Equifax breach should herald a radical change

Owen C. Jones
Sep 12, 2017 · 3 min read
Not in reference to United States Postal Service on this occasion. Image Credit: https://www.flickr.com/photos/staycurly/

Earlier, I read a quote from the inventor of a ChatBot that allows people to easily sue others in the US, who said that he hoped it would bankrupt Equifax.

It won’t, but I genuinely hope that lots of people do sue Equifax for their negligence. I hope this for a couple of reasons.

Firstly, I believe that something like the Equifax breach is ridiculously negligent. Not only did they have a breach, but they managed to not notice for a lengthy amount of time — a decent Security Operations Centre should have spotted something as unusual as the leeching of 143 million sets of personal data. It’s my opinion that that level of negligence should be met with an equivalent level of compensation. This is no small matter. If 1% of victims are affected, and get only $1000 compensation each, that would be 1.43bn dollars compensation, and that’s a fairly low amount, based on conservative estimates.

Secondly, Equifax desperately need to buck their ideas up. This breach was horribly extensive, massively disruptive to the lives of millions of people, and should have been spotted much sooner.

The concept of a credit reference agency — and Equifax grew far beyond this long ago — is an idea that society only accepts because we don’t all consider what it means. In nations like the US (by no means unique in this), data aggregators like this have agreements with basically everyone who sells you basically anything, to share data about what you do, and they attach this info to personal details that can cause devastating disruption to your life if used to commit particular crimes against you.

More to the point, the data provided by agencies like Equifax for things like credit checking isn’t even that useful. Equifax in particular have demonstrated quite how bad they are at managing the mountain of data they sit on in the last few days, when they used the breach as an excuse to sell their TrustID protection service (it’s free for a year because of the breach, but will auto-renew, and will charge you for it), and when the site they used to tell you if you had been affected demonstrably produced unreliable, apparently random, results that some would speculate are another effort to encourage sign up to TrustID.

When a data aggregator leaks 143 million sets of personal data, they should face lawsuits (check), massive fines (hopefully check) and should cease to exist. This is a demonstration of incompetence that would cause any person to lose a job and probably face personal liability, and the outcome should be similar for a company. US courts famously ruled that companies have the attributes of people in a case in which a company wanted to deny birth control in healthcare packages on religious grounds; it’s time for that equivalence to bite back. If I leaked 143 million personal records, I’d be in prison. I’d lose my job, my employability, and a significant chunk of my future. Frankly, Equifax as a company should face a somewhat similar fate.

Unfortunately, it’s basically impossible to affect a corporate giant in this way without affecting lots of innocent bystanders. It would, however, be appropriate for Equifax to lose a lot of its saturation of the market. Consumers should be able to force Equifax to remove all their information, and to never store information for them again, without any adverse effect on themselves. In reality, removing your personal data from Equifax destroys your credit worthiness.

As a global society, we need a better approach to identity verification, demographic data, and especially credit checking. These monolithic single points of failure are problematic, and apparently, in at least one case, chronically incompetent.

Written by Owen C. Jones

I’m a software developer living in Cardiff, UK. I write about user experience, coding, morality, politics, and other things that are interesting.

