It would be difficult to deny the severity of the Equifax breach. The potential cost of identity theft on the scale of the Equifax breach is difficult to contemplate and harder still to calculate.

After so many high-profile breaches in the last few years (JP Morgan Chase, Anthem, Home Depot, Target, eBay, Yahoo and the US Office of Personnel Management), the size of this breach deserves extra attention. It’s unsettling that such a breach would occur at a company whose purpose in life is to monitor consumer credit, but the big picture is that information breaches and identity theft are a growing problem.


The political response has been interesting. What’s the old saying? “Don’t let a good crisis go to waste.” We understand that legislators exist in order to make laws. It is just that there are legitimate concerns that should be addressed before additional regulation becomes the knee-jerk reaction:

  • Does the legislature understand the problem well enough to create effective policy?

  • Does the legislature understand the solution well enough to anticipate unintended consequences?

Before we answer these questions, let’s create the technical and legal context. This thing, this transcendental electronic medium of information exchange we call the internet, is still relatively new. It is constantly evolving technologically and in its infancy from a legal perspective. So, how should society or, more particularly, how should the government go about deciding who is responsible? Is it the party who failed to protect the data or the party extending credit without properly identifying the applicant?

Specific to the Equifax case or cases like it, if someone’s identity is stolen, how does anyone go about discerning the source of the incident? Could it have occurred as the result of a prior breach? In short, legal accountability after the fact is going to be difficult and costly to establish in almost any case.

There are three parts to the process of protecting people from identity theft:

  1. Protect personal information to the greatest extent possible. Breaches will continue to happen because technology isn’t any more perfect than the people who create it, and socially engineered breaches will always exist.

  2. Protect credit profiles by creating a permanent fraud-alert framework using techniques already known to credit card companies and credit reporting agencies. This includes:

a. Fraud protection driven by artificial intelligence used by credit card issuers, and

b. greater emphasis on identity verification at the point of granting new credit, much like what is done today once fraud alerts are placed on your credit file.

  3. Indemnity from fraudulent charges. This is a work in progress and among the most expensive options since someone ultimately must eat the losses that result from the theft.

Let’s attempt to work through these options and apply some commonsense analysis to each one:

  1. I would argue this is a battle that has already been lost. My own personal information has been compromised at least four times in the last decade.

  2. Some combination of these options is the most reasonable direction for the markets to take because:
