The Equifax data breach — in which hundreds of millions of names and Social Security numbers, not to mention a huge cache of credit-card numbers were leaked — is already the most extensive and potentially devastating in the increasingly populated history of data breaches. Its vastness, and the potential ill effect of loose SSNs and credit-card numbers traveling around the dark web, has raised a number of questions, chief among them “am I affected?,” “what is Equifax doing to fix this?,” and “how can we make them pay?”
The bad news is that the answers are unknowable at this point. Even if your Social Security number was included in the hack, there’s not much you can do to prevent it from being sold online, either to identity thieves or state-sponsored spying operations. The best advice is to freeze credit reports at the big credit agencies and cross your fingers.
What’s Equifax doing to fix it? Not much, and not well: The company set up a website that people could use to see if they were affected, but that site was so haphazardly constructed that it could have been mistaken for a scam, and seemed to spit out results at random, even to people typing in dummy names and SSNs. Anyone who wished to put a freeze on their credit was initially issued a PIN number that was clearly generated by the date and time of submission — a freeze issued on September 8, 2017 at 2:15 p.m. generated the number 0908171415. Equifax has said that it’s changing it.
So, you might not be able to protect yourself, and Equifax is botching its end of the response. But at least we can revel in their punishment, right? Won’t some enormous fine be levied, possibly crippling a company that was too cavalier with precious data? Ah — welcome to America, my friend. There’s not a whole lot that the government can do here. As Farhad Manjoo wrote in the New York Times last week, “We really have no good way, in public policy, to exact some existential punishment on companies that fail to safeguard our data.” As is always the case, legislation and regulation trail technological progress, and data breaches of this size and scope are uniquely 21st-century problems.
You can’t ask Equifax to discard your data. You can’t prevent them from collecting more data. They got hacked, they issued a press statement, and for the most part it’s back to business as usual. Seems kinda messed up!
So what could we do, besides file endless class actions that will be settled out of court at sums not likely to be truly painful for Equifax? Well, why not borrow a page from environmental regulations? A reasonable proposal from the Council on Foreign Relations suggests treating these breaches like oil spills — except, instead of oil, it’s data. If you’re going to operate carrier-class data operations, you should be liable for the potential damage.
Let’s dispense with the class action lawsuits (anyone who has checked with Equifax to see if their data was lost may have already waived their right to sue). Setting a high dollar figure per record and making that payment a certainty will make companies think twice before asking for this data (do you really need my Social Security Number to provide me with cable service?) and twice more before storing it.
If Equifax knew with certainty that the consequences of a data loss were going to cost them $1000 per compromised record, this incident might never have happened. While regulators can’t show up with clip boards and make companies more secure, significant financial penalties would start to get market forces working in favor of security.
Remember that this isn’t just about Equifax — more than punishment here we need a future regulatory regime covering data collection across the board. Data is gathered by big firms, often in ways we don’t realize, and, like toxic waste, stored for years despite being of little discernible use. Unlike toxic waste, it can actually be disposed of without any harm. The point is that there is no justifiable reason to hold onto these enormous stores of data, and only bad things come from their unauthorized release into the wild. Simply holding onto them makes these companies a target, but it makes the average consumer the real victim.
In a talk on data collection and storage called “Haunted by Data,” Maciej Cegłowski elaborates the data-is-radioactive-waste metaphor: “If we keep it up, we’ll have our own version of Three Mile Island, some widely publicized failure that galvanizes popular opinion against the technology.” If we’re lucky, Equifax will be that failure.