The massive scope of the Equifax data breach is almost as horrifying as the confidential personal data that was exposed.
Approximately half of the U.S. population was impacted, as well as consumers in the U.K. and Canada. The sensitivity of the data (national id, financial history, addresses, birth date, etc.) makes this breach more serious than most because the hackers behind the breach have all the information necessary to conduct identity theft on a massive scale.
Equifax is one of the three main credit bureaus that track consumer information, and it provides an estimate of a consumer’s creditworthiness by calculating a credit score. These scores are based on records of loans we have taken out in the past and our payment history (e.g. timely payments, late payments, or defaults).
A credit score is like a financial passport that validates your identity and serves as an indicator of your fiscal responsibility. Without a good credit score, your access to credit necessary to finance a home, car, or even get a new credit card is at risk. Further, these scores determine not only how much credit you can get, but also how much you will pay for it.
This breach raises fundamental questions about privacy, consumer rights, and the need for new regulations to protect consumers.
“The credit-reporting giant had more than two months to take precautions that would have defended the personal data of 143 million people from being exposed. It didn’t.”
– Equifax Officially Has No Excuse, Wired
In the U.S., there are a number of regulations (e.g. Sarbanes-Oxley, PCI DSS, and Gramm-Leach-Bliley) that specify what companies need to do to be compliant; however, being compliant does not mean they are secure.
There is a predominant “check the box” mentality where organizations work to demonstrate compliance without understanding whether they have really addressed the underlying security challenges facing their business.
Food for Thought
- What is the proper legal balance between supporting business vs. protecting consumers?
- What are appropriate standards of care for Personally Identifying Information (PII)?
- Should we borrow some of the GDPR legislation that allows consumers the ‘right to be forgotten’ once they stop doing business with a company?
- What rights should consumers have over their own data? GDPR requires the company to be transparent about what data is collected and to which companies they sell your data.
- How are companies controlling access to sensitive information? Do they have the proper controls in place? Have those controls been properly tested?
- Is security an integral part of your firm’s business practices, or is it incidental?
- Have you invested enough in training both your technical team and end users on security principles?
- How often are you performing security audits and assessments to identify and mitigate weaknesses?
Ultimately, the Equifax breach gives us a hard lesson in security.
“The sad and inconvenient truth is that a majority of large companies have similar challenges, problems and weaknesses in their cybersecurity. Most companies still fail to maintain a proper application inventory and thus keep critical vulnerabilities unpatched for months.”
– Ilia Kolochenko, CEO of High-Tech Bridge
Companies are not investing enough in security measures, and U.S. regulations fail to protect consumers because they give us no control over our own PII. Regulations like the European Union’s General Data Protection Regulation (GDPR) are at the vanguard and place the consumer’s rights above those of the corporation. Hopefully, the monstrous Equifax breach is the wake-up call that spurs new laws to protect consumer rights over corporate interests.
Photo credit: Flickr
By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Click here to contact us today!