Equifax breach: Told. You. So.
“There’s a consumer value proposition of being in control of their data.” That was an Equifax executive, quoted in American Banker last month. Now we know how right he was.
There's not a whole lot I can add about the disastrous Equifax breach that hasn't been said already. My colleague Rob Garver has an excellent rundown of the dumpster fire on Friday in SourceMedia's FinReg & Policy Watch. And the biggest lesson is, really, the same thing I wrote in American Banker in January:
“Customer data might be a valuable asset, but it is also a huge liability. You could even call it radioactive. …
“[I]t is painfully clear that the more information a company has about its customers, the bigger the prize for hackers….
“Apart from tightening up cybersecurity … this environment calls for a new mindset. A simple option would be to collect only what you absolutely have to in order to run the business and be compliant, and dispose of it as soon as you safely and legally can.”
Of course, Equifax's flagship business is collecting highly personal information about consumers, so perhaps that last bit of advice wouldn’t have been as much help in this case.
This is where the executive’s line about control really stings. Consumers don't really have a choice about whether to share their data with Equifax or the other big credit bureaus.
Shopping at Target or another retailer is a choice, a calculated risk (even if most people don't consciously make that risk assessment while shopping). The fact that Americans are all subject to Equifax makes the company's failure to protect people's data especially galling. Did I mention that the identity monitoring being offered to victims comes with an arbitration clause?
There is a global community of identity professionals dedicated to finding better ways to build trust in the digital economy. To be fair, Equifax is part of that movement, through OnlyID, the joint venture with FIS announced last month.
The news of the breach is surely an awkward development for that venture. And perhaps for any such enterprise that proposes to vouch for people’s identities so they don’t need to fork over personally identifiable information to a gazillion different companies. It may be safer to trust only one entity with personally identifiable information than numerous entities, but that’ll be a hard sell when one just leaked the records of 143 million consumers.