Customer Data Protection: What Businesses Can learn from Equifax Data Breach

The massive 2017 Equifax data breach potentially exposed the personal information of more than 143 million American consumers to hackers. That number is almost half of the U.S. population and virtually 100 percent of the American workforce. Most consumers think of Equifax as a credit monitoring and rating agency. The data breach, however, focuses attention on the asset that creates Equifax’s real value, namely, the huge trove of personal and financial data that Equifax holds. However, there are still some steps you can take to protect yourself from this recent cyber attack.

Private businesses other than Equifax might not hold as large volume of data, but whatever data they do hold has a high value in the hacking underworld. For many reasons, calls for stronger laws to protect that data might put more pressure on private businesses to protect customer data, and at best they might force businesses to give consumers quicker notices of when a data breach has occurred. By themselves, however, new or enhanced laws will not stop hackers from plying their illicit trade.

Private businesses, in theory, maintain a social contract with their clients and customers that imposes a set of social responsibilities on those businesses. Protecting customer data from hackers has become a necessary and proper component of that contract. Realizing this, private businesses must adopt minimum standards and procedures to fulfill their obligation to protect customer data:

• Data encryption is no longer limited to military operations or top secret projects. If a business would shred data printouts after using them, or that data could compromise the business or its customers in any way if it fell into a third-party’s hands, that data should be maintained in an encrypted form inside the business. If a data breach does occur, the encryption of that data reduces the hacker’s ability to read and use it.
• Layered security is mandatory for all private business information systems. Layered security incorporates several levels of security procedures across a network, including multi-factor user login authentication, enhanced firewalls, monitoring that tracks incoming and outgoing data and data segmentation and silos that separate data into segregated storage units that are separately accessible only by employees who have a need for that access.
• Protecting customer data is a company-wide responsibility and is not just something that is relegated to the IT department. Regular training should instill a cybersecurity awareness and obligation in employees, including teaching employees not to click on attachments in emails from unknown sources, refraining from using free public Wi-Fi, and requiring that they use strong passwords that are changed regularly.
• Back up all stored data with technology and systems that are not connected to a primary information systems network. A ransomware attack can freeze a business’s access to its information systems and data, leaving the business in the unenviable position of not knowing exactly what data it had stored and maintained. A good backup will keep a backup data set quarantined from the business’s main operations to prevent malware from seeping into that backup set as well.

When these or other data protection strategies fail and hackers do steal customer data from a business, the social contract that the business has with its customers calls for that business to compensate their customers for the damages. This can be an expensive proposition, as any business that suffers a data breach will also need to rebuild its own internal systems that might have been damaged in the breach. For these times, data breach insurance can provide a valuable life line for the business.

That insurance, for example, can reimburse the business for expenses it incurs to provide credit monitoring services for customers whose data was lost in a breach. A business that quickly responds to a data breach in this manner and reaches out to customers with offers for credit monitoring and other services will also be better able to maintain its reputation as an entity that takes its obligations under its social contract seriously.