A week after it was announced, the whole world is still buzzing about the breach of Equifax that compromised sensitive data of 143 million Americans between May and July of this year and the damning fact that Equifax insiders had a chance to dump their stock and avoid inevitable losses before last week's disclosure. Equifax has responded slowly, inadequately, and often ham-handedly.
Equifax seemingly intended to follow a basic crisis communication playbook and go one better than the companies and other organizations that have lost large sets of personally identifiable information (PII) in the past, by offering "free" identity monitoring services to all consumers (not just those affected) for a period of time. Unfortunately, many have figured out that those services are backward-looking and don't do anything to prevent identity theft. (Try a security freeze instead.)
While there is a tendency to think that data breaches happen all the time and that it is not that big a deal, this data breach is not business as usual, and users should not be complacent about it. There's a ton to unpack here, but let's start with the immediately actionable. I will follow up with posts on the policy implications of the breach, color commentary, and lessons we have hopefully learned from this episode, but for right now:
What should you do?
Unfortunately, Equifax's most direct, consumer-facing response, offering identity monitoring, fails to offer protection commensurate with the threat. Identity monitoring is a backward-looking service that doesn't prevent identity theft. In this case, the offer is also a form of self-dealing: TrustedID, the identity monitoring service Equifax has offered consumers, belongs to Equifax. Even though Equifax offers you that service for free, you will have to give Equifax, a company that monetizes information about you, more information about you in order to participate. Even if you never pay them any money, Equifax's currency is data, and you will pay them in the coin of their realm.
The right way to protect yourself from identity theft before it happens is to freeze your credit file with all four credit bureaus (links: Equifax, Experian, TransUnion, and Innovis). (This will be hard with Equifax, which still finds its website oversubscribed. For those who don't know, Innovis is a lesser-known bureau, but it keeps a similar set of information about you, so definitely freeze at all four companies.) Equifax is now waiving the fee for freezing your credit with them. Why is that not what Equifax offered immediately? And why doesn't Equifax offer to pay the fee at the other credit bureaus, since a freeze at Equifax alone won't offer anything resembling comprehensive protection to consumers? Because they make money from having the easy and unrestricted capability to sell and market with your information. Freezing your credit and opting out of the credit bureaus' ability to share your information with marketers (the ones who send you all those free credit card offers) impacts the credit bureaus' bottom lines and business models. They will be dragged kicking and screaming into making this easy and obvious to Americans. So, you can understand why they do not want you to get a freeze or opt out, but you now know why it is entirely in your interest to do it.
That's a good start for what you might want to do. I doubt that I've offered more or better advice than many other commentators, but this advice needs the broadest possible distribution, so here it is. Feel free to share widely. I'll be back in the coming days with additional thoughts about Equifax, breaches, privacy, and cybersecurity.