It would be difficult to deny the severity of the Equifax breach. The potential cost of identity theft on the scale of the Equifax breach is difficult to contemplate and harder still to calculate.

After so many high-profile breaches in the last few years (JP Morgan Chase, Anthem, Home Depot, Target, eBay, Yahoo and the US Office of Personnel Management), the size of this breach deserves extra attention. It’s unsettling that such a breach would occur at a company whose purpose in life is to monitor consumer credit, but the big picture is that information breaches and identity theft are a growing problem.

The political response has been interesting. What’s the old saying? “Don’t let a good crisis go to waste.” We understand that legislators exist in order to make laws. It is just that there are legitimate concerns that should be addressed before additional regulation becomes the knee-jerk reaction:

  • Does the legislature understand the problem well enough to create effective policy?

  • Does the legislature understand the solution well enough to anticipate unintended consequences?

Before we answer these questions, let’s create the technical and legal context. This thing, this transcendental electronic medium of information exchange we call the internet, is still relatively new. It is constantly evolving technologically and is in its infancy from a legal perspective. So how should society, or more particularly the government, go about deciding who is responsible? Is it the party who failed to protect the data or the party extending credit without properly identifying the applicant?

Specific to the Equifax case or cases like it, if someone’s identity is stolen, how does anyone go about discerning the source of the incident? Could it have occurred as the result of a prior breach? In short, legal accountability after the fact is going to be difficult and costly to establish in almost any case.

There are three parts to the process of protecting people from identity theft:

  1. Protect personal information to the greatest extent possible. Breaches will continue to happen because technology isn’t any more perfect than the people who create it, and socially engineered breaches will always exist.

  2. Protect credit profiles by creating a permanent fraud-alert framework using techniques already known to credit card companies and credit reporting agencies. This includes:

     a. fraud protection driven by artificial intelligence used by credit card issuers, and

     b. greater emphasis on identity verification at the point of granting new credit, much like what is done today once fraud alerts are placed on your credit file.

  3. Indemnity from fraudulent charges. This is a work in progress and among the most expensive options since someone ultimately must eat the losses that result from the theft.

Let’s attempt to work through these options and apply some commonsense analysis to each one:

    1. I would argue this is a battle that has already been lost. My own personal information has been compromised at least four times in the last decade.

    2. Some combination of these options is the most reasonable direction for the markets to take because:

    a. Credit card networks such as Visa, Mastercard and American Express have already proven they can add value in the fraud-prevention process, and

    b. the technology exists to improve identity verification before the extension of credit. Today’s fraud alert system proves this. And don’t you use the fingerprint scanner on your smartphone for identity protection already?

    3. This is the most expensive and disruptive solution to the problem based on unintended consequences and economic impacts. As mentioned earlier, under this scenario someone is eating losses that are likely to lead to higher costs, fewer consumer choices and potential job losses.

If after careful thought one agrees that protecting consumers from identity theft losses is best performed by those granting the credit, what then becomes of our original question as to whether new regulation best serves our collective financial security? Under that scenario, do you trust Congress to:

    • Understand the problem well enough to create effective policy in light of rapidly changing technology?

    • Understand the solution well enough to guard against unintended consequences?

My answer is no.

Ironically, using the FTC’s own data, you can see that the majority of reported incidents don’t result in losses. In fact, the lowest losses occur in bank and securities firm transactions, and the highest in fraudulent tax returns.

What can we learn? Regulation is not likely the best response to the data breach at Equifax. Until a better solution is found, it is imperative that you communicate with your clients, encourage them to protect themselves, and consider adding identity theft protection and credit monitoring to the list of services you provide your clients.

     
