On September 7, 2017, Equifax announced a data breach that compromised the personal data of over 143 million Americans. Although the breach occurred in May, Equifax did not find out about it until July, after which it waited until August to report it to the FBI and September to report it to the public. To make matters worse, Equifax had been alerted about a potential vulnerability in its system by the Department of Homeland Security in March of that year, yet took no steps toward implementing the suggested fix. As a result, millions of people have been put at risk of identity theft.
In the wake of this major breach, many have been left wondering what can be done to prevent similar future occurrences. Some government officials have suggested implementing stricter regulations on credit reporting agencies. Others, however, warn that adding more regulations will place too heavy a burden on companies that already have to deal with state, local, and federal regulators along with federal and international laws. These officials instead suggest stronger penalties for cybercrimes, especially those against the United States government.
Another suggested requirement for credit bureaus is that they obtain explicit consent before collecting or storing personal data from anyone. While this is already a requirement under the European Union’s General Data Protection Regulation, there is no such regulation in the United States. Although United States citizens technically may have given the credit bureaus implied consent to gather their information any time they have requested a credit report (or applied for anything that requires a credit report – credit card, loan, mortgage, etc.), a strong argument can be made that the credit bureaus should be required to have more than just implied consent when they are dealing with such important data that can affect one’s entire financial future. Only time will tell if such a regulation will be enacted in the United States, especially given the major and costly changes such a regulation would require credit bureaus to make.
Yet another solution to this cybersecurity problem could change the way we store personal data altogether. With talk in the White House of moving away from Social Security numbers completely, a digital identity age may be upon us. Such a digital identity structure would take the power to control one’s personal data out of the hands of large companies and put it into the hands of the individual. In this type of system, the data would be distributed throughout the population so that a hacker could no longer hack just one system to gain access to the personal data of millions of people. Organizations such as the World Identity Network and companies like Civic and ID.me are currently working to develop the technology to make this idea a reality (go to the Civic website to watch an interesting video explaining how a personally stored data system could work).
No matter which solution is chosen in response to this major data breach, one key lesson must be learned. In an age where billions of dollars are spent each year to develop and improve technological features, equal attention must be paid to developing security and privacy features to match.