What’s said about money can be said about data: No one treats other people’s information the way they treat their own.
Last week, Equifax—one of the “big three” consumer credit rating and reporting agencies— disclosed a massive hack that compromised the personal information of 143 million U.S. consumers. What makes this hack so damaging is that Equifax’s databases contain a motherlode of information about consumers—names, addresses, dates of birth, Social Security numbers, bank accounts, credit cards and more—all in one place.
Such hacks fuel the supply side of identity fraud and theft. Criminal hackers then sell the information wholesale via the “dark web” to other criminals who then use it to create fraudulent credit cards or other financial accounts. The “street” value of personal data goes up the more information there is to connect to a specific individual. By itself, a credit card number has a small degree of value. Add the expiration date, and the value ticks up. Add the CVV code (the three-digit number of the back of the card), and the value ticks up more. Connect it with a name and address and Social Security number and the value skyrockets.
If you’re lucky, the process ends with a phone call from a credit-card issuer asking you to verify a big-ticket purchase in a far-flung foreign capital. If not, you can find yourself debited for thousands of dollars in purchases you did not make and face years of battling with banks to clean up your credit rating. In the worst case, your personal or business bank accounts may be accessed and drained.
The Equifax hack is damaging in at least three ways: the number of records stolen, the wealth of information they contain and that, as a major credit-reporting company, consumers are obliged to use it to conduct everyday business, ranging from applying for retail credit to renting an apartment. This last point is critical, because it’s where the curmudgeonly criticism—that if you don’t want your data stolen, don’t put it online—breaks down. Consumers today increasingly have no choice but to put personal data online. The so-called “internet of things” will depend on it.
This is not meant as a slam. The internet of things will have enormous social benefits. Further development of the platform and accompanying applications should be encouraged. But a key element in making it work will be consumer confidence in the security of the personal data that’s collected as a matter of course.
This why both the government and commerce must address the Equifax hack as a significant problem. Although I tend to favor that government takes a light hand on business, there needs to be a thorough investigation as how this hack happened. Unfortunately, if the past is any indication, the Equifax hack will likely be traced to disregard of internally published cybersecurity protocols. The hacker may have been clever enough to break through a firewall, but that breach probably was aided by system information acquired by the target’s carelessness, such as:
- Neglect to follow a basic server security protocols, like a double authentication process (J.P. Morgan);
- A “lost” laptop that shouldn’t have been removed from the work to begin with (S. Department of Veterans Affairs);
- Introduction of malware when opening an attachment in an email from an unrecognized sender (Democratic National Committee);
- Social engineering schemes in which a hacker persuades an employee to disclose log-ins and passwords (Yahoo).
All these and more violate best practices for data protection that can be found on any basic list of ways to safeguard data, be it on a home PC or a corporate server farm. When there’s loss because of failure to follow established standards of behavior, whether or not encoded in law, it’s negligence. And negligence is actionable.
If consumers are to remain confident in the security of their data in an environment where they are asked to share it in greater quantities, policy attitudes must change. That starts with the government realizing that cybersecurity is too big to be managed top down by a single “office” or “czar.” Responsibilities, strategies and tools must be distributed throughout the federal and state levels of government with the understanding that different hackers have different objectives. The Equifax hack was motivated by criminal profit. That means detection, prevention, regulations and response should be quite different here than for other targets, such as the Pentagon or defense contractors (espionage) and critical infrastructure (terrorism and cyberwarfare).
For one, the Equifax hack should be treated as an international organized crime problem. Solutions call for multilateral efforts with Interpol as well as other national police agencies. Treaties and accords should be pursued, but cooperation is possible without them. A model could be the Virtual Global Taskforce, an international private-public partnership of law-enforcement agencies, nongovernmental organizations and industry that has successfully targeted child pornography and child sexual exploitation.
But the private sector should be held accountable as well, especially when breaches occur because internal cybersecurity protocols and processes have been routinely ignored. Prosecutors should push for stronger penalties and judges should be reluctant to approve defendant-friendly settlements that fail sufficiently to punish a company for its carelessness.
Legislators should enact laws that guarantee baseline protection for consumers and compensation when negligence leads to loss. When a company requests or requires valuable personal data, it should be treated as under contract to do its best to protect that data. The best practices are already there. All the public needs are legislative teeth to ensure they are followed.
In the end, this transcends Equifax or any single data breach. Policymakers are still coming to grips with how the internet has exponentially increased the value of personal information. If consumers have little or no confidence in those they must entrust with it, the digital economy will be worse for it.