Equifax and What It Means for Cybersecurity

On September 7, 2017, Equifax announced a data breach that compromised the personal data of over 143 million Americans. Despite this breach occurring in May, Equifax did not find out about it until July, after which it waited until August to report it to the FBI and September to report it to the public. To make matters worse, Equifax had been alerted about a potential vulnerability in its system by the Department of Homeland Security in March of that year, yet took no steps toward implementing the suggested fix. As a result, millions of people have been put at risk of identity theft.

In the wake of this major breach, many have been left wondering what can be done to prevent similar future occurrences. Some government officials have suggested implementing stricter regulations on credit reporting agencies. Others, however, warn that adding more regulations will make things too hard for companies that already have to deal with state, local, and federal regulators along with federal and international laws. These officials instead suggest stronger penalties for cybercrimes, especially those against the United States government.

Another suggested requirement for credit bureaus is that they obtain explicit consent before collecting or storing personal data from anyone. While this is already a requirement under the European Union’s General Data Protection Regulation, there is no such regulation in the United States. Although United States citizens technically may have given the credit bureaus implied consent to gather their information any time they have requested a credit report (or applied for anything that requires a credit report – credit card, loan, mortgage, etc.), a strong argument can...