Why so little innovation in protecting consumers from data breaches?

There is no product I’m aware of in the world that protects people from data breaches and identity theft better than Abine’s solutions (www.abine.com). However, the commercial marketplace for consumer-facing data breach services (which has grown over the last decade as data breaches have exploded in size and number) is devoid of new thinking. There has been extremely limited innovation in protecting consumers from data breaches.

It remains centered on the decades-old practice of giving consumers “credit monitoring, alerting, and restoration services,” many of which are put to use by less than 1% of customers.

Not only do less than 1% of customers actually claim the tangible benefits from services like ID restoration, restoring an identity is ineffective in making sure similar bad things don’t happen again – it really does nothing to prevent the root causes of identity theft.

Predicting the future of Data Breaches

10 years ago, security researchers Adam Shostack and Andrew Stewart wrote a paper / book which correctly predicted the huge growth in data breaches. They also foresaw a market related to providing innovative services to consumers to help them after a data breach. These services would empower consumers to better control, protect, and prevent the abuse and misuse of their personal credentials – in effect deal with the root causes of identity theft and help stop the problem at its source.

Adam revisits why this market didn’t develop in a recent paper and suggests (as any good critic should) a solution: vouchers. ID theft vouchers would function in a similar way to school vouchers that empower parental choice, enabling consumers that were part of a data breach to buy protective services on an open market instead of being steered into traditional credit monitoring services offered by large incumbents (e.g. Lifelock, Equifax, Experian). Adam further believes the government (mainly the FTC and various state legislators which have passed rules and regulations designed to force companies to better disclose data breaches and to protect those affected) can play a key role in catalyzing this marketplace through encouraging such vouchers.

We decided to put this to a test.

Abine’s identity protection services survey

We tested Adam’s hypothesis by surveying 500 people online asking them to imagine they’re recipients of a company data breach letter and to choose between different options in two versions of a disclosure and notification letter:

  • a scenario where Experian Credit Monitoring is presented as the only option (Exhibit A)
Exhibit A


  • the other scenario where a market of different service providers is presented with a voucher option (Exhibit B)
Exhibit B


Conclusion

The respondents overwhelmingly chose… the vouchers and more choice (although in neither offer did they have to pay).


Our research clearly supports Adam and his proposal’s conclusion. We also saw in the survey respondents’ comments some interesting things. Firstly, a preference for simplicity and single choice from a clear but substantial minority. Secondly, a majority who said that more choice would mean better protection. Thirdly, a big brand effect: both positive and negative for respondents familiar with various national brands included. Some quotes:

  • “I don’t want a voucher and have heard negative reports about Lifelock”
  • “I like the second letter better because it gives the person more options. If someone had a bad experience with Experian in the past I’m sure they would appreciate that.”
  • “They offer you more products to help protect your identity and let you choose, rather than trusting the 2 years of one product.”

Abine and our competitors would of course be open to the FTC and other regulators experimenting with promoting data breach vouchers for consumers. It can’t hurt given where we are today. Over time, the market will change by necessity as data breaches grow and it becomes ever more clear it is nearly impossible to protect networked data – and that the exposure of our personal data can have a lasting impact far beyond just its financial value alone.

About Abine

Abine is the creator of Blur – the only password manager and tokenized digital wallet that gives consumers simply better passwords, payments and privacy.  Over 25 million people worldwide have used Abine’s solutions on their desktop web browsers and iOS and Android connected devices.  Blur dramatically reduces login and checkout friction, facilitates habitual shopping, and inspires trust… all while avoiding the typical problems of slow merchant acceptance of new technologies.  Get Blur.

 

The above post was written by Abine, Inc. co-founder and CEO, Rob Shavell. Follow Rob on Twitter @robshavell

 




Join in the discussion

  • Andre de Blois says:

    Protect your Password! Essential and hopefully obvious as long as your password is intelligently chosen. Remember, key financial accounts and very personal accounts are often kept separate from Abine and other password managers.

    My point: Why are user IDs not case sensitive? This is especially true for banks etc. Furthermore, I know of one bank that only allows 6 characters for a secure password!

    Education is required on both sides of the user-client fault line.
