On September 9, 2017, we all saw the Equifax breach make headlines, and then the unfortunate follow-up and backlash. Up to 143 million Americans have had their private data hacked, including names, addresses, and Social Security numbers. This incident is being called the biggest hack in history. Security experts around the world derided Equifax’s security protection, as well as its response to the incident. Leading security researcher/blogger Brian Krebs noted, “I cannot recall a previous data breach in which the breached company’s public outreach and response have been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax.”
Clearly, we should not tolerate the Equifax security model that allowed the breach to occur. And I cannot in good conscience defend their response: they allegedly waited months to report the hack, they suggested that consumers sign up for a credit monitoring service that included a confusing user agreement under which consumers might waive their right to a future class action lawsuit, and they also disclosed that senior executives sold Equifax stock just after the breach occurred but before it was announced to the public.
That being said, while locking down corporate security is hard, I would suggest that informing consumers exactly what to do after a hack is even harder, and very tricky to get right.
We see that a consumer’s anxiety is ultimately rooted in a lack of knowledge. We all know that we fear what we do not understand. Given the complexity of technology, the mystery of how this happens, and lack of information in general, cyber crime is an especially scary topic for most Americans. Ultimately, consumers need clear and easy-to-understand information that explains what a security breach such as the Equifax breach is, what to do when you are a victim of a hack, and how to protect yourself in the future.
Consumers need education about identity protection, and they need it delivered just in time, when these events occur. If you are an employee of a bank or credit union, your institution is probably already pushing out at least some communication and information about the Equifax breach. But make sure this communication includes clear and jargon-free education with suggested next steps.
Providing education on security breaches and identity theft will shine a light on this topic.