By Marc R Gagné MAPP Senior Privacy and Data Advocate, Cyber Intelligence and Director @ Gagne Legal. See more about Marc here. Image from Pixabay here.
If you’ve been following the Equifax cyber security incident potentially affecting 143 people, then perhaps you’re already aware of the terrible irony at play here. A company whose single job is to collect and store personal data in a secure way has compromised the personal data of nearly half the U.S. population.
Consumer protection? Hardly. Here’s a realistic view of the Equifax debacle and what can be done to prevent this from happening again.
First Came Negligence
Hackers did gain access to important personal data of 143 million U.S., Canadian, and British consumers. All Equifax is divulging is that the hackers exploited a website application vulnerability, gaining access to “personally identifiable information” (PII), which is highly sensitive info like Social Security numbers and birth dates.
There’s negligence there, but they won’t tell anyone about it so for the time being, other companies cannot learn from Equifax’s mistakes.
Negligence comes in many forms. In a bit of irony that may come back to bite them, Equifax has lobbied against legislation that would protect victims of data breaches!
Then Came Arrogance
Equifax CEO Richard Smith, speaking after the breach, hardly seemed humbled or apologetic about his company’s negligence:
“We pride ourselves on being a leader in managing and protecting data…”
More irony: their answer to helping protect data after the breach was to set up a website where consumers could find out whether their data had been compromised. All consumers had to do was enter their personal data!
Data breaches erode trust, so asking consumers to extend trust by entering their personal data on another Equifax website seems a bit arrogant.
But the real arrogance was waiting approximately six weeks before letting their customers know about the breach. Discovered in late July, nothing was made public until September 7. The company has not returned any comment about that delay. They have only issued this non-apology:
“We apologize to our consumers and business customers for the concern and frustration this causes”
More arrogance: as a conciliatory measure, Equifax is offering one year of free security monitoring and identity theft protection services to those who were affected. What happens after the year? Consumers can pay for the service or be left vulnerable to the hackers, who are certainly smart enough to wait a mere 12 months to begin their campaigns of identity theft and other malicious maneuvers.
Finally, Outright Thievery
A data breach is never good news, but for a company whose mission involves protecting people from the long-range effects of identity theft, such a breach can be a permanent PR disaster.
So it doesn’t help at all that Equifax executives doubled down on bad behavior by selling company stock before the breach went public. Much more than a PR disaster, this debacle now seems to involve outright thievery.
Three Equifax executives reportedly sold large amounts of shares in company stock just after the breach was discovered:
CFO John W. Gamble
President of U.S. Information solutions Joseph M. Loughran III
President of Workforce Solutions Rodolfo O. Ploder
Together, these three execs sold almost US$1.8 million in shares. After the breach was disclosed, shares plummeted twelve percent.
With trust, confidence, and capability out the window, what does Equifax have to offer consumers at this point? And without a good product, what do they have to offer investors?
The Blockchain Solution that Equifax Should Adopt
One problem is that Equifax and companies like them do not face the same stiff regulatory monitoring as other institutions who handle PII. Banks’ systems and cyber security policies are carefully audited and monitored. Although credit reporting companies are held to the same data security laws, they do not face the same standards of oversight… unless something goes wrong.
Oversight may have caught Equifax’s weak cyber security system but the real solution here involves blockchain technology. This would allow consumers to control access to their personal data. They would have to authorize instances of when their data is disclosed. Data providers would not know where disclosed data was headed, and data recipients would not know where data had originated.
Blockchain networks would maintain a record of transactions but the actual data in each transaction is shared only among those who were authorized by the consumer to access that data.
It’s called ‘triple-blind’ transactions and many large institutions are experimenting with it right now. They include Royal Bank of Canada and, ironically, Equifax and TransUnion, another credit reporting agency. Around the world, UBS and Credit Suisse also have blockchain projects underway.
The bottom line? Equifax should stop making flimsy apologies and offering dubious, ineffective solutions. Instead, they should move forward on real solutions like blockchain technology.
Marc-Roger Gagné CCIE, CHTI, CCII, CCTA, CIPP/G/C, CTFI, MAPP
Does Privacy Still Exist? Data and privacy insights with Marc Gagne
