The Equifax hacks are a case study in why we need better data breach laws

It took six weeks after credit reporting agency Equifax found out it had been hacked for the company to notify the 143 million customers whose private data was at risk. Following what might be the worst data breach of the past decade, such a long delay is shocking — but given the lack of regulation it’s not all that surprising.

Companies have often taken liberties with time when notifying customers of a hack. But doing so brazenly puts their customers at risk while these companies avoid consequences. Such situations illustrate exactly how certain companies can easily prioritize their bottom line over customers’ financial security and privacy, especially when industry-wide standards for safety are largely unmet or simply nonexistent as more personal data becomes digitally accessible.

What sets Equifax’s latest breach apart has less to do with numbers — Yahoo’s data breach last year affected 500 million accounts — than the value of the data stolen. Still-unknown hackers gained access to a trove of names, birth dates, Social Security numbers, and addresses of Equifax users. With so much personal information, criminals can easily apply for fraudulent loans, open bank accounts or credit cards, make scams feel more convincing, and more.

It hasn’t helped that Equifax has handled the situation incredibly poorly. High-level executives sold off almost $2 million of the company’s stock after the company learned of the breach in late July, weeks before it went public about the hacks; the company’s stock has since fallen 18 percent as of this week.

To crown it all, Equifax sought to make good with customers by offering free credit monitoring and identity theft protection. But any customers who took advantage of the deal might waive their right to join a class action lawsuit against the company. After public outrage, the company made clear that the clause did not apply to the latest hack. Some 30 lawsuits against the company have already been filed.

A breach of this proportion serves as a warning for what may lie ahead. Hacks will only grow more sophisticated and prevalent. As our world continues to migrate to digital spaces, our data becomes more valuable — and more at risk — than ever.

But companies are not incentivized to prioritize our privacy. They need to be pressured. “The only good way for these things to be stopped is for the giant organizations holding this information to be better regulated,” said Jessy Irwin, a cybersecurity consultant.

Companies have legitimate reasons to delay informing consumers about a hack. But the decision can also be driven by self-interest.

Right now, there is little national oversight on how companies handle data privacy. When it comes to notifying consumers that their data has been stolen, laws vary state to state and differ in how much time and how much information companies are required to divulge. Equifax is based in Georgia, a state where there is no timeline specified for when a company must notify customers about a breach.

There are legitimate reasons why a company would choose to wait before going public. Sometimes it is cooperating with law enforcement, which doesn’t want to jeopardize its investigation into the source of the hack. Companies also might not be aware of the extent of the damage, requiring time to investigate before letting users know. Some cybersecurity experts believe it’s best to assess the full scope of the hack before letting consumers know and causing panic.

That doesn’t mean that these companies aren’t also driven by self-interest. Data breaches look bad for a company’s reputation. “On the one hand, companies certainly would have a PR incentive to not report breaches to the affected individuals,” said Beth Givens, executive director of California advocacy group Privacy Rights Clearinghouse. In the case of Equifax, the company’s slowness, combined with the executives who sold off their stock prior to the public announcement, makes the company look like it was minimizing responsibility for a serious consumer problem. The Wall Street Journal also reported Monday that Equifax spent $1.1 million last year lobbying against regulatory laws, including data security and breach notification.

Last year, Yahoo faced criticism for waiting to go public about the data breach for potentially more than a year after it first discovered signs of an attack. In 2014, Target and Neiman Marcus were hit with similar criticism for not going public about credit card data breaches until a third-party cybersecurity blog needled the retailers into coming forward.

“I think it’s really necessary for someone to step up, especially a federal regulator,” Irwin said. “Having to just trust an organization when they have demonstrated that they’re completely untrustworthy, especially in figuring out if you’ve been affected or not, that’s not a viable solution.”

Equifax has yet to disclose why it waited so long to inform customers about the breach. A spokesperson told the Washington Post that the company’s executives had no knowledge of the breach when they sold their stocks. In a company press release last week, Chair and Chief Executive Officer Richard F. Smith said, “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”

But security risks are not isolated to Equifax. The other two main credit reporting agencies, TransUnion and Experian, could also be the targets of future breaches. The companies have been criticized before for lacking the oversight, including regular security audits, that other financial institutions are required to have.

