The Equifax hack is highly disturbing not only because of its massive scope, but also because of the specific type of personal data that was stolen. Credit reporting agencies are supposed to be one of our lines of defense in data security and privacy protection—and Equifax failed in its core mission. Moreover, by waiting six weeks to notify customers, Equifax robbed them of the crucial window during which they may have been able to stem some of the damage. Now, people claiming to be the hackers are demanding Equifax pay roughly $2.6 million in Bitcoin, threatening to dump data on nearly all those affected if they aren’t paid by Sept. 15.
In a world where one line of faulty computer code can mean the difference between normalcy and chaos, it is often not a question of if, but when, the most sensitive systems will be hacked. Given this reality, we must improve our ability to react at every level after companies have been breached. The Equifax debacle exposed three deficiencies in our laws that need to be corrected: We need better protections for consumers, a national reporting system for data breaches, and strong cybersecurity standards for credit reporting agencies.
Companies that hold our most sensitive data need to rethink their relationship with the public. Executives at major firms swear no oaths, but they are just as responsible for the well-being of the American people as any member of Congress—especially today, when companies collect and analyze more data on the average citizen than the government does. Equifax failed not because its defenses were impenetrable. Rather, it failed because it took its role as digital gatekeeper for granted. Reports show that Equifax failed to apply a known patch that may have prevented the data breach.
In the aftermath of an attack, every employee—from the CEO to the interns—has to focus on two key goals: stop the bleeding and restore confidence. Instead, Equifax customers were faced with predatory and woefully inadequate services. The company’s rollout of a website used to inform customers of their account status was riddled with technical flaws. In some instances, the very programs Equifax offered to monitor the status of user data were themselves flagged by antivirus software as phishing scams.
If users did manage to get a straight answer about the status of their data, they soon discovered they were barred from suing Equifax due to a fine-print mandatory arbitration clause. Thanks to New York’s attorney general, Equifax has changed its policy—at least in the case of this hack. Yet the fact remains: It is outrageous that Equifax was planning to take advantage of its customers’ precarious position by stripping their rights to sue if they relied on the company’s identity theft service.
To end this consumer abuse, I plan to introduce legislation that would prevent companies from enacting their forced arbitration clauses in the event of a data breach. While my colleagues and I will focus intently on Equifax during the digital autopsy phase to come, we also have to turn our gaze inward. We need to pass a national data breach notification law—now.
Currently, a muddled patchwork of 48 different state laws governs when and how companies are required to report data breaches. Aside from disadvantaging people who live in states with more lax reporting requirements, it also complicates things for companies that want to comply. Increasingly, data isn’t stored in one single place. Depending on a firm’s network architecture, a user’s account information can exist in, say, Newark, Los Angeles, and Chicago all at the same time. That means three—or often more—competing sets of laws.
Add to this the fact that Equifax and similar firms often fall through the regulatory cracks when it comes to oversight (credit reporting agencies are less heavily regulated and monitored than banks, although they hold a goldmine of data) and a stark picture emerges. Strong cybersecurity standards may have prevented this breach. On this front, I plan to offer legislation that would compel credit reporting agencies to adopt clear cybersecurity standards similar to those of the financial industry.
In the coming weeks, Equifax and its top executives will be scrutinized by investigators at the FBI, FTC, and several congressional committees. Congress must serve as a catalyst for action, bringing together consumers who demand better cybersecurity, encouraging agencies to conduct thorough oversight, and helping firms recognize that post-incident services are a crucial part of good data stewardship. Together, we can begin to develop a system that works for the 21st century.