Last Thursday, my colleague Beth Ward sent me a chat.
“Did you see the news that UMD was a victim of a cyber attack?” she asked—we’re both University of Maryland grads. UMD had just announced that hackers had breached their databases and stolen personal information on students dating back to 1998.
“Yeah, I got the email, so I’m probably one of the people compromised. But they’re offering a year of free credit monitoring. ”
“Ironically enough, I already have a year of free credit monitoring from Target.”
I laughed. “Well, I already have a free year of credit monitoring from a federal government data breach.”
We remarked at the absurdity of the situation. Here we were, being told that our most personal information—including name, date of birth, and social security number—were now in the hands of hackers. And…we were feeling pretty confident. After all, our data had already been compromised and we already had Experian watching our credit on someone else’s dime.
We’re in an odd time where data breaches still feel totally unacceptable, and yet are exceedingly common. Customers were outraged when Target announced its data breach in December, and it hurt profits, which fell more than 40% in the fourth quarter. Last week, the email from UMD President Wallace Loh was overwhelming in its apology and regret. He clearly anticipated shock and outrage from the more than 300,000 students and staff affected.
But let’s not feign surprise. If by now you don’t expect that your personal information will be compromised, you’re simply lying to yourself. It’s going to happen. The Online Trust Alliance (OTA) warns that “every business must be prepared for the inevitable loss” of sensitive data—which means that some company is inevitably going to leave you exposed.
We can handwring endlessly and threaten to stash our money under our mattresses. But we’re better off shifting our mindset: expect an attack and prepare to respond.
This isn’t to say we admit defeat. But we can take a cue from critical infrastructure industries, who are taking a resilience approach to cyber security. Businesses and individuals should invest in cyber security protections and use best practices to fend off the large majority of attacks; but we must also prepare to take a hit without it devastating us.
Now, the question is: When will it become commonplace to proactively insure ourselves against data breaches? No one threatens to stop driving simply because auto accidents are common. Instead, we take action to make sure that vehicle damage doesn’t cause us a devastating financial loss.
A large number of businesses are offering credit monitoring to affected customers after an attack. Target offered a free year of credit reporting to the 110 million customers affected in their November data breach, and UMD just extended their offer to five years of credit monitoring. (Consumer Reports noted this approach isn’t a catchall for post-event identity theft, but it’s a start.) When we start looking at identity theft as an inevitable hazard of our modern lives, perhaps we can start taking steps before an event to better mitigate potential damage.