By allowing the most sensitive information of 143 million consumers to be stolen, Equifax failed big time with something that is make or break for them: data. The company also bungled public disclosure of the compromise, as well as the basics of effective crisis communications and data breach corporate communications.
Think: “growing pains” (not the TV show, but the phenomenon). Despite the pain (in the form of disruption and inconvenience) that it will certainly cause millions of consumers, the Equifax fail could be a growth opportunity.
As Henry David Thoreau observed: “All misfortune is but a stepping stone to fortune.” In that spirit here’s how one might view the glass half full – for Equifax, for companies of all types and sizes defending their networks, and for individual consumers.
Credit bureau overhaul
Johnson & Johnson wrote the playbook on how to communicate with consumers after the still-unsolved Tylenol murders of 1982. They were transparent, empathetic and took immediate action to protect consumers.
By contrast, Equifax Chairman and CEO Richard F. Smith provided a textbook example of what not to do. Not only did he fail to come up with a viable crisis communication game plan, he did nothing to stop three executives from dumping company shares before the data compromise was made public.
Smith’s glass-half-full moment: using the disclosure to herd victimized consumers into a product up-sell campaign, simultaneously maneuvering for legal advantage. (It should come as no surprise that it took plaintiff lawyers in Oregon a matter of hours after the company’s public disclosure to file a class action lawsuit against Equifax.
The company now likely faces a Security and Exchange Commission insider trading investigation, not to mention probes from state attorneys general enforcing data breach disclosure laws. Doubtless, more inquiries – and fines — will be levied for violations of Canadian and European data privacy laws. Total expenses for dealing with the breach “could easily surpass $500 million,” says Bob Ackerman, managing director, Allegis Capital. And before it’s all said and done, Equifax’s market capitalization could drop as much as $5 billion, estimates Venky Ganesan, managing director, Menlo Ventures.
The silver lining: The Equifax data breach could be a catalyst for lawmakers (if only Congress were a functional entity) to overhaul how the Big Three handle and profit from consumer data.
Sharing forensic intelligence
It’s to be expected that Equifax, like every other billion-dollar corporate entity, has spent tens of millions of dollars on network defense. The global market for cybersecurity products and services is expected to grow from $138 billion in 2017 to $232 billion by 2022, a compound annual growth rate of 11%, according to research firm MarketsAndMarkets.
The question is this: Has Equifax invested wisely in a well-thought out layered defense, enhanced by effective employee training, vigilance over third-party suppliers and consistent policy enforcement? I don’t think so. This is, in essence, what’s called for in New York State’s newly-minted cybersecurity certification requirements for financial services firms.
From everything the company has disclosed thus far, it would appear Equifax fell well short on a number of fronts. Smith did admit that a ‘web application’ was exploited, but gave no details.
So a silver lining for the rest of the business world would be this: Richard F. Smith somehow sees the light. He agrees to share details of forensic findings, if not publicly, then at least through channels in the financial services sector, as well as in the cybersecurity community at large. There is little in Smith’s curriculum vitae to suggest he might consider making this type of for-the-greater-good gesture. But peer pressure is growing. And one can hope.
Also, it would be a positive step for Equifax to fill its vacant Chief Information Security Officer position. Kenneth Geers, senior research scientist at Comodo, has made the following observation: “It’s alarming that, despite past cybersecurity compromises, Equifax today apparently has no chief information security officer (CISO) to talk to.”
Consumer privacy revolt
And what about us? There’s no getting around the profound damage done. The Big Three hoard vast amounts of personal and historical data, duplicated to a large degree at each bureau. Bad enough that Equifax lost the most sensitive kinds of personally identifiable information and payment card account information. It also gave up lists of residences, histories of loans, places of employment, names of close relatives and the like — for each and every victim.
“This is a really big deal because it isn’t just a few pieces of personal information that were hacked,” Menlo Ventures’ Ganesan observes. “A credit bureau has all of a consumer’s important information. This is the equivalent to penetrating the Federal Reserve, not merely robbing an individual bank.”
The silver lining for consumers?
Perhaps this will be the tipping point hack that compels the majority of consumers to consciously forego convenience and purposefully begin to pay much closer attention to reducing their digital footprint. A consumer movement – or revolt, if you will — is long overdue. Only when enough consumers demand that the companies we patronize truly respect our digital privacy will gaping exposures like the one Equifax failed to adequately mitigate become a thing of the past.