By Dennis Kelleher (this op-ed originally appeared in The Hill)
More than a year has passed since the American people belatedly learned about the shocking Equifax breach that exposed more than 145 million Americans’ personal information to the dark web where identities are sold and stolen. Now, a year later, nothing has been done to prevent this from happening again.
Worse, companies continue to worry more about their bottom lines than enabling the American people to protect themselves from exploitation once their information is hacked. That’s why companies must be required to promptly disclose any significant hacks so that people are informed and can protect themselves.
That is the only way to prevent Americans from being doubly victimized: first, when their information is stolen and, second, when the thieves use the information to steal their identity, drain their bank accounts or run up their credit cards. That’s happening now because companies repeatedly fail to promptly disclose hacks, putting profit protection above customer protection.
Think about it: under the current system of no rules and ad hoc company decision-making, the American people are the only ones left in the dark about the theft of their information. After all, the hacked companies and the hacking thieves know the information is stolen and are gleefully exploiting it long before the victims are even aware of what has happened.
Even in the face of the mind-boggling Equifax hack affecting almost 50% of the entire American population, what was done to protect Americans from the next hack? Worse than nothing.
Last year, in the financial deregulation bill, most of the attention was focused on the impact on banks. However, there was a totally unrelated sweetheart provision in the bill for Equifax, as Democratic Ranking Member Sherrod Brown pointed out:
“In exchange for a small provision helping servicemembers watch their credit, the bill forces them to give up their right to take Equifax to court the next time the company’s recklessness exposes sensitive financial data. If that weren’t bad enough, the bill also gives Equifax a big new business opportunity, directing our federal housing watchdog to adopt a new credit scoring model that will benefit a company Equifax co-created.”
But there is now new leadership at the House Financial Services Committee and Chairman Maxine Waters has called the heads of the three credit rating agencies, including Equifax, to testify. This will be a new opportunity to extensively question their cyber security, data protection programs and the protocols in place to alert the public in a timely manner should another data breach occur.
The past simply cannot be repeated. After the Equifax hack was finally disclosed, the all too familiar post-scandal wheels were set in motion: the news broke; there was public outrage; and then calls for action. Next, a Congressional hearing was held, partisan wrangling ensued and ultimately nothing good was done.
The then-Republican led Congress took the minimum amount of action possible, allowing Americans to freeze and/or unfreeze their data without penalty. While this is a positive small step in the right direction (a little after-the-fact protection), it simply does not provide the kind of pro-active protection and transparency the American public deserves. Moreover, it is entirely dependent upon companies disclosing the hacks to the public.
Equifax’s conduct follows an all too familiar pattern of corporations failing to alert the public that their personal information has been compromised, exposed for exploitation and likely available to criminals. Yahoo, now a unit of Verizon, has been breached twice, the most serious being in 2013, which affected over 1 billion accounts. Yahoo did not tell the public its information was stolen until late 2016, almost three years later. Target suffered a similar breach in 2013 when the personal information of 70 million customers was stolen over the Black Friday holiday shopping season kick-off.
Left to their own choices, corporations seeking to maximize profits or minimize losses fail to alert the public in a timely manner, instead putting the interests of shareholders, executives and board members above consumers and customers.
Before there are tens of millions of more Main Street victims, the Securities and Exchange Commission (SEC), led by Chairman Jay Clayton, could require all companies to promptly disclose any significant computer hack to investors and the public. Failing prompt SEC action, Congress should require this, which we would call the “Equifax Rule.”
The SEC should act because there is no doubt that hacks are very important information to investors and customers. For example, when the Yahoo hack was finally publicly announced, Yahoo’s stock dropped 4.4% the next trading day. Target reported a 40% drop in fourth-quarter profits following the breach, and Equifax’s stock dropped from $143 per share to $93 per share, or about a 33% decrease, over the course of the week after the hack was announced.
Those significant stock moves prove beyond debate that information about significant hacks is in fact “material” to investors, which companies are supposed to promptly disclose if they have a duty to disclose the information. While we believe that companies have that duty now, the SEC must declare it a duty and insist that companies disclose all possibly material hacks promptly.
We know detecting, halting and investigating a computer hack can be difficult and often takes substantial time to determine with precision, but that is exactly why an “Equifax Rule” is needed. With such a rule, there will be no more delays while facts are gathered and conclusions are drawn. After all, the criminals don’t delay. They immediately start using the stolen information to rip off Americans who don’t even know their information has been stolen.
A simple “Equifax Rule” will directly fix that: if a company suffers a significant hack, it is promptly disclosed, and Americans can take action to protect themselves like freezing their accounts. Such a rule will end the current double victimization, first by the criminals and then by the corporations who fail to tell them of the hack.
The American people deserve to know immediately when their data has been compromised, not weeks, months or years later. That will not only protect their data, but also their identity and other personal information. It’s long past time for the SEC or Congress to take action and protect Main Street before this happens again.
Dennis M. Kelleher is president and CEO of Better Markets, a Washington-based independent, nonpartisan, nonprofit organization that fights for a financial system that supports the productive economy, jobs and growth by promoting the public interest in financial reform, financial markets and the economy.