Data breaches and identity theft are the norm in today’s cyber landscape, but the latest data breach at Equifax is a sucker punch to anyone who has a credit score in the US.
Update 9/11/17: Equifax is now allowing those who elect to use Equifax's free credit monitoring services in the wake of the data breach the ability to void the arbitration clause. Also, freezing your credit with Equifax is now being considered a better option other than free credit reporting. Equifax seems to not be charging for the credit freezes anymore. However, it may make sense to freeze your credit at TransUnion and Experian.
The implications of this breach are massive and becoming quite the PR mess for Equifax. Basically, unless you have been living off the grid deep in the Amazon Rainforest, your social security number, credit card numbers, and more have been exposed.
You can check to see if your data was lost in the data breach here. If so, Equifax is offering free credit reporting and identity protection for a year if you enroll in their TrustedID Premier service. They even give you a date when you can come back to the site and sign up.
Two things seem problematic here. One is you get the sense they are leveraging your misfortune to sell you a product. The second, and most ironic, is that product is identity protection – the very thing they just made necessary.
Watch Out For The Arbitration Clause
But you may want to read the fine print before signing up for their services. The default seems to be that you are giving up your right to be a part of any class-action lawsuit. Instead you are accepting their arbitration clause. I’m not a legal expert, so I’m not entirely sure how binding this is, but it seems fairly evident from the Terms of Service on their website that you can waive your rights to participate in class action lawsuits.
So it would appear that this ‘free offer’ is less of an apology for losing your data in the first place and maybe more focused on covering Equifax’s potential exposure to huge financial losses.
The Point of No Return
The most frustrating part of this breach is that we’ve reached a tipping point. There isn’t much we can do to protect ourselves at this point, the damage has been done. All of our information is out there on the market for a price, therefore all of us are vulnerable to identity theft. It is a case in point of why each and every one of us needs to stay vigilant about who has our data and what they are doing with it. Nobody else is going to do it for us. It also doesn't help that companies like Equifax obtain our data without our consent.
At this point, we may have to consider a new deal of sorts on what our identity actual is and what it means to us.
Maybe biometrics needs to play a bigger role in identity protection, or maybe we all need new social security numbers. It isn’t far fetched. If a criminal has our name address, phone number, and social security number then there is nothing stopping them from pretending to be whomever they want. They have enough information to open new credit card accounts, take out loans, and even get access to more information that is sensitive.
Transparency Is Best PR In Wake of A Data Breach
Consumers can quickly read the moral compass of a company when a data breach occurs. If the company acts in a way that seems immoral, they risk ruining their reputation even more. This results in more class action lawsuits, civil suits, and smear campaigns. In Equifax’s case, the fact that some executives started selling off stocks before the breach became public speaks volumes.
Vice versa, if a company plays their cards right when a breach happens, they can turn a very negative situation into a small positive by being transparent and doing what they can to help those affected by a breach. Data breaches aren’t going away and every business is at risk, some more than others. Having the right plan in place that contains as much of the damage as possible may be the difference between living another day or going out of business.
The US Needs Its Own GDPR
Currently, US law does not protect your data. In most cases, laws merely dictate how quickly a company like Equifax has to notify us that they have lost it. Obviously, we need more protection and we need the companies who profit from our data to start taking a bigger role in protecting our personally identifiable information (PII). This will continue to happen unless there are strict fines and regulations.
Maybe we should take a lesson from our neighbors across the Atlantic. Regulations like the European Union’s General Data Protection Regulation (GDPR) actually dictate that personal information belongs to the person described by it – not the corporation that has it. GDPR gives EU residents the right to opt-out and notify a company that they can no longer use their data. Perhaps it is time for the US to start passing laws that protect its citizen's rights instead of large corporate interests.