Governance & Risk Management , Incident & Breach Response , Legislation & Litigation
Cynic's Guide to the Equifax Breach: Nothing Will Change
Massive Breach Turns Equifax's 'Products' Into Victims, But Don't Expect JusticeCall me cynical, but if the Equifax breach turns out like every other big, bad data breach we've seen for more than a decade, after a large brouhaha - from Congress, state attorneys general, consumer rights groups and class-action lawsuits - nothing will change. Fast forward, and U.S. consumers won't enjoy any say in how their personal information gets bought or sold, and big credit-reporting agencies, such as Equifax, will see their business model remain intact.
See Also: Cybersecurity Awareness Engagement Toolkit: Elevate Your Security Culture
For any real change to occur, Congress would have to do something, such as tear down the credit bureau system and eliminate the use of Social Security numbers as identifiers, which continues to put us all at risk from fraudsters.
Fat chance: In recent years, Congress has failed to do anything of any merit when it comes to cybersecurity or bolstering Americans' privacy.
Instead, expect political theater. Lawmakers in Congress have already promised to summon executives from Atlanta-based Equifax to testify. Potentially, Equifax will be forced to prove its future information security mettle in response to formal probes now launched by at least five state attorneys general. And more than 30 class-action lawsuits have already been filed (see Equifax Faces Mounting Anger, $70 Billion Lawsuit).
But as far as Equifax's business goes, or the fact that consumers have no say in how their personal data gets bought or sold, the odds are that nothing will change.
That might sound pessimistic. But industry watchers anticipate few long-term repercussions for Equifax, which reported a net income of $489 million in 2016.
Raj Joshi, an analyst at credit ratings service Moody's, told investors regarding Equifax: "The impact of the security breach will only modestly erode its solid credit metrics and liquidity."
Equifax's 'Products' Become Victims
So for data breach victims seeking justice from Equifax, don't expect any.
I'm not suggesting this state of affairs is fair. Equifax's massive breach has turned 143 million of the company's "products" into potential identity theft victims and also resulted in the exposure of "limited personal information for certain U.K. and Canadian residents." None of the U.S. victims, however, have any rights about how their data gets used, or in this case, potentially misused. Compare that to Europe, where residents will soon have the EU's General Data Protection Regulation to safeguard their privacy.
The writing on U.S.-based data broker breaches has long been on the wall. As of 2015, for example, data broker Experian had suffered more than 100 breaches, according to the data breach blogger known as Dissent. Experian has, at times, been forced to testify in Congress about these breaches, as Equifax will now do.
For more than a decade, Congress has held hearings, but not passed legislation giving consumers any rights about how their data gets handled by brokers. But then again, Congress has not even been able to pass a federal breach notification law. Thankfully, most states have done so; at least consumers must now be notified when businesses such as Equifax lose their data.
Most Breach Lawsuits Fail
Data brokers face few - if any - breach repercussions. Most post-breach lawsuits filed by affected U.S. consumers fail, because victims must typically prove they have suffered actual or threatened financial injury, under what's known as Article III standing, legal experts say (see Why So Many Data Breach Lawsuits Fail).
In the rare cases when judges do allow these types of data breach lawsuits to proceed, most breached businesses will settle, rather than risk a jury decision that could create an unwelcome precedent. Earlier this year, health insurer Anthem agreed to a proposed $115 million deal to settle a class action lawsuit over its 2015 breach, which involved lost health data. But that settlement amount is an outlier.
In general, consumer-launched breach lawsuits, when settled, tend to yield far lower consumer compensation, such as about $10 million in the case of the Target breach, which remains tied up in appeals, or $19 million in the Home Depot case.
But the compensation that any individual victims see remains relatively small. As a result, many consumer-rights advocates view these settlements as little more than public relations moves.
Data breach victims, meanwhile, have always been left to clean up the mess. And when attackers steal an individual's Social Security Number, date of birth, address and other personal - and personally identifying - information, they may sell or trade it to others, and it may be used for attempted identity theft for months or years.
Long-Term Repercussions Are Rare
As data breach expert Troy Hunt has noted, in the short term, data breaches will often take a bite out of the value of a company's stock price. But such breaches are rarely fatal for a business - firms almost always rebound, seeing no long-term effect on their stock prices - or executives' careers.
The only exceptions, in a handful of cases, have been hacked cryptocurrency exchanges - that lose all of their funds and declare bankruptcy - or Yahoo, which had the misfortune to discover two record-setting breaches after Verizon had made a bid to buy the firm. Verizon subsequently demanded a $350 million discount and dumped Yahoo's senior management team after the deal concluded.
Even then, Yahoo's CEO, Marissa Mayer, walked away with at least $250 million following the deal with Verizon.
Why let a big, bad breach or two to stand in the way of compensation and profits?