Lots and lots and lots of people are talking about the Equifax breach. Many share similar views: this can’t happen again, Equifax should face some economic consequence, consumers need to be better educated, we need legislation, we need regulation. All of which may be valid and reasonable, but few of which will actually happen. Foremost among them, we will have another breach.
So how can we reduce the consequences for consumers and companies when the next breach happens?
We can pass national data breach legislation. A national standard would not have prevented the Equifax breach, but it would clarify for consumers and companies the types of information subject to protection and the penalties for failing to do so. While respecting the valuable role of the states, we clearly need a basic federal standard to ensure that all Americans can expect adequate data protection allowing companies to better deploy security and training so that the next breach is less damaging for consumers. Senator Mark Warner has not only renewed the call for national data breach legislation, but also asked the important question “is it time to rethink data protection policies dealing with these large, centralized sets of highly sensitive data on millions of Americans?” The answer to Senator Warner’s question is yes.
We need to reconsider whether companies like Equifax should be permitted to have access to and maintain sensitive consumer information without the consumer’s knowledge. As others have pointed out, the consumers whose information the breach compromised were not Equifax customers. Rather, the banks and other institutions that provided Equifax consumer data are Equifax customers. In most cases, consumers are the customers of Equifax’s customers, e.g., your mortgage bank.
Consumers can and should demand adequate security of the personal information held by their bank, and the bank can demand adequate security from the companies to whom they sold, traded, or shared their customer’s information. In the financial services sector these counter-party risk management obligations are proving somewhat effective at reducing cybersecurity risks. This risk management approach has its roots in regulations that require consideration of risks and processes to manage, but don’t specify the methods, e.g., software applications, to address them.
The result is that the financial services sector is leagues ahead of its peer sectors in terms of cybersecurity practices. And as we’ve just seen, that’s not saying much. What can consumers expect, then, with the expanding Internet of Things, and the myriad insecure products collecting unknown types of data and storing and sharing such data largely without consumers’ knowledge.
Consumers need actual notice of the organizations maintaining their sensitive personal information and the right to have it securely destroyed or otherwise rendered inaccessible. In the era of data brokers, big data, and cheap storage, it is no longer sufficient to have an annual disclosure requirement that offers few specifics about what’s actually happened to a consumer’s personal information; it’s no wonder few consumers actually read them. If organizations maintain systems sophisticated enough to share personal information with their peers, then they can also provide notice to the person whose information they shared. Without knowledge of the organizations that maintain consumer personal information, how can consumers know whom to ask about the adequacy of the security afforded to their information. And, even if consumers knew whom to ask, they are not in a position to know what to ask or to assess the response. Nor should they be.
We need greater transparency and accountability to help consumers make informed choices about who should have access to their information. So yes, organizations that maintain sensitive information should be subject to a national data breach standard. But notice after the breach together with a few years of credit monitoring are hardly adequate. Worse yet, some companies offering credit monitoring use terms of service as a mechanism to limit consumers’ recourse through binding arbitration when they fail to uphold their obligations. Binding arbitration clauses inhibit full accountability and fail to provide full recovery for consumers; they should no longer be permitted in agreements over consumer information and existing clauses should not be enforceable.
We need to properly allocate liability for data breaches. Liability has been thrown around in cybersecurity policy discussions for decades. The Cybersecurity Act of 2015 provides some protection for companies for actions taken consistent with its authorizations. But we’ve yet to see liability protection incent significant changes in information sharing since the law’s passage. It’s time to broaden the discussion to consider whether breached companies should face liability where they failed to follow best practices or were otherwise, well, stupid. Which isn’t to say hardware and software manufacturers are immune. Rather, they too should feel greater pressure to adhere to the highest of industry standards and face the possibility of litigation when they don’t. In the face of ongoing breaches where it’s clear that companies knew they were the target of malicious activity and knew the security measures to take but failed to take or maintain them, it’s hard to see why strict liability is an unfair approach. If consumers can’t negotiate their rights with full knowledge of the risks, they shouldn’t be left with the additional cost of credit freezes and years of the possibility of identity theft and the attendant consequences. Equifax makes clear that today’s approach to liability is not in anyone’s long term interest – consumers or companies.
We also need an audit regime to assess whether companies that hold sensitive consumer data are adequately protecting it and a transparency process to share the results with consumers. Consumers may not know current best practices to appropriately secure sensitive personal information, but they should have the ability to choose a company that is following them. And if that company’s efforts fail, the steps taken will have informed a relevant insurance market, which can then manage the costs of the breach. As my colleague Rob Knake observed, if financial impact is a certainty, “companies [will] think twice before asking for this data …and twice more before storing it.”
If Equifax teaches us anything, it’s that consumers should no longer bear the burden of poor data security in the form of inadequate, after the harm remedies and limited means of recourse. Instead, we need real opportunities to hold companies accountable by arming consumers with information about who has their data and how good they are at protecting it, and a liability regime that properly allocates costs and risks across stakeholders.