It took six weeks after credit reporting agency Equifax
found out it had been hacked for the company to notify the 143 million
customers whose private data was at risk. Following what might be the
worst data breach of the past decade, such a long delay is shocking —
but given the lack of regulation it’s not all that surprising.
Companies have often taken liberties with time when
notifying customers of a hack. But doing so brazenly puts their
customers at risk while these companies avoid consequences. Such
situations illustrate exactly how certain companies can easily
prioritize their bottom line over customers’ financial security and
privacy, especially when industry-wide standards for safety are largely
unmet or simply nonexistent as more personal data becomes digitally
accessible.
What sets Equifax’s latest breach apart has less to do
with numbers — Yahoo’s data breach last year affected 500 million
accounts — than the value of the data stolen. Still-unknown hackers
gained access to a trove of names, birth dates, Social Security numbers,
and addresses of Equifax users. With so much personal information, criminals can easily apply for fraudulent loans, open bank accounts or credit cards, make scams feel more convincing, and more.
It hasn’t helped that Equifax has handled the situation incredibly poorly. High-level executives sold off almost $2 million
of the company’s stocks after finding out about the breach in late
July, weeks before they went public about the hacks, which prompted the
company’s stock to fall 18 percent as of this week.
To crown it all, Equifax sought to make good with
customers by offering free credit monitoring and identity theft
protection. But any customers who took advantage of the deal might waive their right to join a class action lawsuit against the company. After public outrage, the company made clear that the clause did not apply to the latest hack. Some 30 lawsuits against the company have already been filed.
A breach of this proportion serves as a warning for what
may lie ahead. Hacks will only grow more sophisticated and prevalent. As
our world continues to migrate to digital spaces, our data becomes more
valuable — and more at risk — than ever.
But companies are not incentivized to prioritize our
privacy. They need to be pressured. “The only good way for these things
to be stopped is for the giant organizations holding this information to
be better regulated,” said Jessy Irwin, a cybersecurity consultant.
Companies have legitimate reasons to delay informing consumers about a hack. But the decision can also be driven by self-interest.
Right now, there is little national oversight on how
companies handle data privacy. When it comes to notifying consumers that
their data has been stolen, laws vary state to state and differ in how
much time and how much information companies are required to divulge.
Equifax is based in Georgia, a state where there is no timeline
specified for when a company must notify customers about a breach.
There are legitimate reasons why a company would choose
to wait before going public. Sometimes they are cooperating with law
enforcement, which doesn’t want a public announcement to jeopardize its
investigation into the source of the hack. Companies also might not be aware of the extent of
the damage, requiring time to investigate before letting users know.
Some cybersecurity experts believe it’s best to assess the full scope of
the hack before letting consumers know and causing panic.
That doesn’t mean that these companies aren’t also driven
by self-interest. Data breaches look bad for a company’s reputation.
“On the one hand, companies certainly would have a PR incentive to not
report breaches to the affected individuals,” said Beth Givens,
executive director of California advocacy group Privacy Rights
Clearinghouse. In the case of Equifax, the company’s slowness combined
with the executives who sold off their stocks prior to the public
announcement make the company look like it was minimizing responsibility
for a serious consumer problem. The Wall Street Journal also reported
Monday that Equifax spent $1.1 million last year lobbying against regulation, including on data security and breach notification.
Last year, Yahoo faced criticism for waiting to go public about the data breach for potentially more than a year after it first
discovered signs of an attack. In 2014, Target and Neiman Marcus were
hit with similar criticism for not going public about credit card data
breaches until a third-party cybersecurity blog needled the retailers into coming forward.
“I think it’s really necessary for someone to step up,
especially a federal regulator,” Irwin said. “Having to just trust an
organization when they have demonstrated that they’re completely
untrustworthy, especially in figuring out if you’ve been affected or
not, that’s not a viable solution.”
Equifax has yet to disclose why it waited so long to inform customers about the breach. A spokesperson told the Washington Post that the company’s executives had no knowledge of the breach when they sold their stocks. In a company press release last week, Chair
and Chief Executive Officer Richard F. Smith said, “We pride ourselves
on being a leader in managing and protecting data, and we are conducting
a thorough review of our overall security operations.”
