The Equifax Breach is a Case Study in Why We Need a National Data Notification and Protection Law: Picks of the Week
“The Time is Now for Congress to Act on a National Data Breach Notification Law” | The Hill
“Equifax Breach Prompts Scrutiny, but New Rules May Not Follow” | The New York Times
“The single most depressing thing about the Equifax breach” | The Washington Post
It took over six weeks for credit bureau Equifax – one of the three major credit reporting firms in the U.S. – to disclose the massive data breach that potentially compromised confidential information of 143 million customers – or nearly half of the U.S. population. Aside from the reports on the company’s sloppy cybersecurity measures that made it low-hanging fruit for hackers and its subsequent handling of what appears to be one of the worst data breaches in recorded history, the fact that the company took so long to notify customers is appalling – but given the patchwork of data breach notification laws in the U.S. and the still-too-common disregard for industry-wide cybersecurity standards, it was not all that surprising.
Breached companies often choose to delay notification of hacks, putting customers at risk while avoiding consequences. While there may be legitimate reasons to delay informing consumers about a data breach, such as an ongoing criminal investigation by law enforcement or the need to assess the full scope of the hack and extent of the damage before letting consumers know and possibly causing panic, companies often wait to go public about a data breach because they fear the damages a hack will have on their reputation, customer trust, stock value, and overall revenues.
In the case of Equifax, the company’s slowness first in patching a known vulnerability and then in effectively responding to the hack and notifying customers, combined with high-level executives who apparently sold off almost $2 million worth of stock days after the breach was discovered, shows a complete lack of leadership and of real concern for customers’ privacy and security. Equifax has yet to disclose why it waited so long to inform customers about the breach and, in the meantime, two top executives have stepped down, the legal team and the Board are bracing for probes by federal and state authorities and a slew of class-action lawsuits, and the CEO is preparing to testify before the U.S. Congress.
What sets Equifax’s breach apart, however, has less to do with its undue delays or with the number of records breached – Yahoo’s data breach last year affected as many as one billion accounts – than with the high value of the data exposed. The data accessed by still-unknown hackers includes a trove of names, birth dates, Social Security numbers, addresses, driver’s license numbers, and even credit card and bank account numbers. Even individuals who never used Equifax were affected. Indeed, consumers have almost no control over whether their information is absorbed into credit bureaus like Equifax, Experian, and TransUnion, and do not have to provide consent for them to use and process their personal data. If you ever applied for a mortgage, a credit card, a cellphone plan, or a car loan, Equifax or a similar company likely has your information, which is used to rate your creditworthiness for banks, home sellers, auto sellers and others.
With so much personal information, criminals can easily impersonate you, take out new lines of credit in your name, file fraudulent tax returns, fill prescriptions, and craft even more sophisticated phishing emails and scams. This type of cyber risk is not isolated to Equifax, but this massive data breach revealed another inherent flaw in the U.S.: the over-reliance on Social Security numbers and the skewed credit reporting system that is in urgent need of reform. The wide use of SSNs in both the government and private sectors, and the ease of using them to access highly sensitive accounts, has made hacking systems such as credit reporting agencies even more appealing to cyber criminals.
A breach of this proportion should serve as a warning both for policymakers and customers about what may lie ahead. Breaches will only continue to grow in number, volume, and sophistication. As more information becomes digitally available, our data becomes more at risk than ever.
Unfortunately, companies are not incentivized to prioritize security, resiliency, and privacy, and there is little national oversight of how companies handle data. Indeed, most companies constantly collect and store data simply because they might want to use it sometime in the future – there is no law that forces them to collect only the bare minimum of data necessary, or that limits how long a company can store data, or that requires them to encrypt everything they collect, or that imposes regular security audits. When it comes to notifying consumers that their data has been stolen, laws in the U.S. vary from state to state and differ in how much time companies are given, how much information they are required to divulge, and whether they must notify other parties besides the affected people (such as state attorneys general, credit bureaus or regulators). Past calls in Congress to establish a nationwide standard have repeatedly fizzled. The result is a muddled patchwork of 48 different state laws governing data breach notification; a notification deadline is specified in only eight states and varies anywhere from 10 to 90 days. Rhode Island’s law, for instance, requires notification to be made within 45 days of the discovery of a breach. Georgia – where Equifax is based – specifies no timeline for when a company must notify customers about a breach. Alabama and South Dakota don’t even have a data breach notification law on the books. For comparison, the European Union’s new General Data Protection Regulation, which comes into effect next year, requires that any data breach be reported within 72 hours.
Big hacks like the Equifax fiasco put into context just how much control organizations have over our personal information, how much information is regularly collected, and how valuable (and vulnerable) that information is. But as the digital world increasingly dictates where we work, play, and live our lives, we need to have control — or at the very least, basic knowledge — over what data is being collected about each one of us, where it is stored, who has access to it, and how it is being protected.
While Congress debates the merits of the various proposals to establish a national data notification and protection law, if you were a victim of this latest enormous breach (assume you were!), here are a few things you should do to protect yourself:
- Check your credit accounts immediately and regularly for any suspicious activity, and continue to monitor your credit card and bank accounts for the foreseeable future;
- Set up a fraud alert;
- Freeze your credit accounts – meaning no one can open an account (or transfer money), or buy a car, house or other big-ticket item, using your SSN, credit card, bank account, etc.;
- Set up two-factor authentication on important financial accounts to deflect hackers with stolen information;
- If you have children, enroll them at allclearid.com/.