Equifax’s Financial Probity and Reputational Risk… A Continuing Story
We have all had a few days to digest the announced Equifax breach. What has been breathtaking is the manner of the company's response, compared with the expectations it has been setting for individual and business customers over the last year.
Disclosure: On Equifax's UK website (now taken down), their own recommendation for how quickly a breach should be disclosed to a typical member of the public was "as soon as possible, within a few days." Unfortunately, in this specific case Equifax took more than forty.
Financial Probity: Unlike a personal relationship with a bank or insurance company, Equifax is a financial data aggregator, and as individuals we have no direct relationship with it. Its direct customers are our banks, mortgage holders, vehicle loan providers and insurance companies. In the end we are merely data and/or product, with no SLA covering the response to a breach of this type.
Financial data processors such as SWIFT and the Payment Card Industry worldwide have had similar growing pains recently.
Geographical Exposure and Potential Litigation: Much of the initial comment over the weekend focused on the exposure in the USA marketplace. Based on my knowledge of Equifax's European business customer footprint, it is clear that at least 95% of all UK adults with bank accounts, mortgages and home energy bills are in scope.
Luckily for Equifax, this breach happened before GDPR enforcement kicks in. European-based fines next year would have been 4% of worldwide revenue, in the order of at least $130 million. The potential USA and Canadian legal exposure and regulatory fines are developing rapidly, with Equifax being told yesterday that forcing the general public into binding arbitration on its breach website was illegal.
A parting muse for this week: Ironically, we as individuals are scored by Equifax for our financial prudence, yet we have no structured method to evaluate an aggregator's handling of our data. Given the agreed changes to European data privacy regulations and the noises from USA state attorneys, this time there should be momentum for regulatory change.