Analysis of Equifax Breach

Equifax’s Financial Probity and Reputational Risk… A Continuing Story

We have all had a few days to digest the announced Equifax breach. What has been breathtaking is the manner of the company's response, compared to the expectations it has been setting for individual and business customers over the last year.

Disclosure: Equifax's UK website (now taken down) recommended that a typical member of the public report a specific breach "as soon as possible, within a few days." Unfortunately, in this specific case Equifax took more than forty days.

Financial Probity: Unlike a personal relationship with a bank or insurance company, Equifax is a financial data aggregator, and as individuals we have no direct relationship with it. Its direct customers are our banks, mortgage lenders, vehicle loan providers and insurance companies. In the end, all we are is data and/or product, with no SLA obliging a response to a breach of this type.

Financial data processors like SWIFT and the Payment Card Industry worldwide have had similar growing pains recently.

Geographical Exposure and Potential Litigation: Much of the initial comment over the weekend focused on the exposure in the USA marketplace. Based on my knowledge of their European business customer footprint, it is clear at least 95% of all UK adults with bank accounts, mortgages and paying for their home's energy are in scope.

Luckily for Equifax, this breach happened before GDPR enforcement kicks in. European-based fines next year would have been 4% of worldwide revenue, in the order of at least $130 million. The potential USA and Canadian legal exposure and regulatory fines are developing rapidly, with Equifax being told yesterday that forcing the general public into binding arbitration via its breach website was illegal.

A parting muse for this week: Ironically, we as individuals are scored by Equifax for our financial prudence, but we have no structured method to evaluate an aggregator's handling of our data. Based on agreed changes to European data privacy regulations, and the noises from USA state attorneys, this time there should be momentum for regulatory change.

David Dingwall has been embedded within the IAM marketplace and other infrastructures required by enterprises to support their business for three decades, previously as a Consulting Architect and in business development. Responsible for Product Management and Marketing at Fox Technologies, he is focused on how real people use software tools to make their working day easier, and jokes that he is the “Fox Technologies Storyteller” when writing marketing material. His experience includes working with or for Hi-Tech, Healthcare, Energy transmission and distribution, Oil & Gas, FMCG and Mining organizations, and Government police and national security departments.