Equifax took six weeks to get around to bothering to tell us about it so we individual consumers could begin to take our own corrective and defensive action. That’s unconscionable. Equifax isn’t alone in delaying telling us about hacks into personal information those companies are holding for us, and it’s giving impetus to legislation that would force companies to disclose such hacks much sooner. One such proposed bill is Congressman Jim Langevin’s (D, RI) reintroduction of the Obama era’s Personal Data Notification and Protection Act.
I don’t like regulations, but one here is necessary. The hacks aren’t exposing company property; they’re exposing individual personal property entrusted to the company. Companies have an obligation to safeguard that personal property, and that obligation is strongly expanded by a company’s demand for that personal property as a condition of doing business with it.
Companies don’t want to be embarrassed…[by] having to disclose when people’s data is leaked….
People don’t want to be harmed by those leaks or by delays in finding out their data have been leaked. I’m trying to weigh the one against the other in my balance. Oh, wait….
Under this proposed legislation, Equifax would have had to disclose its breach within 30 days….
No, there’s no need for any delay, indeed, delay simply compounds the damage that can be done to us individuals. As Christopher Mims put it at the end of his piece at the link,
When Equifax was breached, hackers got birthdates, Social Security numbers, and other hard facts about most of us. This data has the power to ruin our financial lives….
Any delay, let alone 30 days, is far too long to be held defenseless against that. The legislation’s proposed 30 days are forever in today’s information and financial world, an entire month within which hackers could work their nefarious ends without our being able to defend against those ends. Equifax, et al., should be required to disclose on the day the hack is discovered and then to keep us current on developments with frequent updates that, at the least, explain what’s being done about the hack to reduce the likelihood of a subsequent hack, what’s being done to mitigate the damage to us of the present hack, why the hack wasn’t discovered sooner, and what’s being done to speed discovery the next time.
We need to be able to act in our defense, too.
And contra the attitudes of those who defend delay, we Americans are not too stupid to understand what we’re being told—so long as it’s prompt and truthful—and we can make good use of the information which, aside from our being better able to defend ourselves, would let us see quickly which companies develop a history of exposing our personal information and so are unworthy of our business.