Here is a website you can go to:
http://www.anthemfacts.com/
I think it is time for the federal government to mandate serious financial penalties for these big data breaches.
Problem is, many of these hacks come from places like China & Russia, where they really don’t give a crap about what US law has to say on the subject.
The hacks are already illegal to perpetrate.
What PastTense is saying is that companies who do not sufficiently secure private customer information should be civilly liable for data breaches. I completely agree.
I work in the software security industry. There is a lot more companies could do to protect themselves, and some are conscious of their vulnerabilities. But it’s a hard problem to solve - the enemy is vast, well organized, and motivated by massive returns.
Any law that’s crafted to make companies liable for data breaches is going to have to be carefully written, and it’ll involve huge numbers of lawyers and cases to determine if a company took all the right and appropriate measures when hackers are exploiting a vulnerability no one knew about.
Even companies that are doing all the right things are vulnerable. What is the purpose of penalizing them?
^ That. Also, it will force companies to think more about the info they are collecting from their customers. A health insurance company needs most of that info in the OP for their operations, but why the hell do they need to know their customers’ income?
So they know how much to jack up the rates.
Can you imagine if other businesses required information about your income before you could purchase goods?
Don’t they need that information to calculate subsidies?
Subsidies in the individual market. I sold small business plans for years and had tax returns for a lot of sole proprietors to show they had a business, pay stubs and state reports to prove employee relationships and so on.
Since there is no perfectly secure system, I don’t know how one could define “sufficiently secure”. A company can reduce the chances of being hacked, but cannot prevent it. If enough of the right hackers want in, they will get in.
^This. I have Anthem BC/BS through work and do not have to disclose my salary to them. That aside, hackers may well have enough of my personal info to make my financial life a pain for a while.
I agree. And if your house gets broken into, you should be thrown in jail.
This isn’t a great analogy, since you have control of your household security measures protecting your own property.
A better (but still imperfect) analogy would be suggesting a civil remedy against a storage company when your storage unit on their premises is burgled.
:rolleyes:
Let me save you all the time. “We’ll send you a letter when we get around to it.”
That was the most useless FAQ I’ve ever read.
I have a subsidized Anthem health plan where my share is pegged to a percentage of my income. Thus, in order to calculate my monthly bill they need to know my income.
And yes - I am almost certainly one of the 80 million.
My company just switched from Cigna to Anthem this January. Peachy.
StG
Another Anthem customer here. I already have a credit watch service, which I have locked down for the mean time. No new accounts can be opened, and no credit reports or inquiries issued.
The spouse and I put alerts and freezes on our credit this morning. I’m still concerned about the ID data being out there. They keep going on about how credit card and medical information wasn’t compromised. Fantastic. What about the info that was compromised and can be used to construct a false identity with my name attached to it? I don’t want to get arrested because some jerkwad used my name, birthdate, SS#, etc. to commit a crime.
Except I can guarantee most companies are shortchanging IT security. Probably the only ones doing it right are the big financials due to the billions/trillions at stake. I’ve seen it too many times; security initiatives are partially funded or not funded at all. Or positions are not filled. Or policies enacted that make security difficult or impossible.
Unfortunately, many companies see IT as a necessary evil that is just a drain on the bottom line (I once worked for a company on the S&P 500 where the CEO said exactly that). Why would they spend hundreds of thousands for “no benefit” (as they see it)?
I agree with this. I have been in information security for a decade or so, in many different industries. They almost all try to squeak by with the bare minimum security controls. Universities are the worst. I worked at a major university that only patched their Windows servers once a year. Literally, they patched annually. It was outright negligence, and of course they got hacked routinely.
It’s not a lot better in the corporate world. I know I’ve mentioned this here before, but it’s my favorite story about corporate security. A Chief Information Security Officer at a big life reinsurance company (reread that; let it sink in before going on) once told me, “We’re a 20 billion dollar company. A million dollar breach is a rounding error. Why should we care?” Uh, maybe because you have highly sensitive data on millions of Americans? And you kind of have a responsibility to those people?
The healthcare industry is not quite as bad as higher education, but that’s not saying much. Generally, healthcare still doesn’t take the threat seriously, and they are still driven by checking off boxes to meet HIPAA compliance, either not understanding or not caring that HIPAA requirements only get you to a minimum level of security.
Too many companies don’t care about security until the data is already in the hands of Russian criminals, then they sit around wondering, “How’d that happen?!”