Seriously, Equifax? This Is a Breach No One Should Get Away With
By: Farhad Manjoo, NY Times, September 2017
Equifax, you had one job. Your only purpose as a corporation, the reason you were created and remain a going concern, is to collect and maintain people’s most private financial data.
Now you have fallen down on your only job — and spectacularly so. Hackers penetrated the spectral gauze of security surrounding your website, and over the course of nearly two months, they made away with the personal information of as many as 143 million Americans. It is the most important financial data available on any of us — our names, birth dates, Social Security numbers, home addresses and in some instances a lot more — and it was just sitting there on your site, all but wrapped up in a red bow.
So, Equifax, I have to ask: Now that you have failed at your one job, why should you be allowed to keep doing it?
If a bank lost everyone’s money, regulators might try to shut down the bank. If an accounting firm kept shoddy books, its licenses to practice accounting could be revoked. (See how Texas pulled Arthur Andersen’s license after the Enron debacle.)
So if a data-storage credit agency loses pretty much everyone’s data, why should it be allowed to store anyone’s data any longer?
Here’s one troubling reason: Because even after one of the gravest breaches in history, no one is really in a position to stop Equifax from continuing to do business as usual. And the problem is bigger than Equifax: We really have no good way, in public policy, to exact some existential punishment on companies that fail to safeguard our data. There will be hacks — and afterward, there will be more.
Experts said it was highly unlikely that any regulatory body would shut Equifax down over this breach. As one of the nation’s three major credit-reporting agencies, which store and analyze consumers’ financial history for credit decisions, it is likely to be considered too central to the American financial system; Equifax’s demise would both reduce competition in the industry and make each of the two survivors a bigger target. Raj Joshi, an analyst at Moody’s, said in a note to investors that Equifax was likely to be fine, as “the impact of the security breach will only modestly erode its solid credit metrics and liquidity.”
The two regulators that do have jurisdiction over Equifax, the Federal Trade Commission and the Consumer Financial Protection Bureau, declined to comment on any potential punishments over the credit agency’s breach.
Consumers also have piddling rights over how Equifax may continue to use their credit data. “There’s nothing in any statute or anything else that allows you to ask Equifax to remove your data or have all your data disappear if you say you no longer trust it,” said John Ulzheimer, a consumer credit expert who worked at Equifax in the 1990s.
But wait, it gets worse. You also can’t prevent Equifax from getting any more of your data.
“You might be able to casually say to your bank that you don’t want them to give information to Equifax anymore, but I don’t know that’s going to have an effect on anything,” Mr. Ulzheimer said. “You don’t control the rules of engagement.”
This isn’t just about Equifax. We live in the age of Big Data. We have allowed, mostly passively, the emergence of huge and exquisitely detailed databases full of information about all of us. Financial companies, technology companies, medical organizations, advertisers, insurers, retailers and the government — thanks to technology, they can all now maintain massive warehouses of information on just about everyone alive.
Yet in many cases these data stores are only lightly regulated, and compared with the scale of the data compromised, the punishment for breaches is close to nonexistent. There is no federally sanctioned insurance or audit system for data storage, the way the Federal Deposit Insurance Corporation provides insurance and a wind-down process for banks after losses. For many types of data, there are few licensure requirements on organizations seeking to house personally identifiable information.
In many cases, terms-of-service documents indemnify companies against legal consequences for breaches. In fact, according to the Consumer Financial Protection Bureau, the credit-reporting service that Equifax is offering customers affected by this breach requires people to waive their legal rights to sign up.
“It is troubling that Equifax is forcing people to waive legal rights in order to receive fraud monitoring after the company’s breach put their personal information at risk,” Samuel Gilford, a bureau spokesman, said in a statement.
With all these ways of mitigating fallout from attacks, breaches keep happening — and in almost all cases, even when the data concerns tens or hundreds of millions of people, the companies that were hacked continue to operate anyway. See Yahoo, for instance, which hackers hit for 500 million accounts, and then again for one billion accounts — but which is still in business.
You might argue that not every data hack deserves a corporate death penalty. That’s reasonable. Neither Target nor Home Depot, for instance, is primarily in the business of storing your data. Both were hit in hacks for millions of people’s credit-card data, but after they offered some penance and promised to fix their systems, it’s not unreasonable that you would continue to shop at their stores.
And you might argue that hacking is impossible to avoid no matter how many security measures companies take. Unforeseen calamities happen in complex systems — banks are robbed, airliners crash, car engines blow up.
But the Equifax case is troubling because neither of these arguments applies.
“If it fails at its one job, it really is quite hard to justify using it again,” said Steven S. Rubin, a lawyer who specializes in cybersecurity law at the firm Moritt Hock & Hamroff.
And if it really is impossible to safeguard against hacking, Equifax’s continued existence becomes even more untenable. On its website, Equifax boasts that it “organizes, assimilates and analyzes data on more than 820 million consumers and more than 91 million businesses worldwide, and its database includes employee data contributed from more than 7,100 employers.”
But if we are now conceding that hacks just happen and no one can stop them — well, here’s a crazy thought: Maybe let’s not allow any company to house all this data. I contacted Equifax to ask about this, but did not hear back.
What is likely to happen is just the opposite of a harsh punishment. The more data a company has on us, the less likely it is that a breach will put the company in any real danger, because its very size protects it.
“Smaller companies have more of an existential concern,” Mr. Rubin said. “When a small law firm or accounting firm loses people’s data, they’re going to be in big trouble, because you can go down the street and find someone else.”
But Equifax? It has more of your data than just about anyone else. So even after losing it, it will probably keep just getting more.
Categories
- Benefits Resources
- Bonding
- BOP
- Business Insurance
- Commercial Auto
- Commercial Property
- Company News
- Construction
- Crime Insurance
- Cyber Insurance
- Directors & Officers
- Employee Benefits
- Employment Practice Liability Insurance
- Entertainment
- General Liability
- Health Insurance
- Healthcare
- Healthcare Reform
- Homeowners Insurance
- Hospitality
- Manufacturing
- Medical Malpractice
- Mining & Energy
- Nightclubs
- Personal Auto
- Personal Insurance
- Professional
- Restaurants
- Retail & Wholesale
- Risk Management Resources
- Safety Topics
- SBA Bonds
- Security
- Seminars
- Technology
- Tourism
- Transportation
- Uncategorized
- Workers Compensation
Archives
- May 2021
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- November 2018
- September 2018
- August 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- February 2013
- November 2011
- October 2011
- September 2011
- July 2011
- June 2011
- March 2011
- November 2010
- October 2010
- September 2010
- April 2010
- February 2010
- November 2009
- October 2009
- November 2008
- August 2008