Architect as … data security victim

As the news of the Equifax data breach trickles out and I find myself once again worrying about my own personal data, there’s something that’s really been bothering me about this latest breach. Unlike other breaches, you cannot opt in or out of Equifax’s credit reporting services. If you have a social security number and any form of utility service, bank account, credit card, or loan, or do anything else that is not cash based, then your identity is in their system. This is on par with the IRS or the social security system being hacked.

Now I’m not even going to start discussing whether the credit agencies have too much power, whether they should exist, or whether they should be nationalized. That’s a completely different discussion and doesn’t address the issue at hand. By the same token, I’m also not going to discuss the insider trading that appears to have occurred; that’s already a crime and should be dealt with.

What we should be discussing is culpability. It seems like the media spin has been about how you, the victim, can protect yourself now that your data is compromised. What about the company that has been breached? Why aren’t we talking about their failure to protect our data? As our data becomes more and more valuable and its protection integral to our daily existence, shouldn’t there be some incentives for companies to protect it? Or rather, if you consider protecting our data to be the level of “reasonable care” that the “average company” should provide, shouldn’t there be some penalties when they don’t?

We should be talking about criminal negligence and a class action lawsuit. As a licensed Architect, if I failed to protect my client’s health, safety, and welfare, as well as their financial interests, I could be sued for negligence. If that breach were severe enough it could be criminal instead of civil. The basic test is what level of care the average Architect would reasonably provide. While financial services and data protection aren’t licensed professions currently (maybe they should be), there should at least be a level of public trust that a company will protect your sensitive data when you or someone else provides it to them.

I think we can all agree that, regardless of whether it’s currently legally required, companies that deal with sensitive personal information (social security numbers, biometric data, and other data that can be used to steal someone’s identity) should be held to some level of responsibility for protecting that data. Equifax has failed to do this and has exposed millions to identity theft through no fault of the victims, and so far has offered a mea culpa and a year of credit monitoring services. That’s ridiculous: that’s somewhere around $150 per person in compensation, and only for the one year they are on the hook; that’s about $210 million, but I bet there’s a volume discount. That’s not a small number, but it is ridiculous compared to the impact. Identity theft costs people on average about $5000 per incident; at 143 million people, that’s a potential $7 billion in damages. Also, it’s not the first time Equifax has had a major data breach; this Forbes article goes into more depth on their past breaches and Equifax’s systematic disregard for data security.

It’s not like people can vote with their feet and choose not to use Equifax in the future, as they can with other companies, so Equifax really has no incentive to make sure this doesn’t happen again. In fact, even after past civil lawsuits they still are not taking security seriously, and you can bet they are not alone. It’s time we made this type of negligence a crime.