Data Breaches and Equifax

October 23, 2017

Data breaches have become a fact of life.  On September 7, 2017, the credit reporting agency, Equifax, disclosed that it had been the victim of a massive security breach.  The current estimate is that about 145 million Americans were affected, with their most sensitive credit-related information stolen by unidentified thieves with unknown motives.  The Chief Information Officer, the Chief Security Officer, and the CEO of Equifax all resigned within a month.

The response to the breach has not gone smoothly.  Equifax had actually discovered the breach at the end of July, so over a month had elapsed by the time the public knew.  Making matters worse, a few days after the company started investigating the breach, three Equifax executives sold Equifax stock worth about $1.8 million.

After disclosing the breach, Equifax was immediately criticized for its poor roll-out of the website that consumers could use to see if they were affected. Then people noticed that the one-year free credit monitoring service that Equifax was offering included a mandatory arbitration provision in its terms of service agreement. The fear from consumers and attorneys alike was that this arbitration provision would prevent consumers from being able to sue Equifax over the data breach.  The Attorney General of New York promptly started examining this provision of the Equifax contract.  Equifax clarified that the arbitration provision only applied to the credit monitoring service itself.  At times, the company also seemed surprised that the arbitration clause was in the agreement at all.

In early October, former Equifax CEO Richard Smith appeared before several Congressional committees to testify about the breach. Even free-market purists were angry, because consumers have absolutely no choice about whether Equifax holds their data.

The possibility of insider trading was also explored at the hearings. Richard Smith repeatedly said that, to his knowledge, the executives who sold stock after the breach did not know about the cyberattack. The SEC has opened an investigation. Several members of Congress were very angry that the security hole that enabled the massive data theft had been publicly disclosed, with a patch available, back in March. Someone at Equifax had dropped the ball and left a known security vulnerability unpatched for four months.

So what can be done now? The data breach at Equifax has made people start questioning why we need credit reporting agencies at all. Policymakers in DC are open to suggestions for an alternative. Some people have also raised questions about the social security number system and whether it should be reformed as well. Others ask whether the federal government should get more involved with data breaches by enacting new laws. Currently, almost every state has a law that addresses the actions that must be taken after a data breach, but these state laws vary considerably in what they require for promptly notifying affected parties. Creating a federal data breach law might simplify matters by standardizing what companies have to do when they suffer a data breach.

The federal government also drafted a Cybersecurity Framework a couple of years ago. The Framework is voluntary and mainly applies to critical infrastructure. It provides general guidelines for the different stages of preparing for a cyberattack, including defending against, training for, and recovering from such attacks. Does the Equifax breach indicate that compliance with the Framework should be mandatory, at least for some sectors of the economy?

In short, something has to change. But whether any of these changes will actually reduce the harm caused by data breaches is an open question.