Keeping up with our epidemiology studies was hard enough.
Now, Washingtonians are getting a crash course in digital privacy, after hundreds of millions were stolen from the state Employment Security Department.
Gov. Jay Inslee’s team has more explaining to do. It can’t leave desperate people hanging while it adds deadbolts and updates software.
But this is an opportunity to learn how privacy has evolved, the nature of threats and what’s needed to restore a sense of safety.
One key lesson: Everyone should now know that their personal information — namely Social Security numbers — is likely available to thieves at this point. That horse can’t be put back into the barn, any more than we can stuff coronavirus back into the bats in China.
Officials involved with the state fraud case confirmed publicly and in conversations with me that thieves already had Social Security numbers of residents, whose identities were used to submit false unemployment claims.
That’s because so many organizations have leaked private data in the past 15 years. Were you insured by Premera Blue Cross? Shop at Target or TJ Maxx? Bank at JP Morgan Chase? Had credit information handled by Equifax? Worked for the federal government before 2015? All were hacked.
“Virtually everyone in the country has had their data exposed in some fashion,” said Paul Stephens, chief analyst at Privacy Rights Clearinghouse, a San Diego advocacy group.
Among the personal details that leak, “generally we consider the most dangerous data element is the Social Security number,” Stephens said.
That’s unsettling. But it’s better to know the risk and take precautions to reduce the chance something bad happens.
That means using strong passwords and changing them periodically, keeping an eye on accounts and credit reports, and being wary of online and phone scams. Wash our hands, use good passwords, reduce risk.
For extra protection, get a credit freeze from credit agencies. That free service blocks anyone from opening an account in your name unless you call to unfreeze your credit.
Just don’t forget you’ve quarantined your credit. I did forget, causing an awkward situation at Home Depot last summer. Trying to save money on a lawn mower by agreeing to a credit-card offer at the check stand, I ended up waiting 20 minutes at the service desk, only to be rejected. It was perplexing and embarrassing, until I remembered the credit freeze.
Another thing to know: If your identity is used for fraud, it will be a hassle but probably not disastrous. Of 1.4 million fraud reports received by the Federal Trade Commission in 2018, when there were 327 million Americans, only 25% reported a loss. The median loss for people was $375; banks, merchants and credit-card companies absorb most losses.
It’s like car prowls in Seattle. Statistics are dubious because police rarely investigate, so people stop reporting if losses aren’t big. Still, it’s a constant, low-level threat. All you can do is lower risk with precautions, like locking doors and leaving nothing valuable in cars.
I’m not saying these crimes are trivial: Sometimes they’re devastating. But since they’re usually minor, we needn’t be fearful.
Criminals are at fault, but there’s blame to go around.
Blame organizations who are slow to upgrade security and stay ahead of online thieves, allowing personal information to circulate.
Blame ourselves for sharing too much online, in return for free services like Facebook and Google, and for embracing easy credit.
I’ve been the victim of identity theft because, even after publicized breaches, stores and credit agencies were still too quick to issue new accounts and lax about verifying identity. That was a decade ago; Employment Security didn’t really lock things down until May 14.
Just as Magnolia Hi-Fi let “Brier Dudley” in Chicago instantly open an account and buy stuff, the state enabled “Joe Blow” to get benefits without waiting to confirm his unemployment.
The next lesson: Since thieves have keys, we need stronger locks. That’s why banks and others now require phone calls or text messages to verify accounts. Verizon practically needs a DNA match. Those extra steps and inconveniences add layers of protection, like masks and social distancing do.
Combined with other measures, like issuing ATM cards with chips and requiring strong passwords, the risk of being victimized decreases. Then we don’t have to live in fear of bad guys having our Social Security numbers.
This also prepares us to have better discussions about protecting privacy going forward. That includes state policies giving people more control over personal information that’s collected and shared by companies. It requires openness about security standards and decisions so organizations can be scrutinized and held accountable.
Next up are proposals in Congress to protect privacy while people are using phones for disease contact-tracing. Phones already track our whereabouts. But we need to have faith that if health officials leverage phones, it won’t give government or companies a new tool to monitor or monetize us.
Solving that riddle is tomorrow’s quiz.