Why the Anthem Data Breach Is Needlessly Harmful

Recently, Anthem, one of the largest health insurance providers, suffered a massive data breach involving personal data on up to 80 million people. According to Anthem, the data breached includes "names, dates of birth, member ID/ social security numbers, addresses, phone numbers, email addresses and employment information."

The fallout of the breach means that people are at greater risk for identity theft. As stated in a PC World article:

"After stealing such information, hackers often bundle it up and sell it on underground forums to other cybercriminals, who could try to use it in a variety of identity-related scams, such as ordering credit cards or taking out loans."

According to NBC:

"Tens of millions of American children had their Social Security numbers, date of birth and health care ID numbers stolen in the recent data breach at health insurance giant, Anthem Inc. This exposes these kids to the real risk of identity theft."

Over and over again we hear the typical spiel about how people should take advantage of credit monitoring, be alert, monitor their children's accounts for fraud, and so on. We hear it again and again: Don't let your guard down! Be on the lookout! Protect your SSN!

Does it really have to be this way?

The answer is no. Breaches such as Anthem's need not cause as much harm as they do. Certain data breaches cause harm because organizations use people's Social Security numbers (SSNs) akin to passwords, an irresponsible practice I recently wrote about. If SSNs weren't used in this way, then the SSN would just be a number, nothing more. A data breach of SSNs wouldn't cause harm.

Why People Can't Really Protect Themselves

We're told to guard our SSNs like a hawk. Be careful about giving it out.

If you refuse to give your SSN to organizations, you must fight a constant and often losing battle. The law often requires organizations to collect SSNs.

Even if you don’t give your SSN, it is still out there and still widely used and available. Because various entities use it as a password, any thief who gets a hold of your SSN can use it to gain access to these accounts or acquire credit in your name.

And so diligent individuals take all these steps to guard their SSNs, and then there's a breach such as the one at Anthem, and . . . bam . . . their SSNs are out there! It is akin to trying really hard to keep your clothes clean while eating by wearing a bib – but doing so in the middle of a food fight!

No matter what you do, you can't fully protect yourself.

The obligatory tips that are given out nearly every time identity theft is discussed in the media -- guard your SSN, shred documents, etc. -- provide a false sense of control. The problem is that you have to guard your SSN in the first place. You shouldn't have to guard it and you can't fully guard it.

The real problem is that a number of companies are loose about granting credit or have poor ways of authenticating identity. The law fails to force them to fully internalize the cost of their practices to individuals.

The result: Whenever there's a data breach, thieves can take advantage of the system. The loss is borne by the individuals and the companies having the breach. But the harm is caused by other players in the system that enable fraudsters to misuse the data to conduct fraud.

It's time we started looking to these other players that make breaches involving SSNs so harmful in the first place. Think of all the harm that could be eliminated if SSNs were neutralized as a tool that fraudsters could use. Companies having breaches would suffer less. Individuals would suffer less. And children would suffer less. If for nothing else, let's do it for the children.

* * * *

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells. Along with Paul Schwartz, Solove is a Reporter on the American Law Institute’s Restatement Third, Information Privacy Principles. He is the author of 9 books including Understanding Privacy and more than 50 articles. Follow Professor Solove on Twitter @DanielSolove.

The views here are the personal views of Professor Solove and not those of any organization with which he is affiliated.

Please join one or more of Professor Solove's LinkedIn groups:
Privacy and Data Security
HIPAA Privacy & Security
Education Privacy and Data Security

Virginia Tate

Global Data Privacy Attorney at Axiom

9y

Thanks Dan. The best way to protect yourself is to put a credit freeze on your credit file at all three CRAs-Equifax, TU and Experian. That way no one can open a new account in your name. A fraud alert is not good enough. You can place the freeze online at all three. Virginia

Ali Alizadeh

Founder and Visionary of Fassment Inc Ultimate Digital Forensics PEcosystem. Championing Universal Privacy and Trust Building. Innovating for Safe and Secure A&Es. Leaders in Identification and Authentication Management

9y

My name is Ali Alizadeh from Afghanistan but I live in Espoo, Finland and my citizenship is in Finland. I have cerebral palsy (CP) and am a physically disabled person. I have ideas but because of my condition it is difficult for me to take them further and I would need someone to develop them with me. I am looking for some support or funding in my project ideas for fulfilling and developing in the first level of Finnish government, South Korean government, Nordic countries and other countries..... Oh my God, please help me with my financial situation. It seems that if someone comes to help he wants to take all my royalties but I am not willing to give all to them. I want someone who is willing to sacrifice him/herself so that we can develop this project together. http://www.gofundme.com/alizadeh

Tim Shear

Founder, CTO at Dataparency, LLC

9y

The solution I think is to have a trusted entity, likely certified by the government, to hold separate the identifying data. This entity would establish an identifier that would be used in situations where the person's identity is required. It would have your SSN, to be accessed only by entities allowed by the person within specific roles (other than the govt w/court order). The trusted service would verify identity and guarantee such. This identifier would be what is stored in the various databases. As access is controlled by the person, there would be less likelihood of it being valuable to hackers.
