Proposal: Mandating Hard Prison Time for CEO’s of Companies Whose Consumer Data Gets Hacked Would Cut Down on Data Breaches

Twice in the past year, I have received robo notices from doctors’ offices, blandly informing me that their systems have been penetrated, and that the bad guys have absconded with my name, phone number, address, social security number, medical records, and anything else needed to stalk me or steal my ID.  As compensation for their failure to keep my information safe, they offer me – – – a year of ID theft monitoring. Thanks, guys.

And we hear about other data thefts, often on gigantic scales. For instance, this headline from a couple of months ago: “‘Substantial proportion’ of Americans may have had health and personal data stolen in Change Healthcare breach”. By “substantial proportion” they mean about a third of the entire U.S. population (Change Healthcare, a subsidiary of UnitedHealth, processes nearly half of all medical claims in the nation). The House Energy and Commerce Committee last week called UnitedHealth CEO Sir Andrew Witty to testify on how this happened. As it turned out:

The attack occurred because UnitedHealth wasn’t using multifactor authentication [MFA], which is an industry standard practice, to secure one of their most critical systems.

UnitedHealth acquired Change Healthcare in 2022, and for the next two years did not bother to verify whether their new little cash cow was following standard protection practices on the sensitive information of around a hundred million customers. Sir Andrew could not give a coherent explanation for this lapse, merely repeating, “For some reason, which we continue to investigate, this particular server did not have MFA on it.”

But I can tell you exactly why this particular server did not have MFA on it: It was because Sir Andrew did not have enough personal liability for such a failure. If he knew that such an easily preventable failure would result in men in blue hauling him off to the slammer, I guarantee you that he would have made it his business within the first month of purchasing Change Healthcare to be all over the data security processes.

Humans do respond to carrots and sticks. The behaviorist school of psychology has quantified this tendency: establish a consistent system to reward behavior X and punish behavior not-X, and behaviors will change. As one example, in one corporate lab I worked in, a team of auditors from headquarters came one year for a routine, scheduled audit of the division’s operations. If the audit got less than the highest result, the career of the manager of the lab would be deeply crimped. Our young, ambitious lab manager made it crystal clear to the whole staff that for the next six months, the ONLY thing that really mattered was a spotless presentation on the audit. It didn’t matter (to this manager) how much productivity suffered on all the substantive projects in progress, as long as he was made to look good on the audit.

Let me move to another observation from my career in industry, working for a Certain Unnamed Large Firm, let’s call it BigCo. BigCo had very deep pockets. Lawyers loved to sue BigCo, and regulators loved to fine BigCo, big-time. And it would be a feather in the cap of said regulators, or other government prosecutors, to throw an executive of BigCo in the slammer.

Collusion among private companies to fix prices does do harm to consumers, by stifling competition and thereby raising prices. So, back in the day when regulators fiercely regulated, statutes were enacted making it a criminal act for company agents to engage in collusion, and authorizing severe financial penalties. American authorities were fairly aggressive about following up potential evidence, and over in Europe, police forces would engage in psychological warfare using their “dawn raid” tactic: just as everyone had sat down at their desks in the morning in would burst a SWAT team armed with submachine guns and lock the place down so no one could leave. I don’t know if the guns were actually loaded, but it was most unpleasant for the employees.  BigCo’s main concern was avoiding multimillion dollar fines and restrictions on business that might result from a collusion conviction, so they devoted significant resources to training and motivating staff to avoid collusion.

Every year or two we researchers had to troop into a lecture hall (attendance was taken) and listen to the same talk by the same company lawyer, reminding us that corporations don’t go to jail, people (i.e. employees) go to jail, by way of motivating us to at all costs avoid even the appearance of colluding with other companies to fix prices or production or divide up markets or whatever. This was a live issue for us researchers, since some of us did participate in legitimate technical trade associations where matters were discussed like standardizing analytical tests. If memory serves, the lawyer advised us that if anyone in a trade association meeting, even in jest, made a remark bordering on a suggestion for collusion, we were to stand up, make a tasteful scene to make it memorable, insist that the record show that the BigCo representative objected to that remark and left the meeting, and then stride out of the room. And maybe report that remark to a government regulator. That maybe sounds over the top, but I was told that just such a forceful response in a meeting actually saved BigCo from being subjected to a massive fine imposed on some other firms who did engage in collusion.

My point is that if the penalties (on the corporate or managerial level) for carelessness are severe enough, the company WILL devote more substantial resources to preventing failures. It seems to me that the harm to us, the people, is far greater from having our personal data sucked out of health care and other company databases than the harm from corporate collusion which might raise the price of copier paper or candle wax. Thus, I submit that if someone in the C-suite, like the chief information officer or the CEO, were liable to, say, 90 days in jail, management would indeed apply sufficient resources to data integrity to thwart the current routine data theft.

If I were king, this would be the policy in my realm. I recognize that in the current U.S. legal framework, the corporate structure shields management from much in the way of personal liability, and there are good reasons for that. I suppose another way to get at this is to have automatic fines structured to strip away nearly all shareholder value or management compensation, whilst still allowing the company to operate its business. This would be another route to put pressure on management to prioritize protection for their customers. Sir Andrew’s total compensation package has been running about $20 million/year. To my knowledge, the impact of the recent gigantic data breach on him has been fairly minimal in the big picture. Sure, it was aggravating for him to have to tell the U.S. Congress that he had no idea why his corporate division screwed up so badly, and to have to devote a good deal of effort to damage control, but I am guessing that his golf game (if he is a golfer) was not unduly impacted. He is still CEO, and collecting a princely compensation. But what if the laws were such that a major data hack would automatically result in a claw-back of, say, 95% of his past two years of compensation, and dismissal from any further management role in that company? I submit that such a policy would have motivated the good Sir Andrew to have devoted proper diligence and company resources to data integrity, such that this data breach would not have happened.

I don’t mean to pick on Andrew Witty as being uniquely negligent. By all accounts he is a nice guy, but his behavior is paradigmatic of ubiquitous benign management neglect, which has consequences for us little people.

These are just some personal musings; I’m sure readers can improve on these proposals.

2 thoughts on “Proposal: Mandating Hard Prison Time for CEO’s of Companies Whose Consumer Data Gets Hacked Would Cut Down on Data Breaches”

  1. James Bailey May 9, 2024 / 6:20 am

    Prison is excessive, but what is crazy to me is how small the monetary penalties have been. For instance, Equifax had to pay about $500 million, which sounds like a lot until you realize the breach affected 175 million people, so they got away with ~$3/person.


    • Scott Buchanan May 11, 2024 / 5:55 pm

      Yes, I think economic penalties could be better crafted. Somehow mgt needs to feel a LOT of pain, in order to get their attention. Fines equal to the past two years of before-tax earnings (and no dividends or buybacks for the next two years)?? Just a thought: lay waste to shareholder returns, which MIGHT get them irritated enough to axe the mgt.
