A version of this article originally appeared in CSO Online
By any measure, the Equifax data breach was and is a disaster.
Most importantly, it exposed the data of 143 million American consumers, which could cause years of trouble for all involved. It also revealed all too clearly the tenuous protections provided for consumer data in the credit reporting industry.
Not that anyone is inclined to feel sympathy for Equifax at this point, but it has cost and will continue to cost Equifax millions upon millions of dollars. Recent reports say that the credit monitoring agency is facing more than 70 class-action lawsuits. The jobs of many who bear no blame for the failure are also on the line.
The Silver Lining
And yet … for those who are charged with educating employees and consumers about data protection, the breach could turn out to be a blessing in disguise. Call me crazy, but I think this may be a rare opportunity to shine the spotlight on an issue that every American needs to know and care about.
If you are involved in security or privacy awareness programs, you may already understand that this breach is an opportunity, namely because you may already be dealing with an employee population that is more tuned in to the importance of protecting information than ever before.
The Equifax breach goes a long way toward addressing one of the big resistance points surrounding most education about these issues: people who rightly ask “What’s in it for me?” (or WIIFM).
Because the breach is so widespread, and because the potential for its aftereffects to hit home is so real, people are more ready than ever to pay attention to your messages about how to protect themselves and their company from harm related to private data or cybersecurity. Here are a couple of practical ideas to make the most of this moment:
Software updates suddenly matter
The breach appears to trace back to a failure to patch a known vulnerability in an open-source software package. What a great chance to remind employees that keeping their software up to date—on their phone, on their home computer, and at work—can prevent huge hassles.
Watch who you trust with your data
In the immediate aftermath of the breach announcement, Equifax put up a site to allow customers to see if their data had been breached—all you had to do was enter your personal data!
The press howled in response: why would you provide this information to a company that had just shown they couldn’t protect it? But for you running awareness programs, what a great chance to open a dialog about “data minimization” and about the perils of what happens to a company that loses the trust of its customers.
Identity theft just got interesting
In the months since the breach, countless sources have helped us see how much our credit score can affect our lives. Most frighteningly, it has shown just how much information credit reporting agencies know about us, and how little control we really have over that data.
It’s been a wake-up call for anyone who didn’t already understand how widely dispersed their personal data is, and thus how easy it is for cybercriminals to perpetrate identity theft. Resources for learning about identity theft have never been more readily available, nor have they been so good (check out this FTC video for an example).
Time will tell if this massive display of public interest in protecting data will lead to any long-term changes in the way the U.S. regulates consumer financial data, let alone to the overall protections offered to personal information. It’s still hard for me to imagine a U.S. version of the upcoming General Data Protection Regulation (or GDPR), but stranger things have happened.
However, if all of us involved in educating employees and citizens about data protection seize this moment to get people more engaged in understanding and acting upon information protection, it will turn out that the Equifax breach was a good thing after all.
Check out our collection of free resources designed to inform your employees about threats to cybersecurity and data privacy and help you up your security or privacy awareness efforts.