Equifax’s Bad News: 3 Takeaways
By Saad Gul and Michael E. Slipsky
As breaches go, they don’t get much bigger. Late Thursday, credit reporting giant Equifax reported that it had suffered a cyber-incident. 143 million consumer records, including names, birth dates, Social Security numbers, addresses, and driving license numbers have been compromised. For reference, the entire United States population is 324 million.
The breach was reportedly detected on July 29th, though it was made public on September 7 after the underlying issue was remedies. Breaches are not uncommon – rival Experian suffered a much smaller one last year – but the magnitude of this one, combined with the loss of Social Security numbers sets the it apart. Though not the largest known breach - Yahoo! reportedly exposed 500 million accounts, this puts Equifax in an awkward position. After all, Equifax is in the data business.
Attorneys and experts will be opining on this episode for a while. But even at this early stage, three points stand out.
One, with security breaches virtually inevitable, with the commensurate potential for increasingly significant repercussions, Big Data may be evolving out of the purely private or corporate domain into a quasi-public enterprise. Think utilities.
Second, with Social Security numbers compromised daily, their use as a universal identifier is increasingly ill advised.
Third, with data, more is not always better. With great data comes great exposure. Even before GDPR requirements and compliance issues prompted reevaluation of data collection practices.
With data, sometimes less is more. Collect what you need. Use it as necessary. And retain it only till required. We have the technology. But maybe we shouldn’t rebuild it.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or email@example.com. Mike may be reached at 919.783.2851 or firstname.lastname@example.org.