Equifax, Credit Agencies and Risk (mis-) Management
Recently, Equifax, one of the largest credit reporting agencies in the US, joined the long list of companies that have suffered a major data breach. Equifax is now trying to explain how the personal data of over 143 million Americans, effectively most of the US adult population, was compromised.
The company tracks the detailed financial affairs of nearly all Americans in order to gauge their creditworthiness. Along with TransUnion and Experian, it holds personal data on hundreds of millions of US consumers. Because that data (names, dates of birth, Social Security numbers, addresses) is exactly what is needed to open accounts in someone else's name, a single breach can expose nearly every American adult to identity theft.
Why Tight Data Management is Crucial
Under the threat of litigation that could put its survival in question, Equifax is finding out how important it is to protect the personal information it holds, and why data privacy has become a growing concern around the world. There are five main reasons why data privacy has become an area of serious risk that requires the attention of a company's management:
- Detailed data collection: Businesses now compile and process large volumes of personal data through networked systems, far more than they did when records were kept on paper.
- Penalties: The European Union, Canada, and other countries, such as South Korea, have strict data privacy laws that allow regulators to levy significant fines for violations.
- Publicity: As more people guard their personal data closely, a company's violation of data privacy laws can quickly become a public relations crisis. This has to be managed or contained.
- Extraterritorial reach: More and more data privacy laws apply to foreign companies that handle a country's residents' data and restrict the transfer of that data abroad, creating cross-border risks.
- Tougher regulations: More countries are enacting stricter rules on the use and dissemination of personal data, and raising the penalties for breaking them.
Assessing Your Data Breach Risk
Managing the risks inherent in data privacy can be quite a task. Failure to adequately protect customers' personal data, however, can cause serious reputational harm and lasting damage to a company's brand, on top of any regulatory penalties.
In determining the risks it faces, an organization must answer a series of uncomfortable questions, including but not limited to the following:
- What data does the organization have and where is it located? This includes data that has already been published or shared with third parties.
- What kind of data is it, and how sensitive or confidential is it?
- What processes, if any, are currently in place to protect the data?
- What processes, if any, should be implemented to protect the data?
- What new risks do the chosen protective measures themselves introduce? (A central inventory of sensitive data, for instance, is itself a high-value target.)
- Who has access to the data, and how many custodians are there?
- Are protocols in place for handling the data?
- Has an inventory of all Electronically Stored Information (ESI) been taken?
- Are obsolete or unneeded records still being retained, and if so, why?
- Has the IT architecture been reviewed and mapped?
Only once these questions have been answered and the risks associated with personal data have been considered is a company in a position to design and implement a risk management process for that data. But remember: the tough questions must be answered first.