The market can’t fix this. Markets work because buyers choose between sellers, and sellers compete for buyers. In case you didn’t notice, you’re not Equifax’s customer. You’re its product.
September 13, 2017
On the Equifax Data Breach
[I agree with his astute observation but not his conclusion (government legislation is required).
If someone is harmed by the carelessness of another, the careless person can, and rightly so, be sued for damages. How is this any different?—Joe]
The question is whether these companies are given immunity by government edict.
In my view, a somewhat more general law is needed: a blanket prohibition on the collection and storage of social security numbers except where explicitly authorized by law.
Why limit it to social security numbers?
How about no collecting of data not needed, encrypting all data retained, and purging all data when no longer needed?
WRT Joe’s point, what recourse would one have if they sell your data to a 3rd party who is breached?
Encrypting doesn’t help. The problem isn’t that data left the building — which is what encrypting is designed to prevent. It was that the systems that were supposed to use that data were compromised. The plaintext was compromised, not the ciphertext.
I do agree with not limiting it; a ban on collecting SSNs would be a good start.
On selling data, I’d go after both parties. The seller, for disclosing data recklessly. The buyer, for causing damage by failure to protect personal data.
The problem is that there are laws which allow consumers to sue credit reporting agencies (like Equifax) and collection agencies for their abuses, which are widespread and largely go ignored. The problem is that the consumer is limited to suing for $1000 in the case of collection agencies, and $5000 in the case of credit reporting agencies. That won’t even cover legal expenses, and the damages are so low that the companies are willing to roll the dice.
All Congress needs to do is raise or eliminate the limits of liability. Let the lawsuits do the rest.
Z’Truth! That’s how cars got safer; it wasn’t the CPSC that decreed safety glass for windshields.
I saw him speak this year about IoT. He rode the same hobby horse – we need government intervention. It was a spoken version of this writeup: https://www.schneier.com/blog/archives/2017/02/security_and_th.html