For anyone affected by the Equifax data breach (which is to say most adult Americans), it’s been a long 10-ish days of following the latest news, waiting on customer service hold, website errors, misinformation, frustration, and fear.
And with the follow-up news of the Securities and Exchange Commission (SEC) breach, the hits keep coming. Though I’m not one to dwell on what-ifs, following one of the most severe data breaches on record, I can’t help but wonder whether any of this would have gone down had more regulation been in place, and even if it had, how different the aftermath would be.
As an American living in Europe, I’ve been following the news related to the EU General Data Protection Regulation (GDPR) for many months and to the Equifax drama for what certainly feels like months. But for those who haven’t needed to keep up to date with one (or both), lucky you - and a quick recap:
For Those Unfamiliar With GDPR
The GDPR is a regulation that will begin to be enforced on May 25, 2018 and represents the largest shift in data privacy regulation in more than 20 years. It aims to protect the personal data of individuals in the EU (residents, not only citizens) from misuse and breaches - you can read all the nitty gritty details on the official website, or check out our white paper on the subject for an overview of what it will take for businesses to comply.
Long story short, it’s a huge deal; businesses of any size and in any location that process the personal data of people in the EU will have to put specific protection measures in place and follow detailed requirements for preventing and reporting breaches.
For Those Unfamiliar With Equifax
Equifax is a consumer credit reporting agency in the United States (one of the three major such agencies), which means it collects highly sensitive information (personal details, financial data including credit card accounts, addresses, employer information, and much more) on more than 800 million individuals. Equifax gets this data from entities that report on the credit activity of individuals (banks, retailers, lenders, etc.) and from public records.
On September 7, 2017, Equifax announced a data breach affecting roughly 143 million U.S. consumers, with attackers accessing full names, Social Security numbers, birth dates, addresses, and in some cases driver’s license numbers. According to Equifax, the intrusion began in mid-May, was discovered at the end of July, and was only disclosed to the public about six weeks after that.
So, What If...
Let’s take a trip down what-if lane and talk about Equifax in a world in which GDPR was active and being enforced globally (not just for the data of people in the EU). What would be, or would have been, different?
- Well, for starters, it may not have happened. Under GDPR, an organization whose core business is large-scale processing of personal data, as Equifax’s is, would almost certainly be required to appoint a Data Protection Officer (DPO). The DPO has to be an expert in data protection law and practice, and the regulation spells out a long list of duties: informing and advising the organization on its obligations, monitoring compliance, and serving as the point of contact for the supervisory authority. The DPO must be given the resources to do this and cannot be penalized for doing it, so the role does not carry the legal accountability on its own (that stays with the company as data controller), but it does guarantee that someone with the expertise, the mandate and a direct line to senior management is looking at how personal data is protected every day. That kind of standing scrutiny could have brought about enough change in data governance and security to prevent, or at the very least lessen, the incident.
- The fines would have been massive. For now, the United Kingdom is still in the EU, and estimates put the number of British residents affected anywhere from hundreds of thousands to millions. Had the breach happened after enforcement begins, the consequences would have been huge. The maximum fine for the “most serious infringements” is up to 4 percent of annual global turnover or €20 million (whichever is greater), so for a company with annual revenue in the billions of dollars, a penalty for non-compliance could have run well over $100 million.
- Cleaning up the aftermath would have been...well...cleaner. With proper data governance in place under GDPR, even if the incident had still happened, cleaning up the mess would have been much simpler. GDPR requires clear processes for handling data subject requests (access, rectification, erasure and the rest) so that they are answered, as a rule, within one month. So while perhaps nothing could fully prepare Equifax for the influx of hundreds of thousands (perhaps millions) of customer service requests, having clearer paths to answer questions about people’s data, and systems that let customer service representatives actually tell people what is held about them, certainly would have helped. If not from a logistical standpoint, then definitely from a PR standpoint.
- We would have known about the breach a whole lot sooner. In turn, we could have started protecting ourselves and our identities a whole lot sooner. Under GDPR, a breach that is likely to pose a risk to individuals must be reported to the supervisory authority (the Data Protection Authority, or DPA) within 72 hours of the organization becoming aware of it, and where the risk to individuals is high, the affected people must also be notified without “undue delay.” That was certainly not the case in the Equifax breach, and it remains to be seen how many people were harmed in the window between the intrusion and the announcement. Even taking Equifax at its word that a breach which began in May was only discovered at the end of July (again: would it have gone unnoticed that long with a DPO in place?), the company then waited roughly six weeks before notifying the public.
GDPR For Everyone, Anyone?
The United States has been notoriously lax compared to Europe (and perhaps the rest of the world) in its attitude toward protecting individuals’ data. Perhaps that is because Americans, culturally, are less protective of their data, less concerned about businesses holding it, or simply more trusting. Maybe all of the above. Unfortunately (or maybe fortunately), that might change in the post-Equifax world.
And if Americans become more sensitive about data protection and more open to legislation on the topic, that may mean GDPR (or GDPR-like regulation) for everyone. Though European businesses, and many outside Europe that handle EU data, are still grappling with exactly how they will comply, many are starting to agree that the regulation may turn out to be good not only for data subjects but for business. As anti-data-regulation as we have historically been, if GDPR is good for businesses, good for consumers, and bad for fraudsters and data thieves… what do we have to lose?