I froze my credit file across all three bureaus. I’ve been comped various identity theft and monitoring services which seem to pepper me with really uninteresting updates about their “dark web scans” and erratic increases or decreases to my card limits. And I have Google Alerts set up for my social security number and other personal information that may one day make their way to the public web. These minor frictions aren’t all attributable to the 2017 Equifax breach but that’s the incident which sticks in my mind to this day. Because what do you do about a company like Equifax?
Moody’s just downgraded their outlook, which has real implications for their financial wellbeing (borrowing interest rates, etc.). Is the market the ultimate regulator? Businesses and consumers decide that a hacked institution is no longer someone they trust, and Equifax experiences more difficulty hiring, partnering, and so on? Or does government have a bigger role to play in ensuring those companies entrusted with our most valuable personal data be held responsible for its care?
I *want* to say ‘yes, regulators do something punitive!’ but to be honest, I don’t know exactly what happens in situations where there perhaps wasn’t a single individual criminally negligent or culpable, but just a bunch of underspending or underperformance by those put in charge. Slap-on-the-wrist fines not only don’t move the needle but actually do harm, because they erode public faith that their public institutions give a shit about the average person: trivial penalties which prove regulators and CEOs act out punishment theater in public and then hang at the same country clubs on the weekends.
But the other side of the spectrum is also problematic. If you shut down the company or deliver such a set of damages that you are effectively eliminating its ability to compete, who are you really impacting? Most likely the 99% of employees who had nothing to do with the issue at hand. They’re the ones with retirement plans in company stock, pensions at risk. If you want to kill the company, what about the collateral damage?
None of this is even close to my area of expertise but I remain unsatisfied with the answers to questions like “In wake of the Equifax breach, how do we prevent this from happening again and repeatedly?” Because it does all the time.