It has been almost a week now since health insurer Anthem disclosed that hackers had gotten hold of data on 80 million of its customers. Which just means we’re that much closer to the disclosure of the next giant data hack.
This is going to keep happening, obviously. One big reason is that, for Anthem and lots of other companies that possess our most sensitive data, protecting it isn’t the core of their business. Cleaning up after this mess is going to be an expensive pain for Anthem, but the attack is unlikely to drive away customers. If Anthem got a reputation for being dramatically worse at protecting customer data than other health insurers, the corporate human-resources people who choose insurers might start to defect. But as long as it’s approximately as bad as the rest, that shouldn’t be a worry. (For an illustration, check outthis Bloomberg graphic on the worst corporate hacks of the past couple of years, which comes complete with stock charts that don’t show much clear impact.)
Things would be very different, one presumes, if instead of health insurers, banks and retailers storing our data for us, we chose personal-data services to watch over our private information and represent us as we transacted and interacted. For those companies, protecting customer data would be the very core of their business. Sure, there would still be data breaches. But competitive forces would push the best data protectors (and the best data-protection methods) to the top.
This vision of how the world of personal data ought to work, with individuals owning their data and hiring companies to manage it, has been in the air for a few years now. Blogging pioneer Doc Searls, who calls it vendor-relationship management, has been trying to drum up support for it with a book and the ongoing ProjectVRM at Harvard Law School. Alex “Sandy” Pentland of the MIT Media Lab helped get a World Economic Forum project going on “Rethinking Personal Data,” which has on occasion come close to embracing the customer-owns-the-data approach. And there has been startup after startup aiming to address some aspect of this.
What there haven’t been, as far as I can tell, are any big success stories or signs of a real shift in the direction of putting the customer in charge. Instead, most of the data-related excitement in business circles has revolved around finding ways to gather, process and monetize ever more information on consumers. This isn’t so much about social security numbers, as in the Anthem breach, as it is about data that “is either passively observed about individuals or computationally inferred about them,” in the words of one recentWEF report. Anything that stands in the way of such data gathering is an obstacle to be pushed aside or navigated around — and while Searls and Pentland both argue that their approach might eventually make people willing to share even more data than they do now, in the short term it would interfere with the business models of Google, Facebook and scores of other companies, so it’s not happening.
In a Q&A with the Harvard Business Review in November, Pentland said he was “quite hopeful” that change would come “because people are fed up.” Are they? For yet another WEF report, “The Internet Trust Bubble,” pollsters asked people in 63 countries in 2012 “to what extent do you trust the following institutions to protect your personal data?” Banks and financial institutions scored the highest, with 60.5 percent of respondents answering 5, 6 or 7 on a 7-point trust scale. Providers of health and medical services came in second, at 55.1 percent, and government authorities in third, at 52.9 percent. No other sector cracked 50 percent. At the bottom of the list were mobile-phone operators (43.7 percent), shops and department stores (38.9 percent), companies that provide social-networking services (37.4 percent) and online marketers and advertisers (29 percent).
Given the recent hacks at JPMorgan Chase and Anthem, one would imagine that trust in banks and health providers is lower now. Overall, the world’s consumers appear to be justifiably suspicious, even fed up. So far, though, it’s still an inchoate, diffuse sort of fed-up-ness. What exactly will it take to g