Customers need to know if their data has been hacked to protect themselves

An enormous number of people have been left exposed from this breach. In addition to the 44 percent of the US population affected by this hack, an unknown number of customers in the United Kingdom and Canada were implicated.

Some individuals have had their data handled by Equifax whether or not they ever chose to sign up for it. Any credit report that gets pulled, such as for background checks for loans or to get approved to rent an apartment, could come from one of the big three credit agencies, including Equifax.

The Federal Trade Commission, charged with regulating credit bureaus like Equifax, has declined to state whether it will launch an investigation after the hack. “We’re trying to get a handle on the scope of all of this. We’re certainly taking this very seriously,” FTC Chair Maureen Ohlhausen told reporters at an antitrust conference, Reuters reported.

Anyone concerned that they were affected by the hack should check their credit accounts immediately for any suspicious activity, set up a fraud alert, and watch their credit card and bank accounts. You could also freeze your credit account to prevent anyone from fraudulently applying for your credit. It’s also a good idea to set up two-factor authentication on important financial accounts to deflect hackers with stolen information. (There are several good guides on what to do if you’ve been hit by this attack, including these suggestions from CNN and CNET.)

One of the most important factors is timing. Customers need to make changes and set up alerts as quickly as possible to prevent harm. There is likely a time lapse between when a company is first hacked and when it finds out. In that time, it’s possible that the stolen data has already been sold to the highest bidder on the black market. That’s why it’s so crucial for people to be notified as soon as possible if their data has been hacked.

Demanding that companies come forward about breaches — and suffer the hit to their reputation — could also incentivize companies to take security more seriously. Greater transparency also provides more information to cybersecurity researchers who can use this information to prevent more hacks in the future.

Logistics aside, there’s the principle behind this: People have a right to know if their personal data is secure. Our digital identities are extensions of ourselves, and we have a right to know if we are physically and financially secure.

National data breach notification laws, explained

Rep. Lou Correa, a Democratic representative from California, announced on Tuesday he would introduce legislation to regulate data breach notification. House committees including the Judiciary Committee and Financial Services Committee also expressed interest in holding hearings about the issue. But this isn’t the first time there’s been interest in passing such a law. In 2015, Congress failed to pass a bill introduced by Obama mandating that companies notify customers within 30 days of the first indication of a data breach.

Meanwhile, regulations continue to be left up to the states. Currently, 48 states require some sort of

But privacy activists aren’t necessarily in favor of a national law. Some, like Givens at Privacy Rights Clearinghouse, fear that federal regulation would be considerably weaker than what some states, including her home state of California, require. “Congress is not known for strong consumer protection laws,” she said, adding that the technical world changes fairly quickly and that she has little confidence that federal law would be able to keep up to date.

There’s also the push for data security safeguards that take aim at deeper problems. Companies regularly collect data simply because they might want to use it sometime in the future; there need to be laws that force them to collect only the bare minimum of data necessary. There should also be limits on how long a company can store data, requirements to encrypt anything it collects, and regular security audits. Data breach legislation, Givens argues, should also include regulations like these.

Givens warns that putting the onus on consumers to protect their identity can only go so far. “It’s not fair to blame the victim,” she said. “In order to open up a bank account, rent an apartment, or apply for a job, you have to reveal a lot of personal information. It’s up to those entities that collect that information to protect it.”

Big hacks like the Equifax fiasco put into context just how much control companies have over our personal information. And as the digital world increasingly dictates where we work, play, and live our lives, we need to have control — or at the very least, basic knowledge — over how our digital identities exist in this space.

Companies aren’t incentivized to put their customers first. Whether it’s minimizing how much of our information they collect, fortifying security, or simply telling us they’ve been breached, we can’t depend on these companies to act in good faith. It’s up to government regulators to keep them in check.