What happened and how?

Equifax, one of the three major consumer credit reporting agencies, lost control of the private digital identification of over 143 million people. As consumers, we put our blind trust in these sanctioned gatekeepers to protect our most sensitive personal information, the information used to determine the approval fate of our home loans, car loans, student loans, and credit cards. Although these credit bureaus are entrusted with our entire digital footprint, we do not choose them, nor do we approve their access to our complete digital identity. What’s worse, everything is in one place: social security numbers, birthdates, addresses, contact information, bank accounts and more.

One of the largest and most critical data breaches in history is shocking and alarming because it was caused by gross negligence on the part of the Equifax IT department. In spite of being warned by cybersecurity professionals two months earlier, Equifax did not patch its systems, leaving the door wide open to a breach, a violation of Security 101. As a result, hackers preyed on a vulnerability in Apache Struts, free open-source software used to create Java web applications. Equifax’s complacency and inaction reclassifies the reason for the breach from simple incompetence to gross negligence.

This negligence was coupled with an absolute lack of transparency and fundamental integrity. After discovering the breach on July 29, Equifax waited until Sept. 12 to notify victims, giving the excuse that they "thought the intrusion was limited". This inexcusable delay in notification aggravates the damage on a global scale that will last for decades, with a magnitude that will never be fully understood. It was later revealed that the cybersecurity professionals who found the vulnerability and offered a fix had been hired after an earlier intrusion in March. The shameful behavior both before and after the July breach demonstrated an absence of accountability and of a basic sense of civic duty. In the aftermath of public backlash, Equifax’s CEO, CIO and CSO have since stepped down.

And it gets even worse…

The lack of corporate integrity was exacerbated by executives allegedly shirking their responsibility to shareholders, customers, and employees, putting their personal financial gain ahead of the lives of millions of people. At the urging of a bipartisan group of senators, an investigation has been opened into whether executives violated insider trading laws when they sold stock days after the company discovered it was hacked, but weeks before it was reported.

Equifax Chief Financial Officer John Gamble, President of U.S. Information Solutions Joseph Loughran and President of Workforce Solutions Rodolfo Ploder unloaded shares worth almost $1.8 million just days after the company discovered a security breach on July 29. Equifax stock lost approximately 15% of its value when the news broke, a Wall Street punishment seemingly disproportionate to the damage done.

Urgent need to reform this industry

Although Equifax stock took a hit, time will forgive, and the market correction may prove short-lived. Ironically, the breach created a wave of new, albeit forced, consumer demand. Because our identities are now much more likely to be stolen, we need to buy protection services even more as a preemptive defense – there is no other recourse and there are no other rights in the USA.

Equifax has spent nearly $6M lobbying for less regulation and lower penalties. Equifax’s lobbying group, the CDIA, stated: “The consumer reporting industry is adequately regulated and goes to great lengths to ensure consumer data is protected.” It initiated a concerted campaign to repeal a federal regulation upholding consumers’ rights to sue, which goes into effect in January 2018. In addition, Equifax was caught steering consumers trying to find out if they were affected to a one-year “free” credit monitoring service that contained an arbitration clause forbidding class actions. It also preyed on its own victims, initially rolling out the “free service” with a clause requiring them to proactively cancel or be automatically rolled over into a paid program.

What should be done?

Neither Equifax nor any other company should possess such an enormous responsibility on a global scale. Equifax has proven through a series of poor choices that it will not uphold basic ethical standards to protect the public unless forced to do so. This is not the first serious data breach that consumers have experienced, but the Equifax brand has taken the largest hit compared to other large-scale breaches at Yahoo!, Home Depot, eBay, Anthem Blue Cross, and others. Consumer advocate groups have finally said “enough”, and are demanding new protections and a total reengineering of the credit bureau process.

Business as usual should not be allowed to continue. We must apply the lessons learned and force a transformation focused on four areas:

We need more regulation, not less. Given the series of events, one must assume that the incentives and penalties are not enough for companies to be forthcoming. The lack of transparency is not just toward you and me; it appears Congress has the same questions that we do, 13 to be exact. How deep does it go? When did you know? Were records related to the IRS, Medicare and Medicaid, and SSA compromised in the breach? Equifax has until September 28th to respond to Orrin Hatch, the Chairman of the Senate Committee on Finance. Today, 48 states each have their own data breach disclosure laws, but we should hope for a more stringent federal approach. The Personal Data Notification and Protection Act was an attempt in this direction, with a 30-day notification requirement (not 6 weeks) and fines of up to $1M per violation.

We need more certification and training, not less. Many government agencies require certifications such as CISSP because they handle a massive amount of citizen information. So why shouldn’t the credit bureaus have the same requirements? Because it is difficult to find talent and expertise, we are seeing the opposite: a trend toward loosening certification requirements simply because companies can’t hire fast enough.

We need separation of duties and systems, not consolidation. We must put a limit on the quantity of information a company can own about an individual, and/or require that it be held in separate Information Technology (IT) systems, similar to the regulation that followed the Wall Street Crash of 1929. The Glass–Steagall legislation of 1933 separated investment and retail banking to reduce the risk of consumer savings being used to pay losses incurred from bad investments.

We are global citizens and need a global agreement. In 2016, the European Union adopted the General Data Protection Regulation (GDPR). The GDPR aims to give citizens and residents control back over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It becomes enforceable in May 2018 after a two-year transition period, after which companies will be required to notify consumers within 72 hours of discovering a hack or suffer stiff penalties. It also applies to US companies holding European customers’ or employees’ personal information. Given that these companies will have to abide by it anyway, bringing a GDPR-like law to the U.S. could be an obvious and simple step to quickly close the gap.