The Equifax Breach – Possible Ways Forward
In 2017, Equifax suffered one of the largest data breaches in history. Attackers accessed Social Security Numbers, addresses, birthdates, credit card numbers, and other sensitive personal information relating to 143 million Americans and roughly 19,000 Canadians. Shortly after the massive breach, former Equifax CEO Richard F. Smith appeared before the U.S. House Subcommittee on Digital Commerce and Consumer Protection to explain the company’s widely-criticized response to the incident. In written testimony, Smith explained that the breach was caused by “both human error and technology failures,” and noted that consumers deserved more control over access to their credit reports (a likely nod to the company’s Lock & Alert credit protection service, introduced shortly after the hack). While Smith did not advocate for stricter regulation in the credit reporting sector, he nonetheless suggested creating a public-private partnership to look at replacing Social Security Numbers as the “touchstone for identity verification” in the United States. His recommendations can be contrasted with those given by consumer advocates who argue that direct regulation is the best, and perhaps only, appropriate response to incidents like the Equifax hack. For example, in a blog post published shortly after the breach, Bruce Schneier argued that governments must take action to “raise the cost of insecurity high enough that security becomes a cheaper alternative.” Below, we outline three possible ways forward in the wake of the Equifax breach, focusing particularly on Canadian law and policy. Preventing and mitigating future data breaches will involve multi-stakeholder approaches, including (1) improving consumer access to, and control over, personal information; (2) strengthening national privacy and cybersecurity laws and enforcement regimes; and (3) adopting more secure systems for safeguarding sensitive information, both online and offline.
###1. Give Canadians the right to “freeze” credit reports at no cost While Canadians can, under provincial credit reporting laws, place an alert on their credit report, there is currently no Canadian equivalent to the American notion of a “credit freeze.” A credit freeze allows individuals to prevent others from viewing or “pulling” their credit report without prior authorisation. Individuals must “unfreeze” their account, often by providing a PIN number, before information can be released to third parties. By contrast, placing an alert on a credit report requires that the party requesting an individual’s credit report must take reasonable steps to verify that individual’s identity (by, for example, contacting him or her at a phone number provided to the credit bureau). Introducing credit freezes in Canada, at no cost to consumers, would mark a significant step forward in giving Canadians control over how their credit data is accessed and shared.
###2. Strengthen privacy and cybersecurity laws and create penalties for non-compliance In Canada, companies that collect, use, and disclose personal information while in the course of commercial activities are regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA). To enforce rights under PIPEDA, individuals must file a complaint with the Privacy Commissioner of Canada who will then investigate and make non-binding reccomendations to the company, if appropriate. Critically, PIPEDA does not provide financial penalties or compensation for affected individuals. Indeed, as the Internet Society notes in its 2016 Global Internet Report, the cost of data breaches is largely borne by individuals, and companies have limited financial incentives to invest in better protecting user data. Monetary sanctions and mandatory reporting may help to strengthen Canada’s privacy and cybersecurity regime. In the European Union, the General Data Protection Regulation and Network Information Security Directive both establish significant and dissuasive fines for poor data handling practices, and may provide a model for future reforms in Canada. Mandatory reporting requirements may also help to increase transparency around data breach incidents. While Canada’s long-awaited data breach notification regime will not come into force until November 1, 2018, the new rules will require companies to promptly notify individuals affected by data breaches, report to the Privacy Commissioner of Canada in respect of breaches, and keep records on every breach of security safeguards involving personal information.
###3.Explore alternative identity verification systems, such as chip cards Technological measures may help to safeguard sensitive personal information, including identifiers such as Social Insurance Numbers (SINs) in Canada and Social Security Numbers (SSNs) in the United States. White House cybersecurity coordinator Rob Joyce recently indicated that the SSN “has outlived its usefulness,” and noted that American officials are looking into alternative approaches to securing consumers’ financial identities. One such tool which could be adopted in Canada is a physical token, such as a chip in a smart card, which contains an individual’s unique cryptographic private key. Individuals could be required to tap their smart card on a chip reader to authenticate themselves before, for example, authorising a credit pull or release of sensitive personal information.