The massive data breach suffered by Equifax has both serious consequences for consumers and potentially profound long-term implications for commerce and the nascent cyber insurance industry.
In the three days since Equifax’s press release announcing the breach potentially exposing names, addresses, birthdates, Social Security numbers and other information for about 143 million U.S. consumers, both the federal Consumer Financial Protection Bureau and New York State Attorney General Eric Schneiderman have criticized the giant credit bureau’s response and, in particular, an “arbitration clause” that may severely curtail the legal rights of any consumers who take advantage of free credit monitoring offered by Equifax.
The arbitration clause is included in the terms of service for Equifax’s credit monitoring program and, as reported by the Washington Post, bars consumers from participating in class action law suits, requiring instead that all disputes be settled by “binding individual arbitration” and limiting consumers’ rights to discovery and appeal. Equifax has stated the arbitration clause won’t apply in this case, but some have warned that the company’s statement may not be legally binding. Consumer beware.
See also: VPNs: How to Prevent a Data Breach
The harm to consumers may last a lifetime as people have the same birthdate from cradle to grave, most will have just one Social Security number and many will use but one name. Yet, Equifax is offering just one year of credit monitoring.
For now, it appears that Equifax is failing crisis response 101. Instead of impressing consumers, clients and public officials with its transparency and earnest desire to make things right, the company has attracted criticism that undermines efforts to limit damage to its reputation, rebuild trust and inspire confidence. The gold standard in crisis management remains Johnson & Johnson’s handling of the 1982 Tylenol tampering case that led to seven fatalities in Chicago. That is playbook for business.
But the Equifax breach and its response raise several other critical issues. Most obviously, what should consumers be doing to protect themselves? (See “The Equifax Data Breach: What to Do” at the Federal Trade Commission’s website for a number of useful suggestions, including checking credit reports.)
The less obvious but perhaps more profound issues raised by the massive data breach at Equifax pertain to the future of commerce and cyber insurance. With the breach exposing several of the data elements typically used to verify people’s identities, one must wonder what will happen if businesses and financial institutions lose confidence in their ability to confirm we are who we say we are. Imagine a world in which merchants can no longer accept credit cards. Imagine a world in which banks and credit unions can no longer make loans. Imagine a world in which one can no longer bank or trade securities online. And, lest one succumb to the notion that advanced biometric security measures will save the day, understand that biometric data is stored in computer files that can be hacked just like birthdates, Social Security numbers and the like. Changing stolen user IDs and passwords is easy, but what is the fix when hackers steal retinal scans, fingerprints and the like?
The hope is of course that bright minds will find ways to protect us from criminal hackers and other nefarious parties who would do us harm, and yes — bright minds are already on the case. Witness in particular the rise of cyber insurance, and focus not on the compensation paid by cyber insurers in the wake of cyber incidents but rather on the underwriting done when cyber insurance policies are written and insurers’ work with clients to prevent and control losses. In many ways, this is emblematic of a larger movement in insurance and risk management from indemnification to loss prevention as the application of advanced analytics to big data enables intervention before losses occur. But while this might seem a new model, it is actually one that has been with us for quite a long time. People don’t buy boiler and machinery insurance because they want to be paid after boilers explode. Rather, people would prefer that boilers don’t blow up, and they want the benefit of the engineering and inspection services delivered during the underwriting process.
See also: Aggressive Regulation on Data Breaches
Nonetheless, there will be times when cyber losses occur, and cyber insurers will be called upon to respond. The Equifax breach provides a mere hint as to the coverage limits insureds may require and the amount of capacity, or capital, cyber insurers may need to cover the risk. Insurers that can figure out how to price and underwrite cyber risk have a tremendous opportunity to do well by doing good. One key will be successfully quantifying and managing aggregation risk (the accumulation of risk as a result of covering multiple insureds using the same or similar systems, etc.).