Another day, another data breach, only this one was at Equifax, one of the three major credit reporting bureaus. Information on 143 million consumers -- including Social Security numbers, birth dates, addresses, and even driver's license numbers in some cases -- went hurtling out the door like a teenager granted access to the car keys. Another 209,000 consumers lost credit card numbers. All because of a "website application vulnerability," according to the company.
You'd think the insanity of data security would end one day. Major Internet companies get broken into. Rock stars find sensitive information leaked through poor website practices. Laws require notification, which rarely happens immediately, and then there's all the bad PR and the chance of consumers suing the companies that had the data.
But nothing seems to change, no matter what's on the line.
Regulations don't change things
Financial industry companies like Equifax even face significant additional protective regulation through a number of laws. But it's business as usual. The breach in this case? Equifax discovered it on July 29. It had taken place from May through July this year.
The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company's investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.
We're just hearing about it today, more than a month after the fact. And, from what I've seen, that's relatively speedy. But that's just knowing that there's a chance you may have joined an elite club with 142,999,999 of your fellow data victims. The company says that you can go to its website (oh joy, another website application) that can "help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection."
I tried it. You get prompted to "enroll" in this program, provide your last name and 6 digits of your Social Security number, and then ... you don't learn whether you're one of the group. Instead, you're given a date when protection will begin. But you still have to return and finish going through the app. No, you do not get a reminder.
Maybe Equifax figures that, with almost half of the country potentially on this list, it's easier just to sign everyone up. I'll be waiting for the pitch to pay money for this service after the year it's supposed to run.
Equifax Chairman and CEO Richard Smith wants you to know that this isn't how they really are:
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," said Chairman and Chief Executive Officer, Richard F. Smith. "We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident."
If they're a leader, boy are we all in trouble.
Spend money? Are you nuts?
And we are. I once looked into why companies don't fix their cybersecurity problems. There's an easy answer. If you look at the history of incidents and at analyses of what it costs to stay current on security and keep pace with what criminals do, it's too expensive.
Back in 2014, the Ponemon Institute, which studies cyber breaches, surveyed 314 companies. The absolute smallest of them had revenues of $100 million a year. The biggest were multi-billion dollar firms. The average data breach cost in that year was $3.5 million. Folks, this is chump change. Even for the small companies, that's 3.5 percent of revenue -- not insignificant, but nothing to really break the bank. For the big ones, it becomes less than a rounding error. If it even happened.
Only 22 percent of companies surveyed had a breach of at least 10,000 records over a two-year period. Run a standard risk analysis over the whole group -- multiply the 22 percent likelihood by the $3.5 million average cost and spread it across the two years -- and the expected breach cost comes to $385,000 a year. It's far easier to budget in that cost annually and then build it into the price of goods and services.
Yes, we consumers pay the price. And, here's the kicker. According to what Ponemon told me, even in extreme cases, brand reputation among consumers is back to normal within about six months. It's not even like you could boycott a company like Equifax. They do business with other companies. You have no leverage.
If you're one of the unfortunate masses, you might consider contacting the big three credit reporting agencies -- Equifax, Experian, and TransUnion -- and having a credit freeze put into effect. That locks your credit files and makes it next to impossible for someone to use your information to open a new credit account. Of course, it can be inconvenient to you: you'll need to temporarily lift the freeze any time you apply for a credit card, loan, or mortgage. But at least it helps keep you out of further trouble generated through the mistakes of strangers.