Relatively recently, 143 million Americans had their personal data stolen by hackers through the Equifax website data breach. This included things such as their name, social security number, date of birth, and even addresses. I’m probably included in that list of affected individuals, as are you if you have utilized credit.
This breach happened at a credit agency that keeps tabs on everyone’s credit score. It can lead to not only having your identity stolen, but going through a long, drawn-out court process to try to stabilize your identity and finances.
Given how massive this data breach is, you would think that there would be a way for those of us directly harmed by this breach to have some form of compensation. But there isn’t. There is no legal remedy (for now) that can target this massive data misuse.
They get to use our data, forcibly keep our data, and then lose our data with zero consequences.
And the hackers have actually done a favor to society by pointing this out. We all rely heavily on our own personal information—but it is kept by data collectors everywhere we turn. And that is dangerous.
The current anti-privacy data laws focus too much on people already harmed by having their personal information stolen.
They do not focus enough on stopping the breaches to begin with. Or providing enough negative financial incentives for companies to truly safeguard personal information, such as a “utilize then purge” method. Or to not ask for it in the first place.
There may be a lot of lawsuits against Equifax right now, but how they’ll be able to pay back 153 million Americans who lost their most important information is unclear. More than likely, the only ones that will receive a paycheck will be those who are directly affected by the breach, while the rest of us will have our personal information in limbo for the next few decades.
I see three glaring problems with this:
- Companies clearly do not have any incentive to be accountable for our sensitive data
- The courts will not help anyone out of the hundreds of millions of Americans that have reasonable reasons to fear reprisals following this massive data breach
- The lack of more widespread discussion on this topic clearly indicates a lack of general knowledge in the population of how much the loss of this information will mean to them, if they are the ones targeted.
I’m not saying that these companies should institute 100% fail-proof security measures. We know that’s not possible.
But in the case of Equifax, the breach happened because they failed to patch a TWO-MONTH-OLD (well-known) security vulnerability that was already shown to be exploited.
This was an incredible failure by a company that is supposed to be one of the big three “respectable” credit agencies.
Not only Equifax, but all companies need increased financial penalties for these types of obvious failures. It would incentivize them to place more weight, and focus, on protecting the personal data of hundreds of millions of Americans.
We can accomplish that by allowing more and higher-cost class-action lawsuits against these companies that treat computer security like it’s just an extra few employees they have to pay, and that don’t see the importance of protecting sensitive information.
For all intents and purposes, Equifax should be sued out of existence for this glaringly malicious misstep. To be made an example for other companies to focus more heavily on data security.
As Daniel Solove puts it in his recent paper (when discussing the payment from Gawker to Hulk Hogan over the release of his private sexual video):
“Why does the embarrassment over a sex video amount to $115 million worth of harm but the anxiety over the loss of personal data (such as a Social Security number and financial information) amount to no harm?”
Companies should be liable for these instances, to encourage them to not keep the data.
Another obvious example of these malicious courts in relation to data breaches is the OPM hack.
Back in 2014, the Office of Personnel Management was also hacked and lost a lot of sensitive data.
The court required that the ones seeking compensation for their stolen data must demonstrate a “certain, impending, and substantial risk arising from the lost data”.
What a lovely bunch of jargon. In effect, that is impossible to demonstrate. So it boils down to waiting until after all of your information has been stolen and personally utilized, and then seeking a single-person remedy. No class-action allowed.
The fact that the OPM, or Equifax in our case, was so negligent, is insufficient grounds for legal reprisal.
But this is absurd. Do none of these courts know how the deep web or internet criminals work?
They aren’t going to steal 153 million Americans’ information and then use it within the next month.
This information will be kept confidential for a while, and then sold online to other criminals to utilize at different intervals. The single hacker (or team) that breached Equifax is not going to use all this data themselves. That would be impossible.
They would make a lot more money by selling that information to thousands of others. While also minimizing their individual risks of having it traced back to them.
Which is why that is exactly what they do. It’s been shown throughout the past two decades in almost every other data breach case.
So this data breach will be causing problems for decades. Not just immediately. And how will people be able to prove 10 years from now that Equifax was the one that caused them to lose their personal information to hackers? Unless they have the means of having their data loss directly traced, it would be practically impossible.
So any small-time fines and lawsuits now will serve as only a slap on the wrist to Equifax. Nothing compared to the actual damage that this data breach will cause looking toward the future.
What Do We Do About The Data Breach?
Considering how important data, and especially sensitive data, is to our lives, we need a much more focused discussion on how to protect it.
The biggest three things are 1) to create incredibly large negative incentives to force companies to follow best practices regarding data security.
We can also 2) stop allowing courts to sidestep any of these data losses by forcing individuals to only have a claim if they can show direct harm, because in many cases that harm will not come for years or decades after the actual data breach.
And finally, 3) we need to take a large step in education regarding how data is collected and used. More people should know the amount of information that companies, and especially advertisers and trackers, have on them. They should be able to purge it at will, and companies should be liable for any data they do hold that is stolen. Many times, the amount of information can piece together a person’s entire life, which in this new interconnected world is levels of dangerous that none of us had previously considered possible.
Public pressure, honest media assessments, and activism are the steps to acquiring number 3. The first and second will require lawmaker intervention, and they won’t act without the public’s attention. There is too much funding coming from these companies to make them change their tune until public reprisal reaches their upper echelons.
One thing is absolute: As long as none of these three things is fixed, we can expect to see more data breaches in the future. And as data becomes more and more important, these breaches will become more and more catastrophic.
The time for us to get active and start fighting these misuses of sensitive data was a decade ago. But we can still make up for lost time now.