Risk of Entitlement
Six months have passed since Equifax copped to the Exxon Valdez of personal confidential data spills (Krebs). Is this the death knell of what remained of Trust? No. Trust was roadkill long before Equifax’s epic stumble. The old network perimeter security mantra of “Trust but verify” had already been superseded by “Never trust, always verify.” Hence Zero Trust networking (Virtru).
Does the Equifax breach represent egregious negligence of standard, good operational security practice (money.cnn.com)? Absolutely. Is Equifax rewriting the book on How to Manage Incident Response Horribly Following a Catastrophic Failure? For sure. Will former CEO Richard Miller be prosecuted for insider trading by the SEC and DOJ (California Lawyer)? Probably not.
There are pertinent takeaways from this train wreck in progress:
- A black swan event is looming over the credit monitoring agencies. Equifax has inadvertently exposed their dubious value as arbiters of credit-worthiness (New Republic).
- We, the Equifax (or TransUnion, or Experian) users, are not the customer. We are the commodity. The banks and lenders to whom our data is sold are the real customers.
- There is a compelling argument that disintermediating the credit monitoring agencies would benefit consumers (NY Times op-ed).
- But that probably won’t happen, as the GOP-controlled Congress intends to ease regulations, which would make the credit monitoring agencies even less accountable (LA Times) for their incompetence and duplicity.
- And yet a corner has been turned. The Equifax breach helps shift the onus for consumer data protection from the consumer to the service provider. Hello multi-factor authentication built into banking applications (Wired). Good riddance to “What is your mother’s maiden name” as an acceptable means of verifying identity.
- The Equifax breach is a boon for the concept of user consent, as embodied by the Kantara Initiative’s UMA (User-Managed Access) standard (kantarainitiative.org). Consumers should be active participants, not bystanders, in the control of personal data held by third parties.
- Ignore the hype. Your confidential data was leaked long before the Equifax breach was announced. LifeLock and other credit fraud and identity fraud protection services are fear-mongering racketeers, piggybacking on the paranoia (John Oliver).
- Reduce your risk surface. Close accounts you aren’t using. Monitor active accounts to make sure charges were made by you. Implement two-factor authentication on applications where sensitive data is at risk. Choose identity verification questions that can’t be guessed from your leaked data. Leverage alerts and notifications to know when an account has been accessed from an unfamiliar device.