January 26, 2017

Americans and Cybersecurity

1. Americans’ experiences with data security

Virtually any digital action that internet users may take – from using credit cards to logging into social media sites – creates data that is stored by companies, governments or other organizations. And when those data are stored, they present opportunities for theft or misuse. This chapter examines the basic contours of the cybersecurity environment for individuals, including: the types of online accounts Americans have, their experiences with various types of data theft, and their overall concerns about the safety and security of their digital information.

The survey illustrates the wide-reaching exposure that many Americans have to the world of cybersecurity. Nearly two-thirds of all Americans (64%) have at least one online account that holds their health, financial or other sensitive personal information. And a similar share (64%) have experienced or been notified of a significant data breach pertaining to their personal data or accounts. More broadly, roughly half the public feels their data have gotten less secure in recent years. Any many Americans express a lack of confidence in various institutions – most notably, the federal government and social media platforms – to safeguard and protect their personal information.

64% of Americans have an online account involving health, financial or other sensitive data

All sorts of online services – from email or social media sites to news or e-commerce platforms – require users to create an account in order to take advantage of them. But some of these services compel users to submit highly personal or sensitive information, such as details of users’ financial records or medical history. And these highly sensitive records can be especially damaging if others gain access to them and exploit them. The survey asked about four general categories of these “high value” accounts and found that:

  • 55% of Americans report having an online account with banks or other financial service providers.
  • 36% have an online account with household utility providers.
  • 32% have an online account with their healthcare providers.
  • 39% have some other kind of online account that involves bill payments or transactions.

All told, 64% of Americans maintain at least one of the online accounts listed above. College graduates and those with higher household incomes are especially likely to report having all four types of online accounts. For example, half or more of Americans with annual household incomes of $50,000 or more indicate having an online account with banks or financial institutions (73%), utility providers (55%), healthcare providers (50%) or some other type of institution with which they make online transactions (54%). Meanwhile, 42% of Americans in households earning less than $50,000 per year have an online account with banks or financial institutions and only around one-quarter have an account with utility providers (22%), healthcare providers (18%) or other types of service providers (27%).

Similarly, around three-quarters of college graduates (77%) have an online account with  financial institutions, while half or more have online accounts with healthcare providers (53%), utility providers (52%) or some other types of service providers (58%).

Nearly two-thirds of Americans have experienced some form of data theft

The broader debate over cybersecurity and the safety of Americans’ personal data is taking place in an environment where a significant share of the public has personally experienced some type of data theft.

The survey asked about seven different types of identity or data theft that Americans might be exposed to and found that several are particularly widespread. Some 41% of Americans have learned they were the victims of a data breach by seeing fraudulent charges on their credit or debit cards. Around one-third (35%) of Americans have received notices that some sort of sensitive personal information – like an account number – had been compromised, and 15% have received notices that their social security number, specifically, had potentially fallen into the wrong hands.

In other cases, the public experiences data breaches in the context of their major online accounts: 16% of Americans have had someone take over their email accounts without their permission, while 13% say that someone has hacked or taken over one of their social media accounts.

In addition to these breaches, a notable share of Americans have experienced even more severe forms of data theft. Some 14% of Americans report that someone has attempted to open lines of credit or take out loans using their name, while 6% have had someone impersonate them to try and claim tax refunds. All told, nearly two-thirds of Americans (64%) report that they have experienced at least one of these seven types of data theft.

Americans in their early 30s through mid-60s are especially likely to have encountered many of these forms of data theft. Nearly half (48%) of Americans ages 30 to 64 have noticed fraudulent charges on their credit cards, while around one-in-five (19%) have received notices that their social security number was compromised. Overall, nearly three-quarters of Americans in this age range (72%) have experienced at least one of the seven types of breaches (compared with 55% of those ages 18 to 29 and 50% of those 65 and older). Along with Americans in this age range, college graduates (78% of whom have experienced at least one of these breaches) and those with household incomes of $75,000 or more per year (77%) are also relatively likely to have encountered these various types of data theft.

