The Equifax data breach is quite possibly one of the most significant cyber attacks in history. This isn’t simply a matter of the size of the attack; it is about the role that Equifax plays in our modern data-driven society. While people continue to highlight that 143 million Americans had their personal data compromised, it’s important to understand that these individuals are not direct customers of Equifax and never have been. Equifax and other credit reporting agencies operate on a business-to-business model and rarely, if ever, deal with private citizens directly unless they’re fulfilling a request. Equifax and its peers play the critical role of trust broker in society. When a bank wants to issue a loan but needs to vet who can pay it back, it turns to credit reporting agencies for data on who the person in front of them is and whether they’re capable of fulfilling the obligations of the loan. When an apartment complex seeks to choose the best renters for their neighborhoods, they run a credit check based on data from Equifax, TransUnion, and Experian. The business model of credit reporting agencies is to collect data on individuals, determine a score, and charge organizations for access to that data, which is accepted as reliable.
The Institution of Equifax
Equifax can reasonably be called an embedded institution in U.S. society. The role the organization plays is the foundation of how people get homes, achieve social mobility, start businesses, and so much more. Equifax provides efficient trust between parties, which is a tough role to play. This is why a data breach at one of the bedrock institutions that people and businesses trust is able to shake U.S. market society at its core. While Equifax doesn’t face an immediate threat from the public, the long-term impacts can be severe when public trust erodes and people start feeling the data breach firsthand. The public doesn’t have the option of withdrawing from Equifax’s data collection operations. However, the public does have the ability to shift public policy, which will impact the institution of Equifax and its operations in the future.
Imagine for a moment that the public actually started demanding an implementation of a carbon copy of Europe’s General Data Protection Regulation (GDPR). How much would this disrupt credit reporting agency business models? One of the fundamental arguments raging in the U.S. is centered on ownership of data. Does data belong to the one who generates it (the private citizen) or to the platforms that collect it? These are the questions underlying many of the angry comments online, and all it takes is the right organizers to shape that into a policy matter. The GDPR establishes by default that data belongs to the private citizen and they have the right to revoke access at any time. What would happen to Equifax, TransUnion, and Experian if the private citizens whose data they collect and rely on for business could suddenly revoke access from the organization? It would be a disaster for credit agencies. It’s for this reason that public trust must be restored, or else there’s a risk of a fundamental demand for a policy shift in information security.
Advice on Restoring Trust
Right now trust is scarce among the public in the United States, and this data breach has not helped to improve that. Credit monitoring institutions need to move fast to re-establish trust. Below are some of the important ways in which they can do that.
Communicate Social Value
For a while, businesses operated on the idea Milton Friedman proposed in 1970: that business has only one responsibility to society, and that’s to increase profits. After this idea had been practiced for a little while, businesses quickly learned that it eroded public trust. Years later, the famous strategist and academic Michael Porter and Mark Kramer developed a model titled “shared value”, which aligns the profit-seeking behavior of business with long-term social value.
In the context of Equifax’s data breach, this means reaffirming the role they play in helping people achieve social mobility and in being the primary foundation of trust in U.S. society. The goal here is to establish a common base of understanding.
Publish Cyber Security Reform(s)
Beyond intentions, the public will be expecting significant reforms from credit reporting agencies. One of the best things that Equifax, Experian, and TransUnion can do right now is to be open about their progress on cyber security reform in their organizations. The public is demanding action and not just the standard script they’ve heard repeated every time there’s a data breach. Equifax is not just another company that citizens can choose not to engage with; it’s a fundamental part of society, and thus people will be demanding results.
The public is one element of public trust, but any organization has a variety of stakeholders, and Equifax is no exception to this dynamic. In an effort to genuinely restore public trust, there will likely need to be some changes in security practices that may impact any partners who work with Equifax. Coordination among stakeholders sends a strong signal that an organization is leading a strong effort to change how operations are done. Equifax and their peers have an opportunity to make this happen right now.
Low public trust is not a permanent problem and can be improved by way of clear and honest communication. The Equifax data breach is damaging, especially in these times, but it can be made into an opportunity to reaffirm the need for strong institutions that broker trust between parties.