Wide-Ranging Effects of Data Breaches

This is the text of my prepared remarks at the 19th Annual Privacy and Security Conference in Victoria, BC. I participated in a panel titled “Data Breaches—Another Day, Another Breach” which took place on February 8, 2018.

I would like to talk about some of the wide-ranging effects of data breaches and use last year’s Equifax breach as an example.

In the interest of full disclosure, I left Equifax in 2014, so what I know about last year’s breach comes from public sources.

Data breaches can have ripple effects far and wide. An organization that suffers a breach is likely to view itself as having been victimized—often with good reason if it suffered a sophisticated attack. However, if a breached organization is to maintain its reputation and its customer base, it needs to address and mitigate the effects of the breach beyond its own systems.

Discussions of data breaches usually focus on consumers. In many jurisdictions consumers receive breach notifications. When they do, they start contacting the organization and posting on social media, expressing concern, anger and frustration. After all, consumers can’t really protect themselves from breaches. No matter what they do, they remain dependent on the security practices of organizations that house their data.

A breached organization needs to be ready to respond to consumers appropriately and at scale. This means staffed contact centers with trained staff and appropriate online and social media presence. After the announcement of the Equifax breach, much consumer anger and frustration resulted from the inability to reach the company; staff who did not seem to be properly informed; a new website that asked for personal information and was easily spoofed; and an offer of credit monitoring with an arbitration clause. All these things got fixed in time, but while they were happening, the company kept getting bad press. It’s difficult to scale breach response as Equifax had to do, but most consumers don’t understand this and don’t really care. As far as they are concerned, the breach shouldn’t have happened in the first place.

To make things worse, whatever mitigation a breached organization offers consumers, such as a year of credit and identity monitoring, is unlikely to take care of long-term consequences of a breach for consumers. During the Congressional hearings on the Equifax breach the newly retired Equifax CEO was repeatedly asked about how Equifax would help consumers after the year of credit monitoring runs out, and his responses were not well received.

Depending on the type of business that experiences a breach, consumers may not be an organization’s primary customers. In the case of Equifax, the company’s primary customers are lenders. If an organization’s business customers incur losses or liability as a result of the breach, they are likely to have greater leverage to press for compensation than consumers do, either individually or as a class. For example, when a large credit card processor in the US experienced a data breach, its customer banks sued to recover the costs of re-issuing affected credit cards and the costs of fraud committed with compromised cards.

A breached organization’s competitors are affected by a breach in a variety of ways. They might gain business. However, they might also come under closer scrutiny and, possibly, increased cyber attacks. In one of my positions, one of our competitors was breached. We immediately activated our own incident response plan so we could determine whether we had similar vulnerabilities, respond to events as they unfolded, and field questions from consumers, customers, regulators, and the press.

Finally, organizations in different parts of the economy may be relying on the data that was breached. The breached Equifax “credit header” data is at the heart of identity verification systems used by government agencies and by businesses in healthcare, financial services and other parts of the economy. Now that the data can be used by bad actors for impersonation and fraud, all these organizations need to readjust their risk assessments and responses.

Large breaches like the one at Equifax are accelerating the search for risk mitigation techniques that rely less on static data and more on monitoring people’s behavioral and transactional patterns, the evolution of an identity and searching for possible anomalies, and on biometrics. Many of these techniques require increased collection, retention and analysis of personal information. In my view, this is the most serious consequence of repeated, large-scale data breaches. We need to have a societal conversation about the trade-off between commercial surveillance that might make us safer from fraud and the loss of privacy that comes from ever-increasing data collection and analysis.

I look forward to our discussion.