Even after countless articles about data breaches have appeared in the mainstream media for years – many of them featuring some of the most recognizable companies in the world, most Americans still have no idea of what to do in the event of a data breach. Even worse, a majority of Americans do not even check whether or not they’ve been the victims of a data breach, according to a new survey by Lexington Law. That’s good news for hackers, but not such good news for anyone else.
Findings from the Lexington Law survey on data breaches
The survey from Lexington Law provides a high-level overview of how Americans have responded to the current data breach epidemic impacting companies ranging from hotel giant Marriott to credit score agency Equifax. The survey went out to over 1,000 people, representing a diverse range of ages (from 18 to 55+).
One primary finding from the survey was that only 20% (1 in 5) of Americans have checked for a data breach in the past month. This, despite the fact that in 2017 over 1,579 total U.S. data breaches occurred. You can do the math here – that figure represents an average of 4 data breaches per day, every day, for an entire year. And that was nearly two years ago. In the past 24 months, the pace of public data breaches has only increased in intensity. Surely by now, people are aware of how prevalent these data breaches are, right?
Similarly, a majority of Americans have never checked at any time to see if they were the victims of a data breach. In an era where just about everyone is at risk of a data breach, it seems surprising, but most people still haven’t bothered to find out if their personal information or data is at risk. There are several possible conclusions here. One is that most Americans are so inundated with these stories about data breaches, that they just ignore all the “noise” around them and carry on with their busy lives as if nothing happened. Another possible conclusion is that a majority of Americans simply don’t think they have any data or information of value to hackers. And, finally, another possible conclusion is that most Americans simply have their head in the sand, hoping against hope that it won’t happen to them.
When the survey data from Lexington Law is broken out into age groups, the findings are even more surprising. The one age cohort that had the greatest percentage of people who had never checked to see if they had been the victims of a data breach was the 18-to-24 age group: 69 percent of people in this age bracket had never checked. In contrast, 46 percent of those age 55 or older had never checked. Thus, the so-called “digitally savvy” generation was actually the least savvy when it came to knowing how to protect their data, and the oldest generation was actually the most digitally savvy.
A lack of understanding of how to respond to data breaches
Another key finding from the Lexington Law survey was that nearly 2 in 3 Americans (66 percent) “didn’t know what to do” during a data breach. They didn’t know what to check, who to contact, or even what types of questions to ask. Instead of taking active measures to secure their data in the event of a breach, they are doing nothing. And, instead of taking proactive measures to insulate their data from hackers and cyber criminals, they are doing nothing.
According to Lexington Law, there are several basic steps that anyone can take to protect their data and information. For example, in the event of a data breach, people could simply check out a website like HaveIBeenPwned.com to find out if their email address is part of a data breach. And, they could do a quick check of their credit history to make sure that people are not opening accounts in their name or otherwise inflicting financial damage on them.
Preparing for a growing number of potential data breach threats
As the Lexington Law survey makes clear, there is a vastly expanding set of potential data breach threats. Stolen credit card numbers and misappropriated financial information is just the start of the problem. You also need to add in stolen passport numbers, stolen birth certificate information, and stolen email addresses. Each of these pieces of data can be used as part of an elaborate identity theft strategy.
In the digital world, the reality is that there are many more attack surfaces from which determined cyber thieves can get access to your data and personal information. People need to become much more tech savvy about the way that bits and chunks of information, if shared with the wrong people, can become part of a broader data ecosystem of people buying and selling data for profit.
As a result, Lexington Law warns that users must become much more proactive in protecting their data. They can no longer trust institutions like banks, brokers, credit bureaus or healthcare providers to do the heavy lifting for them. Moreover, Lexington Law counsels that individuals should do periodic checks and reviews, just to make sure that they have not been the victims of a data breach. And, of course, if they have been the victims of a data breach, then they need to take all possible measures to secure their data.
Final takeaways from the Lexington Law survey
One big conclusion of the Lexington Law survey is that, “Many Americans are lost” when it comes to dealing with data breaches. Most likely, they’ve been told to change their passwords so many times that they’ve just given up. Too much of the burden of protecting their personal data and information has been placed on them, and shifted away from where it really belongs – on the shoulders of the world’s largest financial, retail, healthcare and travel companies.
But is this abdication of responsibility really fair to everyday Americans? People should have a reasonable expectation that, when they check into a hotel during vacation, that passport information won’t be shared with cyber criminals. And they should also expect that, when they entrust financial institutions with their money, personal data would not be sold off to the highest bidder. So, if anything, the Lexington Law survey should be seen as a negative reflection not on everyday Americans, but rather, on the institutions most trusted by everyday Americans to protect their data.