The following editorial appears on Bloomberg View.
If, like us, your insurance coverage is provided by the good folks at Anthem Inc., you probably have a few questions. How did the company not notice that cybercriminals were siphoning 80 million customer records from its systems? Why wasn’t my personal information encrypted? And why would Chinese hackers, the prime suspects, be interested in my Social Security number?
With some effort and luck, these questions will be answered soon, as litigants, attorneys general and federal investigators descend on the company. For now, give Anthem credit for coming clean quickly about its lapses — and remember that the attacks will continue unless there are some real reforms.
For one thing, companies need to start encrypting personal information held in their databases — especially important data such as Social Security numbers — as a matter of course and storing it more securely. This will make it harder for many businesses to “mine” that data, share it or package it for resale. Such is life in the Age of Hacking.
Companies also have to demand better security from their business partners. Health care companies, in particular, are vulnerable because they’re repositories of so much sensitive information and rely on elaborate networks. The thieves are often cunning: When Target was attacked in 2013, the infiltrators stole credentials from a heating and refrigeration vendor with which the retailer did business.
Finally, businesses have to get more comfortable sharing data about attacks with one another and with the government. The nascent information-sharing group for health care companies, called NH-ISAC, should use this incident as a wake-up call for the entire industry, a known laggard in cybersecurity.
Congress could help by getting serious about setting up a federal information-sharing arrangement headed by the Department of Homeland Security. That should be a two-way street, with the government sharing expertise, offering access to intelligence information, and providing liability protection in exchange for businesses participating forthrightly and complying with the rules. If this latest attack was, in fact, undertaken by the Chinese, it’s unreasonable to expect Anthem to know how to respond without help from the federal government.
It’s also important for Congress to start debating how to bolster laws to prevent the spread and sale of stolen personal data online. That’s a complicated undertaking that could have a lot of unintended consequences, so it has to be done prudently. With each new attack, however, the task only becomes more urgent.
All these things cost money. Yet so do enormous, terrible data breaches — just ask Target, which has tallied up expenses of $248 million after its attack.
Eventually, this cost-benefit analysis will make the expense of better protection look affordable — not just to the inhabitants of corporate C-suites but to anyone with an email account. In the meantime, we’ll be monitoring our credit. You should, too.