Congress Blog

Kudos to state attorneys general for action on Equifax breach

Big shout out to Massachusetts Attorney General Maura Healey for leading the pack of states' attorneys general now considering legal action against Equifax over the breach affecting the personal financial data of 143 million Americans. She stated, "This may be the most brazen failure to protect consumer data" that her office had ever seen. What a difference a week can make for doing the right thing!

Fair counterpoint: no company can ever offer 100 percent data protection. Cybersecurity is a dynamic field evolving constantly in response to a fast-changing global threat landscape. A breach can happen anywhere, anytime. But what is easy to assess post-breach is whether or not a company did everything it could have and should have to avoid it; especially if they are such an obviously rich target as Equifax should have known itself to be. Equifax failed us and spectacularly so. Adding insult to injury, there was no empathy or contrition for the millions wounded by its lax practices.

So, have we arrived at the point of no return in these recurring cycles of harm? Have consumers had enough? The bipartisan winds blowing through this issue seem to suggest consumer outrage. We are fed up with the one-sided nature of the relationship we have with credit scoring agencies exploiting our personal data for commercial gain with seemingly no responsibility or moral imperative to protect us. While perfectly happy to make profits exploiting us, companies seem less willing to help mitigate the damage after a breach. And so, states' attorneys general finally seem ready to act.

Here's my three-part plan if I were lucky enough to formulate a state's response as their Attorney General:

  1. Conduct a deep, thorough and public enquiry into both the origins of the breach and the dynamic of decision-making inside the company in response to the breach and its adequacy in protecting consumers and not strictly company interests. The wide-ranging nature of this public investigation is in and of itself a signal to others.
  2. Level a significant fine equal to a multiple of the inadequacy of spending on cybersecurity in the first place and on the lack of adequate and timely response to ensure that never again will a company forsake consumer protections for profits.
  3. Use the findings from these first two actions to immediately enable regulators to begin imposition of routine fines for every single reported breach regardless of its scope or cause to force companies to put more resources into cybersecurity.

This last point is vital: today, companies face no particular financial pain, other than media embarrassment, when a breach occurs. And while some class action suits are now pending against Equifax that might reverse this trend, most consumers are unlikely to be able to prove definitively that any future damage wrought years later arose directly from Equifax's negligence. Knowing this, lawyers will act vigorously and viciously to defend Equifax and ensure that consumers cannot make their case for holding them accountable.

Therefore, automatic incidental fines are the only solution I see presently that might work. These could even be put into a consumer protection and education fund to help victims of online financial crimes as a way of directing enhanced resources to a growing global threat.

More importantly, instead of the fixed amount of money that companies currently dedicate to cybersecurity through a self-determined analysis, the prospect of a fine becomes a relative budget allocation question of whether or not a company has truly dedicated enough time and money to avoid a breach. It forces cybersecurity investments to become less optional or discretionary. This approach will create a "pay me now or pay me later" mentality in company executives that they genuinely understand and that makes the real costs of cybersecurity breaches intolerable to them. We need this seemingly obvious tactic to break through the cavalier attitude that still prevails in many companies today.

This latest incident will not be the last, but let's hope it's the beginning of the end. If we can at least get this out of the Equifax breach, then some long-term gain can come from the short-term pain we all now face. That's as good as it's going to get right now.

Dr. James Norrie is the Dean of the Graham School of Business and Chloe Eichelberger Chair for Business Education at York College of Pennsylvania. He teaches courses in business strategy, cybersecurity, and information privacy and technology law and policy. Reach him at