In Equifax hearings, Congress should focus on bigger picture

As members of the House Energy and Commerce Committee prepare to question Equifax CEO Richard Smith about the company’s recent data breach that exposed the sensitive information of an estimated 143 million Americans, they should focus on more than just Equifax.

Though there are serious questions to be answered about the steps Equifax took to protect the data with which it was entrusted, as well as about its response to the breach itself, this latest event is a symptom of a much bigger challenge facing the United States.  

Congress has an opportunity and responsibility in this and other hearings to begin a candid national conversation on identity protection — on how companies protect consumers before a breach, and on how they respond in the aftermath of the inevitable.

The first and most obvious question is about how companies can protect consumers’ data in the first place. Admittedly, this is the hardest part of cybersecurity: No matter how impenetrable a system may seem, at the end of the day, it was made by humans and can be breached by humans.

In spite of these challenges, the need for strong breach protection will only increase in the years to come. With the rise of the Internet of Things, more and more devices and appliances will be attached to the internet — which means that there will be more and more opportunities for hackers to exploit and steal personal information. By beginning to think now about how we can best secure data across various devices and applications, we can begin to prepare for a future that is both more connected and more secure.

The second question Congress needs to consider is about what companies are and should be obligated to do when data breaches do occur. In announcing its breach, Equifax offered all U.S. consumers, regardless of whether their information was exposed, a year of free credit monitoring. This kind of offer has become the standard response to breach, but it does not go nearly far enough.

Credit monitoring helps identify if the victim of a data breach becomes the victim of financial fraud. That is just one of nine different kinds of identity fraud that can be exploited by a breach, along with child ID fraud, social security fraud, driver’s license fraud, criminal behavior fraud, employment fraud, insurance fraud, synthetic fraud and medical identity theft. A comprehensive response would cover many — if not all — of these kinds of fraud, and would also result in a thorough inspection of the company’s current security system so as to improve consumer protection in the future.

In responding to their own security breaches, federal government agencies have answered both of these questions in a way that could be instructive to Congress as it considers them on a bigger scale.

First, they improved their perimeter protection by introducing two-factor authentication, among other technologies, and more extensive data monitoring. Second, they offered identity restoration services and identity theft insurance, as well as child, credit and other fraud monitoring services, to people affected by breaches. Though no response can undo the damage or eliminate all threats, the holistic response of federal agencies can serve as a model for Congress as it begins to craft policy.

A third question Congress should consider asking is about whether the current credit system is still working for the American people. In a time when one breach can expose more than half of all American adults at once, is it wise to concentrate such vast amounts of our most sensitive data in just three companies — or is that simply perpetuating a system that is ripe for hacking?

These are weighty questions that will take some time to answer. But we must ask them, and ask them soon. Government moves slow, technology moves fast and hackers move even faster. We must start the conversation now, consulting the expertise and perspective of company stakeholders, industry experts and government leadership.

Industry alone cannot formulate a sufficient response, and government regulation alone risks excluding crucial industry insights. Only through constant collaboration can we develop a nimble, capable identity protection system that has the safety and security needed to endure well into the 21st century.

Thomas F. Kelly is president and CEO of ID Experts, a Portland, Oregon-based provider of data breach and identity protection services. He is a Silicon Valley serial entrepreneur and an expert in cyber security technologies.