In light of the recent Equifax data breach, we must take a step back to address and understand how these leaks arise, what we can do to prevent them, and how to hold companies accountable when things go wrong.
By: Akshay Pardiwala
Personal data has fueled marketing efforts, enabling businesses to target certain customer bases by performing market segmentation. The use of data for this purpose is controversial: we never know who exactly is looking at our information or how it is being used, and the last thing we want is for our information to fall into the wrong hands.
In July of this year, Equifax Inc. (EFX), a consumer credit reporting agency, experienced a massive data breach compromising sensitive information such as Social Security numbers for over 143 million Americans. This information can be really useful for banks and other institutions to check the credibility of individuals; however, the same information can be misused to fraudulently open new accounts, collect government benefits or obtain medical services, and ruin the financial credibility of identity theft victims. How do we ensure that our data doesn’t get into the wrong hands?
Under our current laws, Equifax doesn’t have to follow strict regulations when it comes to reporting breaches such as this. As a result, Equifax kept the breach a secret for over six weeks. Furthermore, their actions after the breach lack professionalism. Although Equifax denies insider trading allegations, two high-level executives liquidated $1.8 million worth of Equifax stock before the breach was made public – just a little suspect. Along with potential insider trading, Equifax was notified in March by Cisco Systems that there was a flaw in a piece of their software called “Apache Struts”. Equifax then “took steps” to correct this flaw, but they clearly failed in their “efforts” because the hackers entered the system two days after Equifax was notified and they remained undetected in the system for four whole months. When dealing with sensitive private information, extra precaution should be used to ensure security. The alleged scandals just keep adding up for Equifax. The worst part is that 48 states have passed breach disclosure laws, but none of those laws have kept agencies like Equifax in line.
It seems as if every day a new piece of information about this massive data breach gets released. Will there be an end to this? Unfortunately, in this year alone, there have been countless data breaches. This will mean either that security has to tighten up or that legislation will force agencies not to tread in risky waters. For example, effective next year, the European Union, by law, will require companies to notify customers within 72 hours after discovering a hack. How should we reform our laws to protect sensitive information?
- Do you believe that agencies have a duty to report breaches?
- How do we amend our laws to force not only Equifax, but also any other agency dealing with any sort of sensitive information to report breaches and other hacks which could compromise personal data?
- Why did the corporate governance structure fail to ensure that Equifax did its duty to report the breach in a timely manner?
- Do you think it was alright for Equifax to first try to find a solution before announcing the breach?
- Even more importantly, how do we create systems which prevent breaches in the first place?
These are just a few questions which come to light when looking at cyber security. Answering these questions will help us formulate strategies to help fight cybercrimes in the future.