The personal and financial data of almost 146 million (and counting) U.S. consumers has been compromised by the Equifax breach, the latest in what is becoming a long line of data breaches. Congress has already conducted four hearings related to Equifax and data breaches in the first week of October, which just happens to be Cybersecurity Awareness Month.
Over the last several years, data breaches have affected many sectors, including retail (Target), health care (Anthem), entertainment (Sony), average consumers (Yahoo!) and millions of cleared government U.S. employees (Office of Personnel Management, or OPM).
But do consumers worry enough about such breaches? Research shows they have tended to be fairly forgiving and forgetful. In 2015, RAND surveyed members of the American public regarding how they behaved after receiving a data-breach notification and the attitudes they displayed toward the affected companies. Interestingly, 44 percent of consumers surveyed first learned about the breach from a source other than the affected company, such as news reports and other people. Of those who had received a data-breach notification in the year before the survey, 77 percent reported being satisfied with the company's post-breach response.
Almost 90 percent of consumers who had received a breach notification said they continued to do business with the affected company.
Almost 90 percent of consumers who had received a breach notification said they continued to do business with the affected company. But that doesn't necessarily mean they were happy with the company and its response. In many cases, it would have been a headache to switch. (Changing health insurance companies is timely and cost-prohibitive, for instance.) Or they felt that once breached, the affected company might have better cybersecurity so it might be worth staying. (They could be thinking: Better to shop at Target than a competitor with unknown cyber-hygiene practices.)
The RAND study was conducted before the announcement of the Equifax and OPM breaches. As these cases demonstrate, victims do not always have an option to switch providers. For the OPM data breach, there was no opt-out option for more than 20 million applicants who wanted to serve in one of more than 100 federal agencies since OPM conducts 90 percent of background investigations for the U.S. government. If they wanted to be considered for the job, applicants were compelled to provide a great deal of personally identifiable information—such as Social Security and passport numbers, birthdates, birthplaces—as well as detailed residential, employment, financial, and medical histories. All of this information—much of it permanent, unchangeable personal details about the applicants—has been compromised as a result of the 2014 breach.
Similar to the OPM breach, consumers didn't have a choice regarding whether Equifax held their data because of the way the U.S. credit system works. Credit is an accepted part of American life. Buying a car? Opening a credit card account? Buying a house? Leasing a car? All will surely require a credit check. And some prospective employers are even requesting credit reports on job applicants.
Equifax reports that the information compromised in the breach includes names and addresses as well as permanent, unchangeable identity information such as Social Security numbers and birthdates. For a small percentage of the Equifax victims, driver's license numbers and credit card numbers were also compromised. Given the nature of the credit bureau information and the magnitude of the breach, it may be that victims care more now about this breach, and more of them will take action to secure themselves from harm.
Protective actions require consumers to know that their information was breached and what options are available to them to protect themselves. Equifax's response to the breach had positives and negatives. On the plus side, an Equifax website was made available for consumers to verify whether their information was compromised. They can also sign up for free identity-theft protection and credit file monitoring through the site.
Equifax was also relatively quick to patch the vulnerability that let the attackers into their systems and to dismantle the channels through which the attackers had been exfiltrating information. But Equifax could have done a better job of getting the word out sooner—the breach was discovered in July but was not announced until September, delaying the ability of consumers to take action. In addition, the website has already been spoofed by hackers, so unsuspecting consumers could be further victimized by identity theft. And while free monitoring is offered, it is unknown how long it will continue.
Further, Equifax's main website indicates the company will send direct mail notices to consumers whose credit card numbers or dispute documents with personally identifiable information were affected, but it is not clear that Equifax has yet done so.
This month's congressional hearings on Equifax and other data breaches have covered several issues, including potential measures for how to improve notifications and response in the wake of a breach. One measure would require notification following a breach of security of a system containing personal information, and another would amend the Fair Credit Reporting Act to provide access to free credit freezes for all consumers. Another measure would require the extension of identity theft and credit monitoring services for victims to 10 years, keeping the requirement for private companies the same as what Congress required of the U.S. government (extended from three years) in the wake of the OPM data breach.
Regardless of what actions Congress takes to improve notification measures and response to consumers when data is breached, one thing seems fairly certain—this probably won't be the last time Congress will be moved to take action in the wake of a significant data breach.
Lillian Ablon is an information scientist at the nonprofit, nonpartisan RAND Corporation. Sina Marie Beaghley is a senior international/defense policy researcher at RAND.
This commentary originally appeared on The Hill on October 18, 2017. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.