Last week, it was revealed that Equifax, one of the three major credit bureaus in the United States, suffered a data breach that might be the “worst leak of personal information ever.”
Through the breach, criminals obtained the full names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers of 143 million Americans, creating a fraud and identity theft nightmare of epic proportions that will persist for years to come.
While companies have been aware of the data breach threat for years now, the unfolding Equifax incident is a stark reminder of just how high the stakes are today.
Here are five lessons every company should heed from the Equifax breach.
1. Data is more valuable than ever, and there’s more of it than ever
While most companies don’t store data as sensitive as a credit bureau like Equifax, companies of all sizes are increasingly collecting more and more data. And for good reason: for the past several years, companies have been told that data is critical to their success in the 21st century.
Take the digital advertising market, for example. To win, companies have been upping their efforts to gather and use first-party data.
This isn’t inherently a bad thing, of course. But as companies store more data, and more detailed data, about their customers and, in many cases, about people who aren’t even their customers, the risks associated with data breaches increase substantially, and that stored data can become toxic. Even if companies don’t store the most sensitive information about their customers, such as Social Security numbers, criminals are becoming more savvy about how digital data can be exploited as it proliferates. That means companies shouldn’t underestimate how the data they store could be used, especially when it is combined with data from other sources.
2. Disclosure of data breaches needs to be made quickly
Equifax reportedly learned that its systems had been breached in late July, so one of the biggest criticisms of the company is that it took over a month to inform the public. While it’s understandable that a company might need time to investigate a breach and determine its extent, companies also need to understand that the public is not going to respond kindly when breaches are not promptly disclosed, especially when the stolen information could be used against them.
As a result, unless law enforcement demands otherwise, companies should err on the side of disclosing that they’ve been breached sooner rather than later.
3. The response cannot be botched
Following a data breach, companies have one chance to make things right to the greatest extent possible. Despite the fact that Equifax knew about a data breach for weeks, its public response to the breach has been roundly criticized.
The website the company set up to provide information was plagued with problems, some of them downright embarrassing. The data breach checker that purports to let individuals know whether their data was part of the breach doesn’t appear to work, and an arbitration clause in the legal agreement for the free monitoring service Equifax is offering to affected consumers was the source of a firestorm that Equifax had to respond to.
Put simply, Equifax’s response has been a textbook case study in how not to respond to a massive data breach. Because of this, everything the company does from here forward is going to be met with an even more critical eye from the public and the media.
4. The actions of company leadership are going to be scrutinized
Thanks in large part to social media, there’s more scrutiny than ever over companies when something goes wrong. In the case of Equifax, it was quickly revealed that three members of Equifax’s senior management team sold nearly $1.8m worth of shares in the company in the days following the company’s discovery of the data breach.
According to an Equifax spokesperson, the trio “had no knowledge that an intrusion had occurred at the time,” something that some members of the public and media have had a hard time believing, especially given that one of the executives who sold stock was the company’s chief financial officer.
But even if one accepts the company’s claim, it’s a reminder that the public scrutiny companies face in the wake of a data breach extends to the actions of their management. Part of the response strategy should therefore ensure that the actions of company management following a data breach don’t make a bad situation worse.
5. Data breaches are an existential threat
One of the big questions following the Equifax hack is whether or not Equifax will survive. It might seem preposterous to question whether one of the three major credit bureaus in the US, a company with a market capitalization of over $17bn even after its stock has fallen by over 20% in recent days, could go out of business following a data breach. But all bets are off, because there has arguably never been such a damaging data breach in the world’s history.
A lawsuit seeking up to $70bn in damages has already been filed, and government agencies are circling. Given the nature of this breach and the number of Americans affected, it’s hard to see Equifax emerging from this with nothing more than a financial and regulatory slap on the wrist. And even if Equifax has money left in the bank when all is said and done, it seems likely the company’s name will be tarnished for years and possibly even decades to come.
Obviously, most businesses don’t store the same type and volume of data about consumers as Equifax, but it’s not inconceivable that as companies rely more and more heavily on more and more detailed data, the cost of data breaches could increase to the point where businesses, especially small and mid-sized companies, routinely don’t survive them.