The Equifax data breach disaster is the last straw.
This can’t go on.
We can’t let companies flout cyber security best practices and common sense, and we can no longer rely on Social Security numbers as a secure and discreet form of identification. Equifax hasn’t shared its own cybersecurity practices, but it’s fair to say that even if they were indeed subpar, it will likely survive this storm long-term, even while victims suffer.
It’s time for some changes.
Equifax, a company best known for helping us check our credit scores and protecting consumers from identity theft(!), announced Thursday that it suffered a massive hack impacting 143 million Americans; that’s 44% of the population. The monumental security breach exposed millions and millions of personal data bits to hackers.
I would laugh if it weren’t so horrifying.
Equifax learned of the breach, which apparently came through its website (which is not nearly enough information about the cause), in late July, two months after it started. The company promises that the hackers did not access “core consumer or commercial credit reporting databases,” but they got everything that matters: Social Security numbers, birth dates, addresses and driver’s license numbers.
There is, it seems, no end to these kinds of breaches. Hackers see every company as a target, and they’ve been wildly successful with Yahoo, Target, Sony, the Democratic National Committee, Verizon, HBO, Ashley Madison, and many others.
Each time, the company (or group) apologizes, promises to fix it, protect their customers and do better.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer Richard F. Smith in a statement.
Disappointing? The heart of who you are? You’re a freaking identity protection company. Through your credit check business, you have access to much of our most precious financial information and then you ask us to pay more for identity protection. This event should destroy your business. It won’t, but it should.
You know why it won’t? Because these breaches haven’t shut down any of these businesses. Some face civil litigation and pay, some just endure a lot of public shaming.
None of them face criminal prosecution.
No one learns anything, certainly not the next company that will be hit. They just look on and breathe a sigh of relief that it’s not them.
Some new rules
Nothing will change here until we have national standards for data security and strong penalties for not applying the necessary technologies, checks, and balances.
Currently in the U.S., only a handful of industries have federal, mandatory cyber security regulations. These include the Health Insurance Portability and Accountability Act (HIPAA) for healthcare and the 2002 Homeland Security Act, which was enacted in the wake of the 9/11 attacks, for the federal government. Even in finance, which has other strict federal mandates for financial disclosures and internal controls, legislators struggle to implement sweeping cybersecurity rules.
Truth in financial reporting seems like a worthy goal, no less so than safety in data security. And yet there is virtually nothing to encourage general business to clean up its cybersecurity act. By comparison, the Sarbanes-Oxley Act, which brought sweeping financial management and corporate governance regulation to U.S. businesses in 2002, put in place hefty fines and prison terms for those who don’t follow it. Put simply, Sarbanes-Oxley mandates that company management must certify the accuracy of all financial statements and enact expensive internal controls.
One reason for the lack of cybersecurity rules is that data security and best practices in business form an intricate web of legacy hardware and software, byzantine practices, and bottom-line concerns.
Companies running old operating systems have long been prime hack targets. Most of them continue running old software because 1) it costs money to upgrade and 2) the vertical industries they serve use old legacy software that doesn’t run on the newest platform or hardware.
It’s not just the software, though. Companies like Equifax, Yahoo, the Democratic National Committee, and others don’t follow best practices when it comes to cyber security. They don’t protect or back up their databases off site, and they don’t train their employees not to open unknown emails or click on random links, or how to identify a social engineering attack.
Cyber-security regulations with the same power and penalties as Sarbanes-Oxley would change that. They would stop companies from sitting back and hoping they can dodge the bullet, much like young people avoid the doctor because they believe they can never get sick.
In 2016, 28 states either had or were considering cyber security legislation, but most of it only considers state-controlled systems and services and doesn’t look at the businesses that manage consumer data.
If you think the idea of force-feeding cyber security to business is draconian, look at Microsoft Windows 10. This platform no longer asks you if it can upgrade; it only allows you to specify when. Why? So home users can have the most up-to-date and secure systems. Microsoft doesn’t even leave cyber security in the hands of third-party companies any more (you can still buy it if you want). Instead, there’s Windows Defender. It’s free, always up-to-date and running 24/7 on every Windows 10 PC.
Ideal legislation to regulate cybersecurity would create the foundation for rating agencies to keep track of companies’ cybersecurity prowess. So Equifax would get an Equifax. The quality of a company’s cyber security across a wide variety of metrics (up to date systems, encrypted data, company wide training) would result in a score, much like one’s credit score; 1 would be the worst and 5 would be the best. Simple.
If I were writing this legislation, I would also tie it to the winding down of the Social Security number as an identity tool. Numbers are flat, discoverable things and the fact that we use a combination of nine digits as the skeleton key for life stuff should be a grave concern to everyone.
We have options. Biometric security is growing by leaps and bounds. Facial recognition on the level I have with Windows Hello can’t be fooled with a picture or someone who looks almost just like me. Iris scanning is even more foolproof and now on smartphones like the Samsung Galaxy S8 and Note 8. We have heartbeat sensors that might eventually be used to recognize the unique rhythm of each heart.
A new Cyber Security Act, with some real regulatory teeth (read: penalties), could set a timeline for retiring Social Security numbers, giving businesses and people five years to change systems and upgrade to biometrics.
Leaving these things to chance and the whims of businesses, which care more about money than they do about you, is no longer sustainable.
This must end.