What the Equifax Settlement Teaches Us about Privacy Regulations – by Dr. Chris Strasser
The Wall Street Journal recently revealed that Equifax will investigate an alternative to social security numbers for identifying its customers. Having already agreed to pay more than $700M in fines for its 2017 data breach, Equifax is still negotiating the final terms of its full resolution to this incident. The breach, which affected over 150 million U.S. consumers, exposed personal privacy data such as names, addresses and birthdates, in addition to social security numbers.
The idea of obfuscating Personally Identifiable Information (PII) has been around for some time; however, this is the first time it has been mandated as the resolution of a cyber breach. The idea is simply that you do not need to use something directly tied to an individual to look up their record. By not giving broad access to PII, companies greatly reduce the risk of a cyber breach or insider threat involving such data. Most companies that use big data analytics to mine consumer behaviors are not interested in the discrete individual data, but rather in the trends and preferences the data indicates as a whole. If a different consumer ID is used to interface with each specific service, a breach of information is limited to only that service, versus a broader risk of identity theft. In other words, if Equifax does not store your social security number, it is not on the network for an attacker to take and reuse to get into your other records with other services, such as your bank.
Unfortunately, since the social security number has emerged as the common reference for individual credit liabilities across industries, this can be a tall order. However, if the social security number is held more securely and accessed directly only by customer-facing personnel and a few IT staff, this reduced access and use inside Equifax also reduces the risk of unauthorized access to it.
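The design the last two paragraphs describe, a single restricted vault holding the social security number while each service receives its own unrelated consumer ID, as an added illustration (not code from the article or from Equifax; the `PiiVault` class, role names and sample values are assumed for the example):

```python
import secrets

# Roles allowed to turn a service token back into the vault record: the
# "customer-facing personnel and a few IT staff" of the article (assumed names).
ALLOWED_ROLES = {"customer-service", "vault-admin"}


class PiiVault:
    """Single holder of SSNs; every other service gets an unrelated per-service token."""

    def __init__(self):
        self._ssn = {}     # customer_id -> SSN, the only copy in the enterprise
        self._token = {}   # (customer_id, service) -> token handed to that service
        self._owner = {}   # (service, token) -> customer_id, for authorised lookups

    def enroll(self, customer_id: str, ssn: str) -> None:
        self._ssn[customer_id] = ssn

    def token_for(self, customer_id: str, service: str) -> str:
        """Return this service's ID for the customer, minting a random one on first use."""
        key = (customer_id, service)
        if key not in self._token:
            # Random rather than derived from the SSN, so a token leaked from one
            # service reveals nothing about the SSN or about the same person's
            # token at another service.
            tok = secrets.token_hex(16)
            self._token[key] = tok
            self._owner[(service, tok)] = customer_id
        return self._token[key]

    def resolve(self, service: str, token: str, caller_role: str) -> str:
        """Map a service token back to the SSN; only permitted roles may do this."""
        if caller_role not in ALLOWED_ROLES:
            raise PermissionError(f"role {caller_role!r} may not access SSNs")
        return self._ssn[self._owner[(service, token)]]


def breach_exposure(vault: PiiVault, customer_id: str, services: list) -> dict:
    """Summarise what an attacker who copies these services' records actually obtains."""
    tokens = [vault.token_for(customer_id, svc) for svc in services]
    return {
        "unlinkable": len(set(tokens)) == len(tokens),            # no shared ID across services
        "ssn_recoverable": any(len(t) != 32 or not all(c in "0123456789abcdef" for c in t)
                               for t in tokens),                  # tokens carry no SSN digits/format
    }


if __name__ == "__main__":
    v = PiiVault()
    v.enroll("cust-1", "000-00-0000")   # constructed, invalid sample SSN
    print(breach_exposure(v, "cust-1", ["bank", "credit-monitoring"]))
```

The analytics and service tiers work only with the tokens, so a copy of their databases contains no social security numbers and no key that joins one service's records to another's.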
As we move into more integrated services and social media, the common indexing of who we are will always be in tension with the obfuscation of our private information. It is essential that this tension be maintained to protect individuals and to minimize risk to the companies that hold consumer data. As a professional compliance engineering and monitoring industry emerges to provide privacy and security services, hackers continue to grow and evolve their attack vectors, ensuring there is no risk-free way to store data. A strong, integrated compliance and cybersecurity culture across the enterprise is something Equifax probably wishes it had had back in 2015.