OK, so the Equifax breach is a big deal. A BIG deal. Nearly half of Americans are affected[1]. Their information (and possibly yours and mine) has been accessed by some entity who is probably up to no good. There’s been hemming and hawing and biting of fingernails, but, other than a fairly precipitous fall in Equifax’ stock price,[2] it’s unclear what penalties Equifax may suffer resulting from its potential mishandling of all of our financial data.
What potential penalties are in the pipeline?
- Class Action lawsuits – generally these turn my stomach. I always tend to picture a bunch of too tanned lawyers drinking tropical cocktails in the Caribbean comparing the numbers of persons who have joined their class action the way some overconfident men compare shoe sizes. I know this is likely unfair. However, like many Americans, I worry that we are an overly-litigious society. There’s another reason I don’t think much of class actions. The companies at fault never seem to learn much. We’ve all received checks in the mail because this bank or this auto manufacturer did something wrong and is making it up to me by sending me a check for $19.47. Whoa, let me pay off the mortgage! Was the problem solved? You tell me. How many of you have received a second check from the same entity a few years later for another infraction?
- Government investigations. Several state Attorneys General and government agencies have indicated that they will be investigating the breach and the responses of Equifax, its Board, and C-suite. These will likely be lengthy goings-on and are unlikely to result in any near-term change in Equifax’ data security policies and practices. With any luck, necessary policy and practice changes will result from the recommendations of the “independent cybersecurity firm” that Equifax has engaged[3]. Hopefully, these will occur earlier than any government orders or settlements could provide.
What can we do?
Many people believe that markets can self-regulate. That is, poor behavior and business practice will cause consumers to choose businesses with better business practices. Basically, the theory is that if a business’ behavior is not up to par, “market forces” will prevail and the entity will lose market share or even go bankrupt. Unfortunately, this theory requires us, as consumers, to be energized and highly knowledgeable about the choices that companies make. Most people don’t have computer security degrees or the time to check up on all the firms they use. An individual’s only recourse would be to demand action from those who have the knowledge and expertise and with whom we directly interact: our lenders.
Equifax is one of the top three credit bureaus. Credit bureaus make agreements with banks, retailers, and others to capture, analyze, and maintain information about you and me, and to advise these same banks and retailers about our creditworthiness. In other words, they have a more or less comprehensive record of how well we’ve done at paying back loans and credit cards, based on information provided by banks, retailers, and others who have loaned us money. Then, when we ask for a loan, they sell this information back to the banks and retailers to help them decide whether or not to make the loan.
The important thing is that while our information fuels the credit bureaus’ engine, we are not their direct customers. Equifax’ and other credit-rating agencies’ customers are the very banks and retailers that provided them with the information in the first place. The only market force that will chasten a credit bureau with security problems is when banks and retailers refuse to do business with them and demand better security and breach response.
If you wish to take an action, might I suggest contacting your lenders and asking if they use the services of Equifax or intend to continue to do so. If they indicate that they are still planning to use services from potentially risky companies, you should press them to ask for concessions from the company, including sharing the results of the forensic security analysis with their corporate partners (our lenders), especially any calculations of risk that the analysts may have made. Lenders should demand that security, and the associated risk, be held at an agreed-upon level that protects us!
Second, they should demand that their data partners (like credit bureaus) commit to a high standard for reporting breaches once they occur. A fortnight seems to be a very long time for a general announcement, especially at the speed of the internet, where the personally-identifiable data accessed back in May, June, and July has probably already been leveraged by those who stole the information. I was unable to find any regulation specifically requiring an individual advisory in the case of credit agencies. The Federal Trade Commission (FTC), however, has a rule for Health Breach Notification (https://www.ftc.gov/tips-advice/business-center/guidance/complying-ftcs-health-breach-notification-rule) that requires notification to affected individuals “without unreasonable delay,” and within 60 days of discovery. To be clear, the rule does not appear to apply to the Equifax breach, but it is worth noting that Equifax notified the media within 60 days, which would have met that standard; that makes me wonder a little about the standard.
It’s unclear when, or if, individual advisories will be made. One of the most important reasons for notifying individuals in the case of personally-identifiable health information is that the information can be used for identity theft. This same risk exists here, and it doesn’t seem unreasonable to expect that Equifax and regulators should use similar (or quicker) reporting timeframes.
What have I done?
Personally, I’ve contacted my credit union and suggested they stop sending information to Equifax, pending a promise of more timely breach notification. I should have added that they not send any more data until they are convinced it will be securely held. If multiple financial institutions were to threaten an action like this, Equifax would be forced by these “market forces” to get the job done quickly and effectively and to continue to improve in anticipation of developing threats. Depending upon how the next few weeks or so play out, I may move my accounts to an entity that does not use Equifax (if I can find one). I am my lenders’ customer – it may be only by voting with my feet that I can effect change with my lenders and the service bureaus they rely upon.
[1] 143 million out of an estimated nearly 326 million (census.gov on September 15) is approximately 7/16 of the American population, or 43.9% of the TOTAL population. If we assume the vast majority are over age 18 (U.S. adult population is 251.7 million), the percentage of adults affected is even higher.
[2] From 142.72 on 9/7/17 to 92.98 on 9/14/17 (https://www.fool.com/quote/nyse/equifax/efx).
[3] https://investor.equifax.com/~/media/Files/E/Equifax-IR/reports-and-presentations/events-and-presentation/investorrelationsqacybersecurityincident.pdf, dated Sept. 7