What Security Pros Want From Equifax

In the aftermath of the massive Equifax breach, consumers are scrambling to know if they were affected, the degree to which they were affected, and what to do now.

In an attempt to buy time while things get sorted out, and to ease the minds of consumers, Equifax is providing free credit file monitoring and identity theft protection to all U.S. consumers. Beyond that, there’s little coming from the company, which only contributes to the frustration of customers, and adds to an already existing air of suspicion around the company and their practices.

Not that Equifax is hiding anything, but there could be more support and transparency coming from them. After all, this affects 143 million people. That’s like the entire state of Delaware, but 151 times. There’s no getting around the fact that this was a breach of epic proportions, but it’s not the first time this has happened, and it most certainly won’t be the last.

Equifax has already differentiated themselves with the sheer magnitude of this thing, but they also have an opportunity to stand out by how they fix this. To do that takes courage, and Equifax's intent must be genuine. But to recover means doing hard things that will rebuild trust among customers, partners, and other stakeholders. Without that, Equifax will become a business school case study, but we have faith that they can do better.

Whether or not you care about the future of Equifax, we suggest these steps on their road to fixing this:

  • Admission of guilt: Apparently Equifax became aware of the breach on June 29, yet news to the public didn’t surface until September 7. It is fully understandable that before you go public with this kind of sensitive news, you want to ensure you’ve remediated any security issues and created a secure environment for your users and data. In some ways, you’re now more of a target than ever, and a judicious approach makes sense. But five weeks to alert users? That just can’t happen; it’s sort of like “Dad’s Rule”: if you screwed up, don’t lie about it, because your dad will find out anyway, and lying about the screw-up will make the punishment for the screw-up even worse. Equifax must explain the delay and assure customers that they will be more communicative and forthcoming in the future.
  • Complete Review: Like all organizations, Equifax has to have an automated incident response plan for security issues. They likely have something, but it clearly didn’t work in this case; one has to wonder how files for 143 million people were accessed without being noticed. The company needs to completely review their processes and report to stakeholders how safeguards will be put in place to minimize damage in the future. Every organization should be regularly reviewing these processes and making improvements where necessary, but this now has to become religion at Equifax. This is about more than a culture of security; this has to become a mindset of “security first, security always.”
  • Fix-It Plan: Equifax has to deliver a message that instills faith in their stakeholders. They can’t tell us the specifics of the security controls they’re going to apply to their cloud layers, but they can provide details on their security plans and what they hope to achieve. This is an opportunity to educate consumers and partners so they know what to look out for on their end. It gives Equifax a chance to explain what proper identity, network, and other types of security are and how they address them. Right now, the company doesn’t look like it has a plan; it just looks like a big company that screwed up, got caught, admitted it, and is now grasping at straws. But these are smart people at Equifax, and they owe it to their stakeholder community to explain how this will be fixed.
  • Ecosystem Validation: It’s hard to imagine how many mortgage and title companies, specialized loan operators, banks, credit issuers, and other financial institutions are getting some blowback as a result of edgy customers not wanting their information to touch Equifax. Smart financial companies are finding ways to unburden themselves of being beholden to Equifax, but it’s not that simple. There are partnership deals that are legally binding, and unraveling the legal language to determine fault could take years. It’s time for Equifax to do the right thing: offer their institutional customers an alternative form of credit reporting (possibly a temporary “out” from their current agreements), or provide some sort of insurance that protects consumers. Any measures taken in this regard will hurt financially, but without them, the entire Equifax ecosystem is tainted.

A modest proposal? No, this is much starker than that, but the entire country is already on edge. Equifax is not responsible for restoring consumers’ faith in “the system”, but they do owe it to their constituents to act honorably and with good business sense. While a campaign of trust building kicks off, so too must their efforts to ensure continuous monitoring so this kind of thing never happens again. And it serves as a cautionary tale to all other companies. Protect, monitor, fix immediately, and avoid, as best you can, the overwhelming mess that a security breach can cause.