Stop saying, ‘We take your privacy and security seriously’

In my years covering cybersecurity, there’s one variation of the same lie that floats above the rest. “We take your privacy and security seriously.”

You might have heard the phrase here and there. It’s a common trope used by companies in the wake of a data breach — either in a “mea culpa” email to their customers or a statement on their website to tell you that they care about your data, even though in the next sentence they all too often admit to misusing or losing it.

The truth is, most companies don’t care about the privacy or security of your data. They care about having to explain to their customers that their data was stolen.

I’ve never understood exactly what it means when a company says it values my privacy. If that were the case, data hungry companies like Google and Facebook, which sell data about you to advertisers, wouldn’t even exist.

I was curious how often this go-to one liner was used. I scraped every reported notification to the California attorney general, a requirement under state law in the event of a breach or security lapse, stitched them together, and converted it into machine-readable text.

About one-third of all 285 data breach notifications had some variation of the line.

It doesn’t show that companies care about your data. It shows that they don’t know what to do next.

A perfect example of a company not caring: Last week, we reported several OkCupid users had complained their accounts were hacked. More likely than not, the accounts were hit by credential stuffing, where hackers take lists of usernames and passwords and try to brute-force their way into people’s accounts. Other companies have learned from such attacks and took the time to improve account security, like rolling out two-factor authentication.

Instead, OkCupid’s response was to deflect, defend and deny, a common way for companies to get ahead of a negative story. It looked like this:

  • Deflect: “All websites constantly experience account takeover attempts,” the company said.
  • Defend: “There’s no story here,” the company later told another publication.
  • Deny: “No further comment,” when asked what the company will do about it.

It would’ve been great to hear OkCupid say it cared about the matter and what it was going to do about it.

Every industry has long neglected security. Most of the breaches today are the result of shoddy security over years or sometimes decades, coming back to haunt them. Nowadays, every company has to be a security company, whether it’s a bank, a toymaker or a single app developer.

Companies can start off small: tell people how to reach contact them with security flaws, roll out a bug bounty to encourage bug submissions and grant good-faith researchers safe harbor by promising not to sue. Startup founders can also fill their executive suite with a chief security officer from the very beginning. They’d be better off than 95 percent of the world’s richest companies that haven’t even bothered.

But this isn’t what happens. Instead, companies would rather just pay the fines.

Target paid $18.5 million for a data breach that ensnared 41 million credit cards, compared to full-year revenues of $72 billion. Anthem paid $115 million in fines after a data breach put 79 million insurance holders’ data at risk, on revenues that year of $79 billion. And, remember Equifax? The biggest breach of 2017 led to all talk but no action.

With no incentive to change, companies will continue to parrot their usual hollow remarks. Instead, they should do something about it.