Lessons from Equifax: Ensuring Adequate Document Security in a Data Breach


In September 2017, Equifax, one of the largest consumer credit reporting agencies in the US, disclosed an enormous data breach. The breach affected over 143 million US customers, which was almost half the population of the entire country. Once the incident had been thoroughly investigated, the company announced that over 146 million US customers were affected, plus 15 million UK citizens and approximately 19,000 Canadians.

According to the press statement issued by Equifax, the stolen data included victims' names, Social Security numbers, birth dates, addresses and, in some cases, even license credentials. Credit card numbers for over 200,000 US customers and specific information containing identifying data for approximately 180,000 US customers were also breached. In this incident, more than half of Social Security numbers were exposed in one go. The company spent six hectic weeks analyzing the data breach but planned its disclosure without urgency.

According to internal sources, the company took time to:

  • Prepare a well-designed press announcement
  • Rally cybersecurity lawyers from well-known law agencies
  • Hire a forensics team to analyze the breach
  • Report the breach to the FBI
  • Set up a website for customers to check whether their credentials were affected and register for remedial packages
  • Institute call centres to assist affected customers
  • Hire and train thousands of customer service representatives in less than two weeks
  • Create a package of remedial materials that included consumer credit files across the bureaus, access to credit information, insurance coverage for out-of-pocket expenses connected to identity theft and web scans to comb affected Social Security numbers on the dark web.

While the steps taken by Equifax appeared remarkably useful, things went downhill from there. Following the data breach notification, the company's stock price took a beating. Shortly afterwards, senior executives such as the CEO, CIO and CSO resigned. In a span of two months, Equifax began to face more than 200 consumer class action suits as well as lawsuits from its shareholders and other financial companies. When Equifax released its first-quarter report in 2018, it showed that the company had spent over $240 million to handle the data breach. Further, in 2019, Equifax agreed to pay $700 million to settle with the FTC, the CFPB, and US states and territories.

This incident brought to light the workings of the unregulated data brokerage sector. A slew of new laws was proposed in Congress, including bills covering national data breach notification and the correction of credit report errors, and specifically a ‘Freedom from Equifax Exploitation Act.’ Another unusual proposal, known as the Data Broker Accountability and Transparency Act, suggested that data broker companies be compelled to implement enhanced privacy and security practices.

The data breach at Equifax was a watershed moment for the company. Despite the measures that it took to contain the incident, what turned it into an absolute failure was how the company responded in the aftermath of the breach. When Equifax promptly reacted to the data breach, it made specific choices that eroded consumer trust entirely by weakening the perception of its capability, integrity and caring. The manner of its response led to a judgment not just on the company but on the entire data brokerage sector.

Today, while it is evident that data breaches seem to be the new standard, they can still be prevented with robust document security tools such as digital rights management (DRM). Because data breaches expose personal data and credentials that can be misused in various ways, including identity theft, keeping customers' personal information private is imperative for every company that deals with data. Document DRM could be a viable and valuable strategy for companies looking to deter threats from accessing secured content. Besides avoiding data breaches and ensuring your data is not copied, the most significant advantage in the DRM-based world is protection from authorized users misusing information.

A good document DRM solution can:

  • Protect consumer data such as passwords, credit card numbers, bank account details and other personal data such as on-site purchases
  • Safeguard trade secrets, intellectual property, and strategic business information
  • Provide PDF protection beyond weak password authentication and Adobe restrictions
  • Protect PDF documents from unauthorized access and misuse and help authenticate users in the cloud
  • Protect sensitive and confidential data on any device.
  • Safeguard your digital assets from copying, piracy, and unauthorized sharing.
  • Control secured data and content even after they’ve been sent out, e.g. trigger expiry automatically after a specified period of time, or revoke access to a document or a user instantly.
  • Ensure protected information stays secure in the event of an accidental leakage.

In addition, an organization should have a method for managing document leakage and a plan for the loss of data in extreme circumstances that are beyond its control.
