We’ve all become so numb to having our personal information stolen again and again and again that in the aftermath of yet another massive data breach—in this case, the 143 million U.S. consumers whose information was stolen from credit reporting agency Equifax—there’s a tendency to try to explain why this one is bigger and scarier and more important than all the previous breaches. Sure, your date of birth and Social Security number and credit card information have been stolen at least a half-dozen times before, but this time you should really care—and take action!
But it’s actually pretty hard to know immediately after a breach is announced whether it’s going to be especially big or scary or important. The long-term consequences and costs, especially to consumers, will depend largely on who has taken the data and what they intend to do with it (and how effective they are at doing it). And less than a week after Equifax announced its breach, we still don’t have the answers to any of those questions—which means it’s way too soon to be declaring it the “worst leak” ever. Nor do we know how the breach was perpetrated or what safeguards Equifax did or did not have in place—so it’s also way too soon to be denouncing it as delinquent in its data protection duties. (It’s not too soon, however, to lambaste it for a truly disgraceful incident response strategy.)
We know that lots of information was stolen, and we know that the immediate response was a mess. That’s about it. By the time we can say anything meaningful about whether Equifax did a reasonable job protecting its data or how this breach will affect the 143 million whose information was stolen, most of those people will probably have lost interest in the story. And in a way that’s a pity, because the Equifax breach has the makings of some truly fascinating and complicated post-breach maneuverings and battles.
To understand why, it helps to know a little bit about what typically happens in the aftermath of major data breaches and what makes Equifax different. After a breach—after the notification letters go out, and the credit monitoring services are activated, and the public apology (or nonapology) statements are issued, and the news cycle has run its course—there are a few different ways organizations may be held responsible and affected consumers may protect themselves. Credit reporting agencies such as Equifax play a role in just about every single one of those efforts.
For instance, when you receive a free credit monitoring service because your data has been stolen, that service relies on one of the three major credit bureaus (Equifax, Experian, and TransUnion) to alert it to any new accounts or loans taken out in your name. So people affected by the Equifax breach will, unsurprisingly, be offered a year of credit monitoring by … Equifax (or rather, by TrustedID, which was acquired by Equifax in 2013). If you don’t find that especially reassuring, you can go the next step of freezing your credit, so that no one can make inquiries about your credit without your express permission. But in this process, you will, yet again, be relying on the credit bureaus to keep you safe (and, in many cases, paying them for the privilege). Not to put too fine a point on it, but major data breaches are kind of a bonanza for credit reporting agencies—all our consumer protections pretty much rely on them.
Individual consumers could—and probably will—file class action suits against Equifax, but those suits are typically only successful insofar as consumers can point to specific instances when their money has been stolen as a direct result of a breach—like, say, fraudulent transfers or withdrawals from your bank account. Your loss of privacy or time or peace of mind is unlikely to matter to a court. And part of what often makes those losses difficult to demonstrate is that there are several protections in place to insulate individual consumers from bearing the costs of fraud—many of which come back to credit cards and, yes, credit bureaus.
Odds are good that if someone steals your information through Equifax and uses it to open up a new account or manufacture a fraudulent credit card or file a fake tax return in your name, you will not end up paying for those losses. (You will lose time and sleep and all sorts of other important things, but the direct financial losses will most likely be borne by someone else.) For instance, when someone else uses your credit card information to make charges, the credit card payment network (e.g., Visa or MasterCard), your issuing bank, or potentially even the retailers where the stolen information is used to make fraudulent purchases end up paying for those charges, so long as you call up and report that your card has been compromised.
Your credit card company has to do that for you—both because there are legal protections in the U.S. to protect consumers and because the banks are desperate to keep their credit card customers in a cutthroat competitive credit card market. But in order to cover those losses in the wake of major breaches, the credit card companies and banks sometimes file lawsuits against whoever let the information be stolen in the first place. That’s why, for instance, Target ended up paying $67 million to Visa in 2015, after the retailer was breached in 2013. It’s not a perfect system, by any means, but it’s how liability gets assigned and costs get distributed. And it’s much harder to envision how such lawsuits would play out when the responsible party is a credit reporting agency—one of a very small number of trusted entities that the entire credit card industry is deeply, deeply dependent on.
A final line of defense is the Federal Trade Commission, which can, and does, file complaints against companies that fail to take reasonable measures to safeguard consumer data. But it’s unclear whether Equifax did, in fact, fail to take reasonable measures since we don’t yet know how it protected the stolen data—and there’s still a fair bit of uncertainty about what constitutes a reasonable amount of security in the first place.
There’s something both terrifying and a little bit comforting about the sheer scale of the Equifax breach and others like it. On the one hand, possibly everyone’s in big trouble—but on the other hand, at least it’s not just you who’s at risk. It remains to be seen whether that scale will translate into record amounts of fraud or theft—we don’t even really know whether whoever stole these records wanted them in order to make money or for some other purpose entirely, like espionage. But it’s worth paying attention to how this breach plays out not just for the next week or two in the news, but over the next few years in court, as we figure out how to hold accountable an institution that is deeply and inextricably embedded in just about every mechanism we have for dealing with large-scale data breaches.