People across the United States are worried, justifiably, about the impact of the Equifax data breach, which reportedly will impact more than 147 million people. In February, Equifax disclosed that the breach was even more damaging than originally reported, giving hackers all the tools they need to accomplish identify theft.
The Equifax debacle — which includes allegations of insider trading and substandard security — comes on the heels of a year of data breaches estimated to affect more than half of American businesses.
Data breaches come in a variety of flavors. Commonly, hackers penetrate a network, hang out for a while to scope out vulnerabilities, then collect and export either technical or personal information. That data eventually finds its way to the dark web, where it can be monetized by criminals engaging in identify theft or other nefarious deeds.
Incidents of ransomware, targeted mainly at hospitals, saw a marked increase in the past year, indicating that those institutions are simply not prepared for such attacks. Although more and more government agencies and businesses invest in cybersecurity, the balance still seems to be tipping in favor of the bad guys.
It's worth asking how we got here in the first place. How do data brokers acquire our personal and financial information if we never entered into a direct relationship with them? Why aren't these financial services and credit rating organizations under greater standards of care when it comes to securing our personal data?
Who's to Blame for Data Breaches?
In our era of Big Data, most American companies operate under very few legally mandated data controls. Your bank probably shared financial information with the three national credit rating agencies when you obtained a credit card, and buried the disclosure somewhere in the initial contract. Citizens frequently don't have the chance to give an affirmative consent to such sharing; it just happens through what is now the normal course of business.
Even fewer controls exist to limit how corporations share personal data with their partner companies or affiliates. Personal data is extremely valuable to companies, and they have incentives to monetize it wherever they can. While some companies offer privacy controls that allow users to adjust settings for data sharing and advertising, many don't.
In the event of a breach, consumers have very few options. Even contacting a company that has your credit rating data can be extremely frustrating. They may simply advise callers to purchase a credit-monitoring product from them. (That was the case with Equifax, until they responded to widespread criticism.)
So what can we do about this at the state and local government level?
States and Localities Can Do More to Safeguard Data
At the state level, we must examine our own agency practices and ensure that citizen data is well-managed and protected. The state of Washington has focused on how agencies coordinate data sharing, processing and storage. To limit our data footprint, we have also attempted to implement the concept of data minimization across the state enterprise, which means that entities should only collect the minimum amount of data required to render services to state residents.
CISOs and CIOs can address the problem on a working level by taking similar steps within their organizations.
First, ensure that agency employees receive privacy training. Investing in knowledge of privacy law and best practices can go a long way to protecting data and reducing risks of breach. Include security as part of the basic training, with attention paid to phishing, enforcing secure passwords, limiting administrative access to databases and having a plan ready in the case of a data breach.
Enter into data-sharing agreements. Agency data-sharing agreements should address not only the direct exchange of data, but the responsibilities for what happens when a project is complete: When will data be deleted or returned? How are third-party contractors monitored when their original task comes to an end?
Reach out to experts. If possible, form a privacy working group within the organization, comprised of individuals with an interest and/or expertise in such issues. The exchange of information can go a long way to building best practices.