A two-part analysis and action plan
Part Two: So What do I do Now?
By Russ Schrader, General Counsel and Chief Privacy Officer
Part One gave a quick overview of the Equifax breach, why this breach matters more than merchant breaches, and how I see this playing out in courts, DC, and statehouses in the next few years. The short answer: don’t confuse motion with progress.
In part two, I have outlined the actions that businesses and consumers should take, as well as trends that will accelerate now that half of American adults have had their financial identities breached.
Actions and Implications of the Equifax Breach:
Will there still be an Equifax? Yes. The fate of the company and its shareholders is up to its management, insurance carriers, lawyers, and customers (especially banks). However, it is one of the Big Three nationwide consumer reporting agencies. Its departure from that business would concentrate the industry, and regulators do not like that lack of competition. Settlements and corporate restructuring will likely restrict certain business practices and may force Equifax out of some data collection and business lines. Close audits and ongoing oversight will be part of any FTC and CFPB consent decrees.
Consumer Actions. Half of American adults were directly affected by the Equifax breach – that’s more than 143 million people. The other half will suffer the indirect results from the breach, and should realize they are whistling past the graveyard. Basic steps for everyone to take:
- Check the Equifax site to see whether Equifax thinks you have been affected, and check again every few weeks. As Equifax digs deeper into the breach, it will likely find what virtually every big breached company has found: it is worse than they first said or thought.
- Both the FTC and CFPB websites have checklists of actions consumers should take. Read them and act on them. Consumer Reports also has good advice.
- Freeze your credit files, even if it means planning a bit before your next car loan, mortgage, or rewards card with a signing bonus. A freeze must be placed separately at each bureau; freezing at one does not cover the others.
- Sign up for fraud and transaction alerts. Having your phone ding every time your card is used can even be fun.
- Watch your credit reports. Monitoring is not a guarantee that the data will not be misused, but vigilance is a start.
- Contact state and federal officials and candidates who will move reform and protections forward. If the neighbors and friends of politicians get their accounts taken over, look for pressure on all the credit bureaus to offer free freezes and unlimited access to reports. Get them and use them.
Actions for Every Business. Internal control is not just for Sarbanes-Oxley companies. A number of simple steps would have prevented major breaches:
- Companies need to start at the top with Data Security 101 rules. If the Board hasn't had a recent briefing on data security, get one. Make sure the obvious basics are being followed: patch known vulnerabilities in internet-facing systems promptly and enforce access control. Equifax itself has attributed its breach to a publicly known, unpatched flaw in a web application framework (Apache Struts).
- Don't save data because "it may come in handy some day." It will come in very handy, but not for the company. Data you no longer hold cannot be stolen from you, so planned data destruction is part of any data retention strategy.
- At the same time, understand and accept that there will always be more hackers, and that they come in different flavors. Some criminals steal data to sell it; others buy that data and exploit it. State actors breach for intellectual property and credentials. Terrorists and political actors look for havoc. Together they have a bigger IT budget and more FTEs than you do.
Broader Implications and Speculations. We need to look past the current breach and think about the ripples throughout the economy and the industry when large amounts of diversified data elements are taken. A few things to look out for:
- It will be more difficult for businesses to authenticate individuals using standard measures, because knowledge-based checks (name, Social Security number, date of birth, address history) rely on exactly the data that was taken. Crooks will use social engineering to leverage the breached data and obtain additional information to facilitate account takeover, unauthorized account openings, fake tax returns, and fraudulent health insurance claims. They could end up with a more detailed consumer profile than Equifax has.
- More consumers will be suing banks over the information their banks gave Equifax. Banks are already suing Equifax. Small banks may get nuisance payments. Success depends on indemnification clauses, proof of negligence, and settlements.
- Big banks with major relationships will get systemic as well as financial relief. They should renegotiate with all the credit bureaus on several fronts: banks should not share information with vendors who cannot prove their security. Less data may mean less usage and lower fees. Plus, any "give to get" data sharing requirement will be unsustainable.
- A thin credit file gets even thinner when there are doubts about the quality of the data, and those who have good data won't be willing to share it. This could reduce credit availability to the underserved and to those just joining the economy, which leads to other economic repercussions. Beware a disparate impact on bank lending and financial inclusion.
- Banks will rely more on their own information for underwriting and fraud. This may work for the biggest banks—but even they will end up talking to themselves and miss fraud around them until it’s too late. Those big banks will also run into potential fair lending issues.
- Mid-size and smaller banks will not have the depth of data internally to self-underwrite. They will have additional risks with questionable data, but could reap benefits with smart underwriting.
- Social graphs and algorithms from non-financial sources will grow in importance in this smart underwriting. But Big Data and machine learning have their own problems. The Facebook ad-targeting terms and Amazon's bomb-making product suggestions are simply the latest news items about the unintended consequences of tech. Books such as Cathy O'Neil's "Weapons of Math Destruction" point out the compounding effects of algorithmic errors.
Conclusions and Proactive Next Steps for Business:
- All companies, especially banks, need a better understanding of who is getting their data and what is happening to it. For example, data given to a third party for benchmarking studies should be restricted to that use and destroyed afterwards; the third party should not be allowed to index and resell it, which prolongs the life of the data and adds another target for a potential breach.
- Data still needs to move. There are huge benefits to society from the proper use of data. But data must be controlled and its recipients must be trustworthy. The goals for data owners should be to keep the data and share it only with vetted parties, for described uses, and at profit-maximizing prices.
- Companies that facilitate the exchange of targeted data requests and insights without taking possession of the actual data will thrive.
DISCLAIMER: The views expressed here are those of the author and not those of any current or former client or employer.
©2017 by Russ Schrader, all rights reserved