Many Americans lack trust in key institutions – especially the federal government and social media sites – to protect their personal information

When asked whether they have confidence in various companies and institutions to keep their personal records safe from unauthorized users, Americans’ views are decidedly mixed. Some institutions – such as telecommunications firms and credit card companies – inspire relatively broad confidence. In total, around seven-in-ten cellphone owners are very (27%) or somewhat (43%) confident that the companies that manufactured their cellphones can keep their personal information safe; a similar share is very (21%) or somewhat (47%) confident that the companies that provide their cellphone services will protect their information.

Similarly, around two-thirds of online adults are either very (20%) or somewhat (46%) confident that their email providers will keep their information safe and secure. And roughly six-in-ten Americans are very (23%) or somewhat (36%) confident that their credit card companies can protect their personal information. Other companies and retailers are viewed slightly less confidently: 14% of Americans are very confident (and 46% are somewhat confident) that these entities will keep customers’ information safe.

But even as a majority of Americans express at least some confidence in each these institutions, in each instance a notable minority expresses no confidence at all in the ability of these entities to protect their personal data. And some institutions – in particular, the federal government and social media platforms – are viewed with skepticism by a substantial share of the public when it comes to protecting users’ personal records. Fully 28% of Americans are not at all confident that the federal government can protect their personal information (just 12% are very confident). And 24% of social media users are not at all confident in the ability of these sites to keep their personal information safe – nearly three times the share of social media users (9%) who have a great deal of confidence in these companies.

Overall, there is relatively little variation in Americans’ attitudes towards these entities based on their demographic characteristics. However, users who have directly experienced certain types of data theft in their own lives tend to have lower levels of confidence in the institutions that were involved in these experiences – particularly when it comes to digital institutions, such as email and social media. Some 22% of Americans who have had their email accounts accessed without their permission are not at all confident in the ability of their email providers to keep their personal information secure – that is double the share (11%) among those who have not directly experienced an email breach themselves. And 40% of those who have experienced a breach of their social media accounts are not at all confident that these platforms can protect their personal information – again double the share (20%) among those who have not had their social media accounts accessed in this way.

On the other hand, Americans’ attitudes towards their credit card companies are less strongly correlated with their past experiences with data theft. Among those who have ever noticed fraudulent charges on their credit cards, 13% say they are not at all confident in the ability of these companies to protect their personal information – identical to the share among those who have not experienced this (13%). In fact, one-in-five Americans who have experienced fraudulent charges on their credit cards (22%) indicate that they are very confident in the ability of credit card companies to protect their personal information.

But in the end, relatively few Americans express either blanket confidence or universal concern about the institutions they entrust with their personal information. Just 13% of Americans1 indicate that they are at least somewhat confident in all of these seven institutions, while just 4% indicate that they lack confidence in all of them. The vast majority of Americans fall somewhere in between – they trust some institutions but are skeptical of others.

Roughly half of Americans think their personal data are less secure compared with five years ago

At a broader level, roughly half (49%) of all Americans feel their personal information is less secure than it was five years ago. Around one-third of the public (31%) feels that their data are equally secure now compared with five years ago, while around one-in-five (18%) feel that their data are actually more secure today.

Americans ages 50 and older are especially likely to express concerns that their personal information has become less protected in recent years: 58% of these older Americans feel that their data are less secure than five years ago, while just 12% feel their data are more secure. Americans under the age of 50 tend to express less concern about this issue by comparison: 24% feel that their data are more secure than five years ago. But even so, a plurality of 18- to 49-year-olds (41%) feel their data are less secure now than in recent years.

Outside of age, Americans’ attitudes toward this issue do not vary substantially by gender, racial background, household income or educational attainment. However, those who have themselves experienced some sort of data theft or breach express broader concerns about the overall security of their personal information. Roughly half (52%) of Americans who have experienced at least one of the seven types of data theft measured in this survey feel their data are less secure than five years ago, compared with 40% of those who have not experienced any of these forms of data theft.

In addition to these broader concerns about the security of their personal information, Americans express their worries about digital data theft in more concrete ways. Specifically, 69% of online adults report that they have chosen to not open an online account because they were worried about how their personal information would be handled by the site in question. This behavior is largely consistent across a range of demographic groups, although users who have experienced personal data theft themselves are somewhat more wary about signing up for digital platforms. Fully 73% of those who have experienced at least one form of data theft say they have refrained from opening an online account due to their concerns about how their information would be treated, compared with 61% of those who have not experienced any type of data theft.

  1. These figures are based on respondents who answered questions about all seven institutions.