Equifax Breach Provokes Calls For Serious Data Protection Reforms

Equifax's data breach was colossal -- but what should happen next? The Guardian writes: The problem is that companies like Equifax are able to accumulate -- essentially, without limit -- as much sensitive, personal data as they can get their hands on. There is an urgent need for strict regulations on what types of data companies can collect and how much data a company can possess, both in aggregate and about individuals. At the very least, this will lessen the severity and size of (inevitable) data breaches... Without putting hard limits on the data capitalists who extract and exploit our personal information, they will continue to reap the benefit while we bear the risks.
Marc Rotenberg, president of the Electronic Privacy Information Center, adds, "we need to penalize companies that collect SSNs but can't protect [them]." Wired reports: Experts across numerous privacy and security fields agree that the solution to the over-collection and over-use of SSNs isn't one particular replacement, but a diverse array of authentications like individual codes (similar to passwords), biometrics, and even physical tokens to create more variation in the ID process. Some also argue that the government likely won't be the driving force behind the shift. "We have a government that works at a glacial pace in the best of times," says Brenda Sharton, who chairs the Privacy & Cybersecurity practice at the Goodwin law firm, which has worked on data privacy breach investigations since the early 2000s. "There will reach a point where SSN [exposure] becomes untenable. And it may push us in the direction of having companies require multi-factor authentication."
Meanwhile TechCrunch argues, "This crass, callow, and lazy treatment of our digital data cannot stand...": We must create new, secure methods for cryptographically securing our data... These old organizations -- Equifax was founded in 1899 and hasn't changed much since inception -- must die, to be replaced by solutions that (and I shudder to say this) are blockchain-based.

as they say, "let the free market decide"

[supernova87a]

I have a very simple solution for policymakers to implement:

- Name + phone hacked = $2 penalty
- Name + address hacked = $3 penalty
- Name + SSN hacked = $5 penalty
- etc., and combinations of the above, just multiply.

Things would get fixed right quick.

innocent until proven guilty

[at10u8]

Penalties are aiming in the wrong direction because leaks will continue to happen. Better to change finance law so that the victim is presumed innocent until proven guilty. A victim should not be penalized. Rather, the lender who fails to perform due diligence and verify identity before extending credit should lose. That would be a powerful motivation for the finance industry to adopt new techniques that minimize their risk of losing.

Witness the power of this fully functional lobby

[hwstar]

Nothing will happen at the federal level right away because of this.

The banks are too powerful. These are the same guys who pushed binding arbitration in consumer contracts of adhesion.

States will need to take the initiative first. Let's hope that the banks don't have the power to pass a federal law to preempt the flurry of state laws which will come out of this.

Death by a thousand cuts at the state level might prompt a 'watered down' federal update to the Federal Credit Reporting Act, but it will end up pre-empting any state laws with a decent set of teeth.

Sometimes I worry about the rule of law and equal protection under the law in the US. It the banking cartel can rip off everyone by sidestepping the rule of law with binding arbitration, why can't a sniper take out a banker or two?

Re:Donald Trump playbook

[lucm]

When anyone accuses you of something you accuse them of it 10x.

It's easier when your adversary is a corrupt, thieving, lying piece of garbage. At this point I'm starting to wonder about the real involvment of the Russians in the election; if they are indeed smart as chess players, maybe what they did was make sure that the Democrats picked the worst possible candidate instead of the guy that clearly embodies the real liberal values.

But when it comes to Equifax, this comparison hardly applies because Equifax are not evil, they're merely incompetent, and have been for a long time. They're just like Diebold (the makers of those hilarious MS-Access based voting machines); once you start scratching the surface you just can't help but freak out when you realize how fucking retarded they are.

Re:Donald Trump playbook

[jimtheowl]

Sone would argue that Equifax has always been evil, and now they are showing that they are incompetent as well, so they could be both.

As for your other point, it is also possible that the Democrats did not pick the worst possible candidate, but one that was not as appealing to the TV reality entertainment mindset of the populace and nevertheless actually qualified to do the job.

But that is way, way in the past. No one cares about it except trolls who want to divert attention from the present. It would be nice If those who got elected were to focus on the job and stop reminiscing.

Re:Mandate that SSNs are not proof of identity

[bluefoxlucid]

The correct answer is to use UAF or U2F. The U2F keys all have UAF capability.

You walk into a bank, present your ID (driver's license, etc.), and they can see it's you. Online, you tell them what car you had in 1999, where you lived 6 years ago, and which bank holds a current loan. One of these is stronger than the other.

So what you do, you walk into a bank, present your ID, and then you take a brand-new, personally-owned, $20 security key to their terminal. You plug it in or wave it at the NFC, and it sends separate keys to Equifax, TransUnion, etc. Done. You now have an established trust with the credit reporting agency.

When you open a new credit account, the bank checks the CRA for your history. If you have a hold on your credit, the CRA tells them no loans. Same deal: when the bank talks to the CRA, the CRA sends a challenge; you use your security key to digitally sign the response, proving your physical possession of the correct key, thus your identity. Generally this is RSA or elliptical curve; and the devices are non-cloneable.

Lost your key? Call your bank and tell them. They'll put your trusts on hold with the CRA. You show up with ID and your key to re-establish trust. In the mean time, it's impossible to open a new loan account.

People can't hack the CRA or the bank and steal your identity to open new loans in your name if there's no shared secret to steal. You have the only secret; you can prove you have that secret; and you can prove it without revealing the secret. An adversary can only steal the secret by stealing a physical device; and they use secure hardware that resists physical and logical attack, so cloning is destructive at best, and destructive attacks tend to completely-fail on these devices.

That's the solution. It's the cheapest, most-effective, simplest option available today.