Equifax Breach Under GDPR

19 Sep Equifax Breach Under GDPR

The big Equifax breach has been on the headlines for over a week. If you’re not aware of it – please google it. There are a lot of blogs and articles out there. This will be one of those blogs.

According to sources, the information of UK citizens have been amongst those 143 million records (or they maybe added on top of the 143 million, unknown at this point). This puts the Equifax breach firmly under the GDPR. Many of the posts I have read state that the GDPR becomes effective in May 25^th 2018. Well… That’s not really the case. It is already effective, has been over a year. On May next year, the regulation will be enforced.

According to the fiscal year 2016 numbers with around $3 billion in revenue and $500 million in net income, the penalty for non-compliance would be $125 000 000, about a quarter of the net income. I would imagine that this case would get the harshest treatment under (enforced) GDPR due to several contributing factors. Some examples:

• Breach notification after a month vs the 72hours required by the GDPR
• Storing EU Citizen data without their knowledge (How did that happen?)
• Gross negligence in securing the information

Whenever there was a better time for a data subject information request letter – this would be it. This means that any (EU/)UK citizen can ask Equifax basically “What do you have on me?”. And much more…

Privacy “gap” between the US and the EU

The gap between how US and EU view privacy is widening. Come May it will no longer be a gap. It will be a canyon so wide you can’t see the other side from the curvature of the Earth. This breach clearly shows that. US based companies offering services to EU citizens must realise that they cannot treat EU citizen data the same way they treat US citizen data. Or they might be in big trouble next year.

Private information is a business asset in the US. To be collected, refined, combined and sold. Without the consent and / or knowledge of the data subject (the user). A lot of money is involved here. Imagine Dr. Evil here with his pinky in his mouth shouting “billions!”. Personal data, as defined by the GDPR, fuels the online advertisement market of close to $50 billion in value in the US alone (in 2014, probably much higher for 2017). Then there are companies like Equifax that sell credit reports to their own customers. The breach might create a huge dent to the revenues of all similar companies in the US as their customers will put something called “credit freeze” in place. Essentially denying Equifax to sell their credit reports. Because the breach affected 143 million users, most likely the freeze must be put in place with all big credit companies.

The GDPR will affect how businesses can use the private data of an EU citizen. The private data that previously went into a black hole, will transfer under the ownership of the citizen. The business might store the data, but the citizen will hold much greater control and ownership of his own data, able to decide how it can be treated, request deletion or transfer of the data etc. Companies processing personal data will also have to be much more transparent about how they treat the data. Long T&Cs can’t be used to embed a clause that gives ownership and total control of everything the user submits to the company – instead clear and unambiguous consent must be asked, and proven if so requested by the user “Did I say you can sell my data forward?”.

What would happen here if my data was leaked Equifax way?

If I’m thinking about my own situation, if the same data would be in the public domain about me that was breached in the Equifax case, I wouldn’t worry too much. Let’s take applying for a line of credit as an example.

I’m looking for a line of credit in the amount of €10 000 and I browse to a site. I write down the information (that has presumably leaked, including name, address, social security number, e-mail, etc). I come to the end of the application. Instead of submitting the application and the provider doing all the checks in the backend using information provided by me (or someone using my leaked information), I have to authenticate myself using my government recognised digital bank identity. It’s an app, issued by my bank, on my iPhone and I use my username (could have been leaked) and my fingerprint to approve the application.

And here it stops. For this to work for the bad guy, he would have to be in possession of my phone and my thumb (still attached to the rest of my body hopefully). Credit companies, online businesses, banks and mobile network operators have created a trust network here. If you need to make an online transaction without using your credit card, like applying for a line of credit online, you need to prove your identity with a strong and government approved method. Identity issuers here include banks, mobile network operators (MNO) and of course the government. Though everyone uses either bank of MNO issued identities.

In the US – please start creating similar networks where you have (strong) digital identity issuers and digital identity consumers, i.e. online services. Issuers have a responsibility to vet the identity properly and when the online services are using (consuming) these identities, the issuer generates revenue for each transaction. This is an established business in Scandinavia and can work elsewhere as well. It’s already happening in Canada. The technology to create trust networks has been available a long time. Ubisecure is the number one European vendor delivering solutions that can be used to build trust networks and provide strong authentication and / or identity brokering services. And these are universal solutions, based on established standards.