The data breaches at Target and Sony kept them in the cybersecurity spotlight for several years -- Target because it highlighted the need for better network design and Sony because it provided a glimpse into the dirty laundry of celebrities. Now, we have the Equifax case at center stage for some scary reasons.
It's tough to forgive the company for waiting 40 days to notify federal agencies and the public about the breach that exposed birth dates, Social Security numbers, and other personal data for up to 143 million people. Then Equifax didn't win any friends when it tried to slap conditions on requests by breach victims for a free credit report.
However, as serious as the scale of the breach may be today, the Equifax case could have several even longer-term effects.
First, there is a lesson for all companies to learn from. Equifax found that its failure to apply a publicly available patch to a piece of Apache software left the company vulnerable. That highlights the need for all organizations to adopt a discipline in keeping their systems patched. However, that presents a challenge in a business world that is far more complex than what we had a few years ago, when Microsoft's Tuesday night Windows updates seemed sufficient. Today's corporate applications can be a rat's nest of custom and open-source code and data drawn from many sources, assembled by developers who may have long since left the company.
Maybe other organizations will benefit from what they learn about the patching issue. But the Equifax case also raises questions about how data is acquired and used. In fact, it's time to rethink the core credit bureau model.
This breach differed from those like Target's in that the point-of-sale systems hacked at Target held what can be thought of as first-party data. That was largely information that customers gave to Target voluntarily or through activity with the company. Customers gave Target -- as they do with other retailers -- personal information when they signed up for a loyalty card or applied for a store credit card. Customers also supplied data when they made purchases -- what they bought and, more importantly, how they paid for it. Thus, the hackers targeted credit card numbers.
You entrust retailers, banks, and many other businesses with your data. You have a business relationship with them.
Those retailers and other consumer-facing companies also have collected what could be called second- and third-party data (experts differ on where second-party starts and ends) about you. In most cases they use that data, often acquired from data brokers, in aggregate without personal identifiers, to spot market trends. Odds are that you and your peers on the data analytics team do the same on behalf of your organizations.
The retailers also use that data to identify us as members of a subset of potential customers, people who might be interested in a direct mail piece such as a sale flyer for a specific product. You may not want to get that junk mail, but it is relatively innocent and you can toss it in the recycling bin.
Credit bureaus also collect large volumes of second- and third-party data. But unlike your relationship with retailers, you may have never personally engaged with Equifax and the other credit bureaus. Unless you have contacted one for your own credit report and perhaps requested corrections, you have never given them explicit consent to use your data.
The credit bureaus sit in the background, collecting information about all of us, drawing on public data sources -- address changes with the postal service, employment records, etc. -- and our relationships with our creditors, such as banks, mortgage companies, and credit card companies, and sometimes those same retailers who have been breached themselves.
Explicit consent is something you are going to hear plenty about in the coming months as companies all over the world strive to comply with the EU's General Data Protection Regulation (GDPR) before May. A key element of that regulation is that if your company -- even if it is based in the US -- collects data about EU residents, you have to get explicit consent from those residents to store or use their data.
Technically, you may have given the credit bureaus what could be considered implied consent to use the data that they get from your creditors when you applied for a credit card or mortgage. It's right there in the tiny little print with all the lawyer speak. Or you may have authorized a new creditor to request your credit report.
That implied consent wouldn't be a problem for most of us if Equifax, TransUnion, and Experian were just sending out junk mail. However, they hold our futures, our quality of life, and that of our families, in their hands. They don't even have to ensure that the data that goes into your credit report is accurate, unless you spot errors on your own.
Apply for a loan? Credit check. Apply for a job? Credit check. Rent an apartment? Credit check. That ain't about junk mail!
I recognize that most US regulators aren't about to require it from big, profitable businesses, but the explicit consent provision and other requirements found in GDPR need to be applied to the credit bureaus, even if it completely alters their business models. The consumer has too much at stake to have so much of their life history being stored by a third party, often without their knowledge.
Just as the Robert Morris Worm of 1988, which effectively shut down the Internet, was a dope slap showing IT managers why computer security really matters, maybe the Equifax breach holds lessons for all of us. Maybe it will show analytics leaders and the C-suite executives who always demand to know more, more, and more about all of us just how serious the risks are in using and misusing data culled from other sources and intended for other purposes, particularly without our explicit consent.