Though numbingly similar to many past incidents, the Equifax breach is also unusual in at least one important way. Most data breaches involve companies or organizations that consumers have knowingly done business with. Think about the intrusions at Target, Home Depot, and other retailers. Customers walk into these stores or go to their websites, shop around, and make conscious decisions to hand over payment cards and other personal data as part of the transaction. They understand how those transactions work and realize that they have to trust the retailers with their data in order to complete their purchases.
That’s not the case with companies such as Equifax. Although anyone who has ever requested a credit report or applied for a loan is aware of the existence of credit reporting bureaus, many people likely don’t realize the depth and breadth of the information these companies collect and store. It’s an enormous amount of data, and for an attacker a company such as Equifax is an irresistible target. Whoever compromised Equifax made off with data belonging to 143 million people, roughly the population of Russia. The attackers got names, birthdates, addresses, Social Security Numbers, and other data that is highly valuable to criminals. With that kind of information, a criminal could have a field day, applying for credit cards, taking out loans, and generally wreaking havoc on a victim’s life.
A couple of things inevitably follow an incident like this. The first is outrage from the victims. They’ve entrusted their information to an organization, and now that data is in the hands of criminals. The second is the call for tougher laws, penalties, or sanctions for companies that are hit by data breaches. In the weeks since Equifax disclosed its breach, lawmakers have called for investigations, lawyers have filed class-action lawsuits, and victims have been asking why there isn’t a national law addressing this problem. There have already been real consequences for Equifax. The company’s CEO, Richard Smith, resigned this week.
“The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right. At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward,” Smith said in a statement.
Meanwhile, legal experts are hopeful that the courts will begin considering the real and emotional harm that data breaches cause consumers when looking at the lawsuits resulting from these incidents.
“Courts need to start applying what they already know in awarding emotional distress damages, reputational damages, and prospective business advantage damages to data breach cases, along with the recognition of current harm due to future risks, as in medical malpractice and pollution cases,” Cindy Cohn and Amul Kalia of the Electronic Frontier Foundation said in an analysis of the breach’s legal fallout.
“If the fear caused by an assault can be actionable, so should the fear caused by the loss of enough personal data for a criminal to take out a mortgage in your name. These lessons can and should be brought to bear to help data breach victims get into the courthouse door and all the way to the end of the case.”
While lawsuits are common after data breaches, they don’t often result in major awards for the victims. Similarly, the long-term financial consequences for the companies hit by breaches usually aren’t too severe. They pay a fine, maybe pay some awards to the victims, and move on. Stock prices usually don’t take a long-term hit and consumers have proven that they will still do business with companies that have been involved in data breaches. Some lawmakers, security experts, and privacy advocates have been calling for a national data-breach law for more than a decade, one that would provide real penalties for organizations that leak customer data. Cohn and Kalia said the current climate may be right for producing such a measure.
“If the political will is there, legislatures, both federal and state, can step up and create incentives for greater security and a much steeper downside for companies that fail to take the necessary steps to protect our data,” they said.