To Improve Data Privacy, Let’s Stop Claiming “Everyone’s Data Is Already Out There”
On a recurring basis I hear opinion-leaders make the claim that “everyone’s personal data is already out there”. Yet based on my professional experience this point of view is as false as it is dangerous. The result of this often-repeated error is that people can become lazy with the handling of personal data, increasing levels of future risk.
While no one can deny that far too much personal information continues to be exposed, there is simply no basis in fact to support the claim that the entirety of every person’s private data–such as that related to general authentication, payments, health, home, communication devices and more–is available to any other person who simply tries hard enough to access it. We need to stop repeating the unfounded and dangerous claim that “everyone’s data is already out there”.
Let me take a step back. I’d be the first to acknowledge that there’s far too much personal data ‘out there’, which in turn is causing much harm to identity-holders, the organizations who serve them, and law enforcement. The Identity Theft Resource Center(of which I’m a board member) counted some 1,244 breaches containing identity-holder data last year. As an expert witness in many large data breaches, what I see are breaches that are bigger than ever, with hackers sometimes even working with the support of rival foreign nations. Data compromise is the fuel that makes possible identity theft or fraud, which Javelin Strategy & Research (disclosure, I founded Javelin and have since divested of it), pegged at $16 Billion in 2017.
So with all this evidence, why should anyone believe that there are limits to how much of anyone’s private data is available to fraudsters, to commit crimes such as opening fraudulent new financial accounts, stealing people’s tax refunds, committing medical identity theft, and more?
Evidence makes it clear that the entirety of everyone’s data is certainly notavailable to every criminal, whether they are trying to hack into a database of personal records or attempting to use that hacked data to impersonate identity-holders.
Fact: criminals continue to expend tremendous effort trying to hack into databases, proving that they don’t already have everything they require.
Fact: dark web sellers keep selling personal data, which proves the same point.
Fact: those who have suffered recent data breaches are more likely to be recent fraud victims, based on studies published by Javelin.
Fact: attempts to mine the dark web to access all targeted private data for any one individual have not been consistently successful, based on evidence I’ve reviewed in confidential legal cases.
Fact: despite shortcomings, the use of various forms of private identity data are still successfully used every single second of every day to authenticate identity-holders, which simply could not be true if the entirety of everyone’s data were ‘already out there’.
I push back strongly to the generalized statement that ‘everyone’s data is already out there’ because it risks creating more data compromise and more identity fraud by rendering people to be apathetic. The identity-holder must always be involved in their own safety, even with developments in technologies such as analytics, ‘passive authentication’ (where the identity-holder isn’t involved in their verification), AI, and more. While it may one day be possible for technology to take over today’s nightmare of protecting private data and then using it to authenticate individuals, for now we rely on a partnership with the actual identity-holder to effectively play their part in protecting data and then using it in a way that assures service providers that they are who they claim to be. Identity-holders and the professionals who serve them must be continually reminded that their actions make a difference in who has access to private identity data, and how that data are used.
Two truths can exist at the same time: too much private data is being exposed to criminals, and enough personal data remains protected to ensure that we must rely on the motivated participation of the actual identity-holders to keep it that way. To best motivate both identity-holders and all the professionals charged with minimizing various forms of identity crimes, I’m pleading: let’s stop repeating the damaging falsehood “everyone’s data is already out there”. Once we do that, we can turn our attention to any number of available methods for improved education and empowerment in the battle against both data compromise and identity misuse.
photo credit: thanks Markus Spike, from Upsplash