Case Study: Equifax Data Breach
By Irini Kanaris Miyashiro
Credit Reporting Agencies
The case study of the Equifax data breach exemplifies flaws inherent in management of Credit Reporting Agencies (CRAs). CRAs aggregate and sell historical credit information of individuals and companies. Credit card companies, banks, employers, and landlords sell consumers’ borrowing and repayment history to CRAs. This data is compiled into credit reports which are bought by lenders and used to assess the creditworthiness of individuals applying for loans. Those with a history of reliably paying back loans are more likely to receive credit and favorable interest rates. Credit reports might also be requested by landlords and employers to screen tenants and employees (Dollarhide).
The Players
Equifax
Equifax is a multinational credit reporting agency, founded in 1899 and headquartered in Atlanta, Georgia. One of the three major US credit reporting agencies (alongside Experian and TransUnion, known together as “the big three”), Equifax holds the information of millions of consumers and businesses worldwide (Investopedia). Equifax sells both commercial credit reports and consumer credit reports (sold to banks, insurance firms, and healthcare providers, among others). Additionally, Equifax sells credit monitoring services, including credit fraud and identity theft prevention services (Equifax).
Equifax CEO Richard Smith
In 2017, Equifax’s management was led by chair and CEO Richard Smith, who took on the role in 2005 (LaMagna).
Equifax CSO Susan Mauldin
In 2017, Equifax’s security division was headed by Susan Mauldin, responsible for designing and implementing Equifax’s first patch management policy. Mauldin proposed comprehensive changes to Equifax’s cybersecurity policy, but by 2017, the majority of her reforms had not yet been implemented (PSI).
Equifax CIO David Webb
In 2017, Equifax’s global technology strategy was managed by David Webb, who was appointed chief information officer in 2010 (Equifax).
Equifax Security and IT
Equifax’s Security and IT teams are the primary divisions responsible for patch management, the process of applying updates to computer assets to address identified security vulnerabilities. Generally, Security scans for vulnerabilities on Equifax networks, while IT employees apply the necessary software patches (PSI).
Equifax Customers
- Companies or businesses which request the credit reports of consumers or businesses.
- Members of the public or businesses that request credit reports or pay for information about their own credit rating, such as credit monitoring services.
Consumers
Members of the public assent to their information being shared with CRAs when, for example, they open up bank or credit union accounts, take out a line of credit/mortgage, or open up any kind of credit card (FTC). However, the long and convoluted language of such agreements is rarely read or fully understood, and consumers have no choice but to assent to the sharing of their information if they need a credit card. For the vast majority of people, establishing a credit history is essential to participating in society: credit checks are necessary for being hired, renting a home or taking out a mortgage to buy a home, buying a car on credit or leasing a car, and so on. Most consumers have little option but to share their information (Khalfani-Cox). Consumers who request and pay for credit monitoring services are also clients. But CRAs hold the information of millions of people irrespective of whether they or anyone else has requested a credit report for them. In fact, many members of the public are not even aware of the existence of credit agencies, what their function is, or that such agencies hold their personal information.
Federal Trade Commission (FTC)
The Federal Trade Commission is a government agency responsible for preventing unfair business practices and enforcing consumer protection laws including the Fair Credit Reporting Act (FCRA). The FCRA works to ensure the accuracy, fairness, and privacy of consumers’ credit report information by ensuring that consumers have access to a free credit report every 12 months, access to consumers’ credit information is limited, information provided in credit reports is accurate, and consumers can dispute information in their credit files, among other things (Experian).
Consumer Financial Protection Bureau (CFPB)
The Consumer Financial Protection Bureau is a government agency which oversees financial products and services offered to consumers. The CFPB works with the FTC to regulate CRAs through applicable provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act, designed to prevent unfair and deceptive acts and ensure “agencies provide meaningful and reliable credit ratings of the businesses, municipalities, and other entities they evaluate” (Hayes). The CFPB may also examine and supervise CRAs’ activities (PSI).
Mandiant
A cybersecurity research firm hired to investigate the Equifax breach (PSI).
Instruments
Personally Identifiable Information (PII)
Equifax’s assets include the PII of consumers whose financial data are collected. PII includes consumers’ names, addresses, dates of birth, social security numbers, and credit card numbers. Loss of PII can lead to identity theft (PSI).
The Apache Struts Vulnerability
A flaw in the popular Apache Struts Java framework, used for Java-based web applications, discovered by Chinese cybersecurity researcher Nike Zheng. The software flaw allows hackers to insert malicious code in the Content-Type header of HTTP requests, which is then executed by Struts on the server (Riley, Michael, et al).
Patch Management
Patch management refers to distributing and applying software updates, often to correct known software errors or vulnerabilities. In cybersecurity, Security and IT divisions maintain patch management systems to prevent hackers from exploiting software vulnerabilities to gain access to company networks (Posey).
IT Asset Inventory
The complete documentation of a company’s hardware and software, as well as the information processed on these computers. Assets are typically documented and then classified by threat level so that the appropriate protections can be installed to defend them. Equifax management proposed a plan to create a complete asset inventory by June of 2017, but at the time of the breach, it had not yet been implemented (PSI).
SSL
SSL is a security technology that allows communication between web browsers and servers to be encrypted. With a valid SSL certificate installed on its inspection equipment, a company can also decrypt and analyze its own network traffic to detect unusual or suspicious activity. SSL certificates are typically renewed annually (PSI).
The Events
In the years leading up to the breach, Equifax struggled with outdated cybersecurity policies and instruments. In April of 2015, former CSO Susan Mauldin implemented Equifax’s first patch management policy. An internal audit of the policy later that year revealed numerous security deficiencies, including over 8,500 unresolved software vulnerabilities (PSI). In May of 2016, Equifax’s W-2 Express website was also hacked, resulting in the leak of 430,000 names, addresses, social security numbers, and other types of personal information (Brewster). By 2017, most of Equifax’s security deficiencies had not been remediated, allowing hackers to breach Equifax’s network and harvest the PII of 147 million consumers (PSI).
Events began on March 7th of 2017, when Apache publicized an easily exploitable vulnerability in Apache Struts and provided a patch for it. On March 8th, the Department of Homeland Security’s US-CERT team (a division within the DHS responsible for disseminating information on cyber security threats) notified Equifax of the software flaw, and an alert was distributed to 400 employees by Equifax’s Global Threats and Vulnerability Management (GTVM) team (PSI). The Struts vulnerability was also assigned the highest possible criticality score, a 10, by the National Institute of Standards and Technology (NIST) using the Common Vulnerability Scoring System, or CVSS (PSI).
On March 10th, hackers breached Equifax’s networks by exploiting the Apache Struts flaw in Equifax’s online dispute portal. On May 13th, attackers spread from the compromised portal and gained access to other parts of Equifax’s network (Fruhlinger). From May through July, hackers accessed multiple Equifax databases and extracted consumers’ personal information. Stolen data included consumers’ names, addresses, dates of birth, social security numbers, and credit card numbers (PSI).
After learning of the vulnerability, Equifax’s GTVM team attempted and failed to locate Apache Struts on its servers by conducting multiple network scans. IT and Security’s inability to locate and patch Apache Struts can be attributed to existing flaws in their cyber security policy, outlined in a report published by the Senate Permanent Subcommittee on Investigations (PSI):
Lack of Comprehensive IT Asset Inventory
At the time of the breach, Equifax lacked a complete IT Asset Inventory, meaning it did not know where the Apache Struts application ran on its network. Instead, IT had to conduct network scans, which failed to detect the software.
Failure to follow Patch Management Policy
Equifax’s security policy mandated that critical vulnerabilities be patched within 48 hours of discovery, but according to Mandiant, the lack of an IT Asset Inventory made meeting this deadline impossible. Struts was ultimately patched 5 months after Equifax learned of the flaw. IT conducted multiple network scans but could not find instances of the vulnerable software. After failing to locate the application, IT and Security took no further action to find Struts, and management did not verify that the vulnerability had been remediated.
IT and Security Management
Communication among employees on the remediation of security vulnerabilities was inconsistent. Equifax held monthly GTVM meetings to discuss new vulnerabilities, but the status of the previous months’ threats was often not discussed, even if they had not yet been remediated (PSI). Equifax did not require attendance from employees or management or keep records of who attended meetings. Additionally, the only employee who knew of Equifax’s use of Apache Struts in the online dispute portal was not included on the GTVM distribution list and did not receive news of the vulnerability. The senior manager who oversaw this lead developer and his team received the alert but failed to relay the information.
Failure to Maintain Cybersecurity Technologies
The severity and duration of the breach was exacerbated by Equifax’s failure to renew an SSL certificate needed to inspect encrypted network traffic. Hackers encrypted their activities on Equifax servers, but because the certificate had expired, incoming traffic was not decrypted, and Equifax had no knowledge of suspicious activities on the online dispute portal.
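The four failures above (no asset inventory, a missed 48-hour deadline, an alert that never reached the owning developer, and an expired inspection certificate) can all be expressed as checks over an inventory. The following Python script is an added illustration, not code from the PSI report or from Equifax; the hostnames, versions, dates, owner addresses and the “fixed_in” version are constructed placeholders, and the SLA tiers other than the 48-hour critical tier are assumed.

```python
from datetime import datetime, timedelta

# Constructed inventory for illustration only; these are not Equifax's assets.
# "cert_expires" is the expiry of the certificate the traffic-inspection device
# needs to decrypt this host's traffic. A record with None values models an
# asset that was never fully inventoried.
INVENTORY = [
    {"host": "dispute-web-01", "app": "online dispute portal",
     "component": "apache-struts", "version": "2.3.30",
     "owner": "dispute-dev@example.test", "patched_on": None,
     "cert_expires": "2016-11-15"},
    {"host": "dispute-web-02", "app": "online dispute portal",
     "component": "apache-struts", "version": "2.3.30",
     "owner": "dispute-dev@example.test", "patched_on": "2017-03-09T10:00",
     "cert_expires": "2018-01-10"},
    {"host": "hr-portal-01", "app": "HR portal",
     "component": "apache-struts", "version": "2.3.34",
     "owner": "hr-it@example.test", "patched_on": None,
     "cert_expires": "2017-09-01"},
    {"host": "legacy-app-07", "app": "unknown",
     "component": None, "version": None, "owner": None,
     "patched_on": None, "cert_expires": None},
]

# Hypothetical advisory. "fixed_in" is a placeholder, not the real Struts fix version.
ADVISORY = {"component": "apache-struts", "fixed_in": "2.3.32", "cvss": 10.0}

# Hours allowed to patch, by CVSS floor. The 48-hour critical tier is the policy
# described on the page; the lower tiers are assumed for illustration.
SLA_HOURS_BY_CVSS = [(9.0, 48), (7.0, 168), (0.0, 720)]


def parse_version(text):
    """'2.3.30' -> (2, 3, 30) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def sla_hours(cvss):
    for floor, hours in SLA_HOURS_BY_CVSS:
        if cvss >= floor:
            return hours
    return SLA_HOURS_BY_CVSS[-1][1]


def assess(inventory, advisory, alert_at, now):
    """Classify every asset against an advisory.

    Statuses: inventory_gap (cannot be evaluated at all), not_affected,
    patched (inside the SLA), patched_late, overdue, within_sla.
    'notify' is who must receive the alert; None exposes a routing gap.
    """
    deadline = alert_at + timedelta(hours=sla_hours(advisory["cvss"]))
    fixed = parse_version(advisory["fixed_in"])
    results = []
    for asset in inventory:
        if asset["component"] is None or asset["version"] is None:
            status = "inventory_gap"
        elif (asset["component"] != advisory["component"]
              or parse_version(asset["version"]) >= fixed):
            status = "not_affected"
        elif asset["patched_on"] is not None:
            patched_at = datetime.fromisoformat(asset["patched_on"])
            status = "patched" if patched_at <= deadline else "patched_late"
        elif now > deadline:
            status = "overdue"
        else:
            status = "within_sla"
        results.append({"host": asset["host"], "status": status,
                        "notify": asset["owner"], "deadline": deadline})
    return results


def expired_inspection_certs(inventory, as_of):
    """Hosts whose inspection certificate is expired or unknown: traffic to
    them is effectively invisible to the monitoring team."""
    blind = []
    for asset in inventory:
        exp = asset["cert_expires"]
        if exp is None or datetime.fromisoformat(exp) < as_of:
            blind.append(asset["host"])
    return blind


if __name__ == "__main__":
    # Alert received March 8th (as on the page); evaluated one week later.
    alert = datetime(2017, 3, 8, 9, 0)
    for r in assess(INVENTORY, ADVISORY, alert, datetime(2017, 3, 15)):
        print(f"{r['host']:<16} {r['status']:<14} notify={r['notify']}")
    print("blind spots:", expired_inspection_certs(INVENTORY, datetime(2017, 7, 1)))
```

Any asset reported as inventory_gap or with notify=None is a finding in its own right: the advisory cannot be actioned until the inventory record is completed.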
On July 29th, Equifax renewed the expired SSL certificate used to inspect encrypted network traffic. IT immediately noticed suspicious activity on Equifax servers, leading to the discovery of the breach (Fruhlinger). On August 2nd, Equifax retained law firm King & Spalding LLP, which enlisted Mandiant to investigate the breadth of the breach. Over the next several weeks, Equifax employees identified a list of affected consumers (PSI).
On September 7th of 2017, six weeks after its discovery, Equifax issued a public announcement that its networks had suffered a data breach exposing the personal information of 143 million consumers (Equifax later discovered an additional 4 million affected consumers). Initially many expected the breach would result in widespread identity theft and fraud. Ultimately, investigators came to believe the breach was executed by Chinese state-sponsored hackers as part of a government operation to collect American data (Fruhlinger).
Outcomes
Investigations and Findings
The Equifax breach was investigated by several Federal authorities, including the FBI, the FTC, and the CFPB. An additional insider trading investigation was conducted by the Securities and Exchange Commission (SEC) and the US Attorney’s office in Atlanta related to the sale of $2 million of Equifax stock by executives after the discovery of the breach. Equifax also faced inquiries by at least 34 state attorneys general (EPIC).
Additionally, members of Congress from the House Financial Services Committee, the Senate Banking, Housing, and Urban Affairs Committee, the Senate Commerce, Science, and Transportation Subcommittee, the House Energy and Commerce Committee, the Senate Banking Committee, and the Senate Judiciary Subcommittee on Privacy held congressional hearings covering the breach (EPIC). The breach was also investigated by the Senate’s Homeland Security Permanent Subcommittee on Investigations (PSI), a subcommittee responsible for investigating government operations, compliance with regulations and laws, and cases of crime and fraud which threaten national welfare (HSGAC).
PSI published a detailed report that concluded the breach was likely preventable and outlined Equifax’s history of lax cybersecurity practices. The consensus of the investigations was that Equifax was responsible for the loss of PII through negligence.
Lawsuits
Equifax faced lawsuits by both local and state governments. The city of San Francisco sued Equifax over violations of California’s unlawful, unfair, or fraudulent business practices law, and the city of Chicago sued Equifax over violations of the Illinois Personal Information Privacy Act, the Illinois Consumer Fraud and Deceptive Business Practices Act, and the Chicago Consumer Fraud ordinance (EPIC). Attorneys General Maura Healey and Curtis Hill also sued Equifax on behalf of their states of Massachusetts and Indiana (Kovacs).
Resignations
CEO Richard Smith, CSO Susan Mauldin, and CIO David Webb resigned in the aftermath of the breach (Horowitz & Wiener-Bronner). Smith retained his full pension, valued at over $18 million, after his resignation (LaMagna).
Arrests
In 2019, former Chief Information Officer Jun Ying was found guilty of insider trading and sentenced to four months in jail. Former Equifax manager Sudhakar Reddy Bonthu was also found guilty of insider trading and sentenced to 8 months of home confinement. No other Equifax employees faced arrest related to the breach (Musil).
Equifax FTC Settlement
In July of 2019, in a settlement with the FTC, the Consumer Financial Protection Bureau, 48 states, the District of Columbia, and Puerto Rico, Equifax agreed to pay up to $700 million in fines and compensation for the 147 million affected individuals. $300 million of the settlement was distributed to individuals whose personal information had been exposed during the breach. Equifax was also required to pay up to $125 million in consumer compensation for additional out-of-pocket losses if needed. Equifax paid $175 million to states and $100 million to the CFPB in civil penalties (FTC).
The FTC alleged that Equifax violated “the FTC Act’s prohibition against unfair and deceptive practices and the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program to protect the security, confidentiality, and integrity of customer information” (FTC). To address deficiencies in Equifax’s cybersecurity, the FTC also required Equifax to institute a comprehensive information security program which would include “annual assessments of internal and external security risks and assure that service providers with access to personal information stored by Equifax also implement appropriate security programs” (FTC).
Several forms of compensation were offered as part of the $300 million paid out to affected consumers (JND):
Free Credit Monitoring Services
Consumers who filed a claim within the first claims period (prior to the January 22nd, 2020 deadline) were eligible for 4 years of credit monitoring services provided by Equifax, Experian, and Transunion with up to $1,000,000 in identity theft insurance. After this 4-year period, consumers who successfully filed a claim could enroll in 6 more years of credit monitoring services provided by Equifax.
Cash Payout
Within the first claims period, consumers who had already purchased credit or identity monitoring services for at least six months prior to the breach were eligible to claim a maximum of $125 in compensation in lieu of free credit monitoring services.
Identity Theft Compensation
Consumers were eligible to receive compensation (up to 20 total hours at $25 an hour) for time spent recovering from identity theft and fraud occurring within the first claims period. Consumers could also claim up to $20,000 in out-of-pocket losses occurring within this period.
Extended Claims Period Identity Theft Compensation
While the first claims period has passed, consumers are now eligible to receive compensation for out-of-pocket losses and time spent recovering from identity theft and fraud occurring within the extended claims period, between January 23, 2020 and January 22, 2024.
Identity Restoration Services
All affected consumers are eligible for Experian’s Assisted Identity Restoration Services if they experience identity theft within seven years of the breach. These services include, “access to a U.S. based call center providing services relating to identity restoration, assignment of a certified Identity Theft Restoration Specialist to assist you in addressing an identity theft event, and assistance with a step-by-step process to deal with companies, government agencies, and credit bureaus” (Equifax).
Equifax Subscription Product Reimbursement
Consumers who had an Equifax credit monitoring or identity theft protection subscription between 9/7/2016 and 9/7/2017 were eligible for reimbursement of 25% of the amount paid if they filed a claim within the first claims period.
The terms of the payout garnered criticism from both consumers and lawmakers. Equifax’s settlement with the FTC promised only $31 million in compensation for consumers who had credit monitoring services at the time of the breach, with a maximum payout of $125 per customer. As Senator Elizabeth Warren pointed out, this would only cover the $125 compensation of 248,000 individuals. Because Equifax had millions of qualified customers, the realistic payout would be far lower (Higgins). This turned out to be the case. By the December 2020 deadline, over 4.5 million consumers had filed a claim, resulting in an estimated payout of only $7 each (Siegel Bernard). Consumers and lawmakers also accused the FTC of misleading consumers about the size of the cash payout because some materials seemed to suggest that every affected consumer would receive $125 (Higgins). In response, the FTC recommended that consumers elect the free credit monitoring services option instead of the cash payout (FTC).
Equifax was also accused of complicating the claiming process to reduce the number of individuals able to successfully file claims. Affected consumers received an email from the Equifax settlement team that required them to verify they had credit monitoring services in place by October 15th, 2019. Without verification, consumers’ claims would be denied. According to some consumers, the email looked illegitimate, leading many to question its authenticity. The FTC clarified the email was legitimate on their site (Warzel).
Independent Settlements with States
Massachusetts and Indiana secured $18.2 million and $19.5 million in settlements with Equifax respectively (Kovacs).
Legislation
The FTC settlement resulted in calls for legislation that would increase penalties for CRAs which lost consumer information. In 2018, Senators Elizabeth Warren and Mark Warner introduced the Data Breach Prevention and Compensation Act, which specifically responded to the Equifax breach. The Act would, “give the Federal Trade Commission more direct supervisory authority over data security at CRAs, impose mandatory penalties on CRAs to incentivize adequate protection of consumer data, and provide robust compensation to consumers for stolen data” (Warren). This would include the establishment of an Office of Cybersecurity at the FTC responsible for conducting inspections of CRA’s cybersecurity. The Act would also impose, “mandatory, strict liability penalties for breaches of consumer data beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised and another $50 for each additional PII compromised per consumer” (Warren). Under this Act, Equifax would have paid at least $1.5 billion to consumers.
In March of 2018, the Senate passed the Economic Growth, Regulatory Relief, and Consumer Protection Act, which allows consumers free credit freezes and the ability to place one year fraud alerts on their accounts (FTC). However, lawmakers have not made progress in passing a comprehensive reform bill responding to the Equifax breach. The Data Breach Prevention and Compensation Act was reintroduced in 2019, but since then has not further advanced in becoming law.
Ethics Analysis
Several unique aspects of Credit Reporting Agencies’ function shape their position in the economic life of American society and their ethical responsibilities.
- CRAs have become gatekeepers for essential functions, like finding work, housing, and managing one’s money. Consumers need credit to navigate the current economic system. While we might be able to choose not to shop at Amazon, for example, electing not to establish a credit history amounts to opting out of regular economic activity. Consumers therefore lack agency in their relationship with CRAs.
- Information held by CRAs, including PII, is especially sensitive. Other businesses wouldn’t have access to this type of data. Loss of PII can result in identity theft with devastating effects, including financial instability, and lack of access to housing and employment, for consumers. Further, this loss of PII means credit information supplied to lenders is no longer reliable or valuable.
- Loss of information through data breaches not only threatens the validity of the credit reporting industry’s function but also threatens the United States’ national security and economic infrastructure. The current banking and taxation system utilizes social security numbers as PII. According to security investigators, the Equifax data breach was most likely the work of the Chinese government as part of a scheme to collect pools of consumers’ data. It’s not a stretch to imagine that a hostile international actor could use consumer data to significantly disrupt these systems.
In sum, the position CRAs hold in the US economy, the sensitivity of the information they have access to, and the serious consequences of loss of this data, heighten Equifax’s responsibility to the American public. These factors must be considered in examining the ethics of their behavior.
1. Promises and Trust: Failure to Protect Consumer Data
A company has an ethical duty to honor promises made to customers. This kind of promissory obligation is based on commitments to providing certain services and following a code of ethics and conduct. According to business ethicists like Manuel Velasquez, these promises can be understood as a kind of contractual relationship between a customer and a corporation (Velasquez). We require higher standards of performance from individuals and companies making these promises because clients put their trust in those individuals or companies based on these “contracts.”
Equifax’s failure to protect consumer data falls broadly into the category of negligence. Equifax IT and Security failed to adhere to cybersecurity policies specifically designed to prevent data breaches. Several contextual factors contribute to the ethical assessment of negligence:
- The potential consequences of negligence
For example, negligence in a trivial matter such as sorting recycling would be weighed as far less morally repugnant than forms of negligence that could end another person’s life. Equifax’s failure to follow cybersecurity policies jeopardized the PII of millions of Americans, with potentially catastrophic personal consequences, as well as posing a continued threat to national security.
- Whether negligence was part of a pattern of behavior
In Senate testimony, former Equifax CEO Richard Smith blamed the breach on the actions of one security employee, who he reported was meant to apply the patch but didn’t (Siegel Bernard & Cowley). However, the root of Equifax’s cybersecurity problem actually lies in management’s failure to create a robust patch management policy and a culture of proactive and thorough cybersecurity. In a company managing thousands of employees, a reliable corporate policy should have back-up protocols to prevent the human error of one individual from causing the collapse of the system. In 2015, years before the breach, Equifax’s management was made aware of systemic flaws in its patch management policy which left thousands of critical vulnerabilities unpatched (PSI). The Equifax breach was therefore the consequence of a formally acknowledged pattern of behavior.
- Whether negligence was ‘knowingly’ committed
An individual who acts carelessly, knowing she is taking a risk and understanding the possible consequences is judged more seriously than someone who acts carelessly due to forgetfulness or ignorance. Equifax management and employees were notified of the Apache Struts vulnerability by US-CERT, and NIST assigned the vulnerability the highest severity score possible, a 10. Equifax’s GTVM team circulated the notification to over 400 company employees following the alert (PSI). Equifax management knew of the risk Apache Struts posed as well as the ongoing risks associated with lax cybersecurity practices.
- Whether a company has made a promise to take certain precautions as part of a professional code
A higher standard of caution is generally required from professions or businesses that promise to abide by a code to protect their clients from harm. A physician who is careless with his patients’ health, for instance by not checking their history of allergies before administering medications, is subject to moral censure as well as the loss of his license to practice. The fact that this physician has sworn an oath to protect patients’ health makes carelessness even more damning. Equifax promises consumers it will protect PII and provide accurate and fair credit reports (Equifax). Thus, Equifax breached consumers’ trust in two ways. Firstly, Equifax clearly broke its promise to protect consumer data by failing to follow cybersecurity policy. Secondly, Equifax’s negligence created the conditions for widespread identity theft which could undermine the validity of credit information and jeopardize its promise to provide accurate and fair credit reports.
Thus, the severity of Equifax’s negligence makes this breach of trust especially difficult to accept and demonstrates Equifax’s culpability in the loss of consumer information.
2. Transparency: Failure to Report the Data Breach in a Timely Manner
Consider the maxim or statement, “Companies will lie to consumers to make more money.” Using Kantian moral reasoning, we can universalize this statement by imagining a world in which people always deceive each other for personal benefit. If we apply this maxim in this imagined world it creates a contradiction: In a world where people couldn’t make promises, how would a company deceive consumers? If companies lied consistently, trust between consumers and companies would be completely degraded. This maxim becomes irrational when made into a universal law of nature and is therefore unethical (Johnson & Cureton).
Thus, companies like Equifax have a duty of transparency. Even if customers are not directly lied to, withholding information that impacts the company’s ability to deliver on promises and may cause customers serious harm is also dishonest and unethical. Applied to CRAs, this creates a duty of timely disclosure of data breaches.
Equifax waited six weeks after its discovery of the breach to alert customers that their PII had been compromised. In most data breach cases, companies might take time to investigate the cause, identify affected consumers, and prepare a plan of remediation, but Equifax executives never explained the reasoning for their timeline (Tsukayama). During this six-week period, it can be assumed management strategized on minimizing fallout and public scrutiny, choosing to prioritize the company’s reputation over the continued risk to millions of customers.
Equifax executives also sold $2 million in Equifax stock shortly after the breach was discovered. Individuals with influence in Equifax’s administration used their private knowledge of the breach for personal gain, while affected consumers had no opportunity to protect themselves from the potentially devastating effects of the loss of their personal information. Thus, executives valued the bottom line and their personal financial status over their duty to transparency.
3. Justice and Fairness: Lack of Compensatory Justice
Finally, companies have an ethical duty to follow principles of justice in compensating consumers for inflicted harm. Aristotle’s theory of corrective justice, concerned with the relationship between wrongdoer and victim, demands that “fault be cancelled by restoring the victim to the position she would have been in had the wrongful behavior not occurred” (Miller). The ultimate goal of corrective justice is to adequately reduce or reverse inflicted harm.
Equifax inflicted harm on consumers by failing to protect their PII and jeopardizing their financial security. Even if consumers didn’t experience identity theft immediately after the breach or within the extended claims period, in a digital age, loss of personal information is permanent. Consumers’ PII could still be exploited in future with little recourse.
The value of the FTC-mandated cash payout did not match the severity of these injuries. The value of protecting personal information is far greater than $7 or even $125. This is demonstrated by Equifax’s own credit monitoring rates, which cost around $20 a month (Equifax). If greater numbers of consumers had filed cash payout claims, the payout value would have been reduced to mere cents. Equifax’s settlement fund was not large enough to ethically compensate consumers for the harm done, and thus corrective justice was not achieved. It is nearly impossible to put a price on personal information, but clearly, Equifax valued the company’s financial welfare over consumer compensation. Equifax suffered significant reputational damage as a result of the breach but has since recovered materially with few long-term consequences to its business. In 2018 and 2019, Equifax reported revenues of $3.41 and $3.5 billion respectively (Equifax).
While the free credit monitoring services offered were clearly a better deal than the cash payout, once the 10-year service period is complete, consumers will once again have to purchase credit monitoring services to regularly view their credit. The extended claims period in which consumers may be compensated for identity theft and fraud associated with the breach only lasts for an additional four years. Even though consumers’ PII are permanently lost, settlement terms do not compensate consumers in a long-term manner.
Finally, distribution of consumer compensation was poorly managed. The goal of compensatory justice is to reduce harm done to as many individuals as possible, but the FTC’s unclear representation of settlement terms and Equifax’s confusing communications with consumers made it more difficult for them to claim deserved compensation.
Policy Recommendations
The Equifax data breach should spur US regulatory agencies and the legal system to take seriously the responsibility to protect consumers from negligence and other wrongdoing by companies. The ethical failures in this case suggest the US regulatory system is inadequate as it pertains to the credit reporting industry. To prevent future breaches of this kind and properly compensate consumers for loss of PII, Congress should pass legislation that will:
- Increase regulation of CRAs’ cybersecurity practices
CRAs’ privacy practices should be regulated by an external body in the same way as those of other financial institutions. As Senators Warren and Warner suggested, creating a division of the FTC specifically responsible for monitoring CRAs’ cybersecurity practices might prevent the kind of negligence seen in the Equifax breach by ensuring consumer data are adequately protected at all times.
- Improve breach notification laws
CRAs should be legally required to notify the public of data breaches within a few days of their discovery, to reduce the harm to consumers resulting from loss of PII.
- Increase consumer compensation for loss of PII
CRAs should provide consumers with increased monetary compensation based on the quantity of PII lost. As Senators Warren and Warner have argued, if consumers’ personal information is properly valued, CRAs will be incentivized to protect consumer data in order to avoid financial losses. Further, if a breach does occur, consumers will be justly compensated for the harm done.
Citations
Dollarhide, Maya. “What Is a Credit Reporting Agency?” Investopedia, Investopedia, 9 Mar. 2021, www.investopedia.com/terms/c/credit-reporting-agency.asp.
“The Top 3 Credit Bureaus.” Investopedia, Investopedia, 13 Jan. 2021, www.investopedia.com/personal-finance/top-three-credit-bureaus/.
“Form 10-K.” Equifax, Equifax, 25 Feb. 2021, otp.tools.investis.com/clients/us/equifax/SEC/sec-show.aspx?Type=html&FilingId=14746446&CIK=0000033185&Index=10000.
LaMagna, Maria. “After Breach, Equifax CEO Leaves with $18 Million Pension, and Possibly More.” MarketWatch, MarketWatch, 27 Sept. 2017, www.marketwatch.com/story/equifax-ceo-leaves-with-18-million-pension-and-maybe-more-2017-09-26.
Portman, Rob, and Tom Carper. “How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach.” Permanent Subcommittee on Investigations, United States Senate, 6 Mar. 2019.
“David C. Webb to Join Equifax as Chief Information Officer.” Equifax, Equifax, 11 Jan. 2010, investor.equifax.com/news-and-events/press-releases/2010/01-11-2010.
“Privacy Choices for Your Personal Financial Information.” Consumer Information, FTC, 13 Mar. 2018, www.consumer.ftc.gov/articles/0222-privacy-choices-your-personal-financial-information.
Khalfani-Cox, Lynnette. “Can You Avoid Equifax and the Credit Bureaus Altogether?” USA Today, Gannett Satellite Information Network, 29 Sept. 2017, www.usatoday.com/story/money/business/2017/09/27/can-you-avoid-equifax-and-credit-bureaus-altogether/706328001/.
“Understanding the Fair Credit Reporting Act.” Experian, Experian, 17 Apr. 2020, www.experian.com/blogs/ask-experian/credit-education/report-basics/fair-credit-reporting-act-fcra/.
Hayes, Adam. “Dodd-Frank Definition.” Investopedia, Investopedia, 4 Mar. 2021, www.investopedia.com/terms/d/dodd-frank-financial-regulatory-reform-bill.asp.
Riley, Michael, et al. Bloomberg.com, Bloomberg, www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros.
Posey, Brien. “What Is Patch Management and Why Is It Important?” SearchEnterpriseDesktop, TechTarget, 21 Jan. 2020, searchenterprisedesktop.techtarget.com/definition/patch-management.
Brewster, Thomas. “A Brief History Of Equifax Security Fails.” Forbes, Forbes Magazine, 11 Sept. 2017, www.forbes.com/sites/thomasbrewster/2017/09/08/equifax-data-breach-history/?sh=53b8d08b677c.
Fruhlinger, Josh. “Equifax Data Breach FAQ: What Happened, Who Was Affected, What Was the Impact?” CSO Online, CSO, 12 Feb. 2020, www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html.
“EPIC – Equifax Data Breach.” Electronic Privacy Information Center, EPIC, epic.org/privacy/data-breach/equifax/.
“Home Security & Governmental Affairs.” About The Permanent Subcommittee on Investigations | Homeland Security & Governmental Affairs Committee, U.S. Senate Committee on Homeland Security & Governmental Affairs, www.hsgac.senate.gov/subcommittees/investigations/about.
Kovacs, Eduard. “Massachusetts, Indiana Settle With Equifax Over 2017 Data Breach.” SecurityWeek, SecurityWeek, www.securityweek.com/massachusetts-indiana-settle-equifax-over-2017-data-breach.
Horowitz, Julia, and Danielle Wiener-Bronner. “Equifax’s Chief Information Officer and Chief Security Officer Are Out.” CNN Money, Cable News Network, money.cnn.com/2017/09/15/news/equifax-top-executives-retiring/index.html?iid=EL.
Musil, Steven. “Former Equifax Exec Gets 4 Months in Prison for Insider Trading after Breach.” CNET, CNET, 30 June 2019, www.cnet.com/news/former-equifax-exec-gets-4-months-in-prison-for-insider-trading-after-breach/.
“Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach.” Federal Trade Commission, Federal Trade Commission, 31 July 2019, www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related.
“Equifax Data Breach Settlement: Am I Affected?” Home | Equifax Data Breach Settlement, JND
Higgins, Tucker. “Elizabeth Warren Calls for Investigation into FTC for ‘Misleading’ Equifax Data Breach Victims over Compensation.” CNBC, CNBC, 14 Aug. 2019, www.cnbc.com/2019/08/14/elizabeth-warren-calls-for-inquiry-into-ftc-over-equifax-settlement.html.
Siegel Bernard, Tara. “Equifax Breach Affected 147 Million, but Most Sit Out Settlement.” The New York Times, The New York Times, 23 Jan. 2020, www.nytimes.com/2020/01/22/business/equifax-breach-settlement.html.
“FTC Encourages Consumers to Opt for Free Credit Monitoring, as Part of Equifax Settlement.” Federal Trade Commission, FTC, 31 July 2019, www.ftc.gov/news-events/press-releases/2019/07/ftc-encourages-consumers-opt-free-credit-monitoring-part-equifax.
Warzel, Charlie. “Equifax Doesn’t Want You to Get Your $125. Here’s What You Can Do.” The New York Times, The New York Times, 16 Sept. 2019, www.nytimes.com/2019/09/16/opinion/equifax-settlement.html.
Newman, Lily Hay. “All the Ways Equifax Epically Bungled Its Breach Response.” Wired, Conde Nast, 24 Sept. 2017, www.wired.com/story/equifax-breach-response/.
“Warren, Warner Unveil Legislation to Hold Credit Reporting Agencies Like Equifax Accountable for Data Breaches.” U.S. Senator Elizabeth Warren of Massachusetts, United States Senate, 10 Jan. 2018, www.warren.senate.gov/newsroom/press-releases/warren-warner-unveil-legislation-to-hold-credit-reporting-agencies-like-equifax-accountable-for-data-breaches.
“Starting Today, New Federal Law Allows Consumers to Place Free Credit Freezes And Yearlong Fraud Alerts.” Federal Trade Commission, FTC, 21 Sept. 2018, www.ftc.gov/news-events/press-releases/2018/09/starting-today-new-law-allows-consumers-place-free-credit-freezes.
Velasquez, Manuel G. Business Ethics: Concepts and Cases. Prentice-Hall, 2002.
Siegel Bernard, Tara, and Stacy Cowley. “Equifax Breach Caused by Lone Employee’s Error, Former C.E.O. Says.” The New York Times, The New York Times, 3 Oct. 2017, www.nytimes.com/2017/10/03/business/equifax-congress-data-breach.html.
“Equifax Code of Ethics and Business Conduct.” Equifax, July 2017.
Johnson, Robert, and Adam Cureton. “Kant’s Moral Philosophy.” Stanford Encyclopedia of Philosophy, Stanford University, 7 July 2016, plato.stanford.edu/entries/kant-moral/#ForUniLawNat.
Tsukayama, Hayley. “Analysis | Why It Can Take so Long for Companies to Reveal Their Data Breaches.” The Washington Post, WP Company, 8 Apr. 2019, www.washingtonpost.com/news/the-switch/wp/2017/09/08/why-it-can-take-so-long-for-companies-to-reveal-their-data-breaches/.
Miller, David. “Justice.” Stanford Encyclopedia of Philosophy, Stanford University, 26 June 2017, plato.stanford.edu/entries/justice/#CorrVersDistJust.
“Discover Which of Our Comprehensive 3-Bureau Credit Monitoring and Identity Theft Protection Plans Is Right for You.” Equifax, Equifax, www.equifax.com/personal/products/credit/monitoring-product-comparison/.
“Equifax Releases Fourth Quarter 2018 Results.” Equifax, Equifax, investor.equifax.com/news-and-events/press-releases/2019/02-20-2019-215733514.
“Equifax Releases Fourth Quarter 2019 Results.” Equifax, Equifax, investor.equifax.com/news-and-events/press-releases/2020/02-12-2020-221344372.
Image courtesy of RiverTree Advisors