But security risks are not isolated to Equifax. The other
two main credit reporting agencies, TransUnion and Experian, could also
be the targets of future breaches. The companies have been criticized before for lacking the oversight — including regular security audits — that other financial institutions are required to have.
Customers need to know if their data has been hacked to protect themselves
An enormous number of people have been left exposed from
this breach. In addition to the 44 percent of the US population affected
by this hack, an unknown number of customers in the United Kingdom and
Canada were implicated.
Some individuals have used Equifax whether they’ve made
the choice to sign up for it or not. Any credit report that gets pulled,
such as for background checks for loans or to get approved to rent an
apartment, could be from one of the big three credit agencies, including
Equifax.
The Federal Trade Commission, charged with regulating
credit bureaus like Equifax, has declined to state whether it will
launch an investigation after the hack. “We’re trying to get a handle on
the scope of all of this. We’re certainly taking this very seriously,” FTC Chair Maureen Ohlhausen told reporters at an antitrust conference, Reuters reported.
Anyone concerned that they were affected by the hack
should check their credit accounts immediately for any suspicious
activity, set up a fraud alert, and watch their credit card and bank
accounts. You could also freeze your credit account to prevent anyone
from fraudulently applying for your credit. It’s also a good idea to set
up two-factor authentication on important financial accounts to deflect
hackers with stolen information. (There are several good guides on what to do if you’ve been hit by this attack, including these suggestions from CNN and CNET.)
One of the most important factors is timing. Customers
need to make changes and set up alerts as quickly as possible to prevent
harm. There is likely a time lapse between when a company is first
hacked and when they find out. In that time, it’s possible that the
stolen data has already been sold to the highest bidder on the black
market. That’s why it’s so crucial for people to be notified as soon as
possible if their data has been hacked.
Demanding that companies come forward about breaches —
and suffer the hit to their reputation — could also incentivize
companies to take security more seriously. Greater transparency also
provides more information to cybersecurity researchers who can use this
information to prevent more hacks in the future.
Logistics aside, there’s the principle behind this:
People have a right to know if their personal data is secure. Our
digital identities are extensions of ourselves, and we have a right to
know if we are physically and financially secure.
National data breach notification laws, explained
Rep. Lou Correa, a Democratic representative from California, announced on Tuesday
he would introduce legislation to regulate data breach notification.
House committees including the Judiciary Committee and Financial
Services Committee also expressed interest in holding hearings about the issue. But this isn’t the first time there’s been interest in passing such a law. In 2015, Congress
failed to pass a bill introduced by Obama mandating companies notify
customers 30 days after first indication of a data breach.
Meanwhile, regulations continue to be left up to the
states. Currently, 48 states require some sort of disclosure, though
timing is only specified in eight states and varies anywhere from 15 to
90 days. For comparison, the European Union has a law going into effect next year requiring companies to notify customers 72 hours after discovering a hack.
But privacy activists aren’t necessarily in favor of a
national law. Some, like Givens at Privacy Rights Clearinghouse, fear
that federal regulation would be considerably weaker than what some
states, including her home state California, require. “Congress is not
known for strong consumer protection laws,” she said, adding that the
technical world changes fairly quickly and that she has little
confidence that federal law would be able to keep up to date.
There’s also the push for data security safeguards that
take aim at deeper problems. Companies regularly collect data simply
because they might want to use it sometime in the future — there need
to be laws that force them to collect only the bare minimum of data
necessary. There should also be limits on how long a company can
store data, requirements to encrypt anything it collects, and regular
security audits. Data breach legislation, Givens argues, should also
include regulations like these.
Givens warns that putting the onus on consumers to
protect their identity can only go so far. “It’s not fair to blame the
victim,” she said. “In order to open up a bank account, rent an
apartment, or apply for a job, you have to reveal a lot of personal
information. It’s up to those entities that collect that information to
protect it.”
Big hacks like the Equifax fiasco put into context just
how much control companies have over our personal information. And as
the digital world increasingly dictates where we work, play, and live
our lives, we need to have control — or at the very least, basic
knowledge — over how our digital identities exist in this space.
Companies aren’t incentivized to put their customers
first. Whether it’s minimizing how much of our information they collect,
fortifying security, or simply telling us they’ve been breached, we
can’t depend on these companies in good faith. It’s up to government
regulators to keep them in check.