Equifax fined by UK and GDPR

A couple of days ago, Equifax was fined by the UK’s data protection authority for its data breach last year. The fine is the maximum penalty that could be issued under the pre-GDPR rules, but it is still only half a million pounds, an amount that I think is trivial to a company of Equifax’s size.

John Oliver did a great piece on Equifax here. For a quick summary, I’ll let the FTC explain it:

If you have a credit report, there’s a good chance that you’re one of the 143 million American consumers whose sensitive personal information was exposed in a data breach at Equifax, one of the nation’s three major credit reporting agencies.

Here are the facts, according to Equifax. The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.

Almost half of the American population had their sensitive data breached by the negligence of the credit agency. If you think that a breach of that size might have resulted in dire punishments and financial damages for the company, you are sorely mistaken. Per Quartz:

The credit agency kept news of the hack quiet for a month after its internal discovery, giving executives time to sell almost $2 million in shares. Once the news went public, Equifax first insisted that customers waive their right to a class-action lawsuit before accepting any credit protection; after an outcry, it backed down. A typo in a tweet from Equifax’s account directed customers to a phishing site instead of the actual website the company set up to tell customers if they’d been affected, which didn’t really work anyway.

A year after the hack, the lack of penalties for the company’s failures is equally laughable. Stock prices bounced back. Former CEO Richard Smith retired with his full $90 million package. No US federal agency has made any move to punish the company.

In Vietnam, we don’t have the concept of a credit score. In Europe, there isn’t an equivalent concept either, as far as I know; I never encountered anything like it while in Finland, and my European friends are baffled by the idea as well. Having been in the US for two years, I don’t pay much attention to the score, nor can I understand how it works. I set up all payments automatically to make sure I am never late on credit payments. Yet my scores have fluctuated significantly for no reason that I could understand. All they could tell me is that my credit profile is only one year old!? I don’t think the credit agencies add any value to society, and yet they are extremely profitable entities. They have access to consumers’ sensitive data, and look what they did with that data.

The fine was small because the breach took place before GDPR came into force. On that subject, I have heard criticisms of the EU’s data privacy regulation. Although the regulation isn’t perfect (the same goes for almost any regulation), it is a good start. The primary criticism is that compliance is too expensive and difficult for SMEs, so that big corporations can increase their competitive advantage further. My argument is that, regardless of size, any company can have consumers’ sensitive data leaked, easily in the hundreds or thousands of records. GDPR gives users many rights and much-needed power in the conversation. It is true that smaller firms may see their costs rise due to compliance with the regulation, but innovation should start from higher standards, not lower ones. Would we have more environmentally friendly cars by raising emission standards or by lowering them?

Had the Equifax breach taken place after the enforcement of GDPR, the company would likely have faced a fine worth 4% of its global revenue. Since Equifax generated $3.362 billion in revenue in 2017, that would have amounted to a fine of $134.5 million. Wouldn’t it be worth having such a law to protect users and consumers?
