Critics say the Equifax breach settlement is yet another reminder of the failings of data governance laws. Could the tide soon be changing?

ANALYSIS Millions of US consumers had their hopes dashed last month, after those who were eligible to file for compensation for the Equifax data breach were advised to opt for free credit monitoring, rather than requesting any financial payback.

The news came shortly after the credit reporting agency reached a $700 million settlement with the Federal Trade Commission (FTC) over its notorious 2017 cybersecurity incident.

Although more than $30 million had been set aside for consumer cash claims, the FTC said that, given the “overwhelming response” from claimants, this fund would have been spread so thin it would barely be worth the effort.

“A large number of claims for cash instead of credit monitoring means only one thing: each person who takes the money option will wind up only getting a small amount of money. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed,” said the FTC’s Robert Schoshinski.

While the Equifax settlement was the largest yet seen for a data breach, critics said the case was simply another reminder of the failings of current data governance laws, which give organizations little incentive to implement security measures and safe data practices.

“We need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again,” US senator Mark Warner said in a statement.

Others, including fellow Democratic senator Elizabeth Warren, called for an investigation into the FTC for “misleading” breach victims over consumer compensation.

Warren, who has introduced various frameworks that place more onus on corporate responsibility, previously suggested that corporate executives should face jail time when their organizations fail to implement best data practices.

“When corporate executives at big companies oversee huge frauds that hurt tens of thousands of people, they often get to walk away with multimillion-dollar payouts,” she wrote in a Washington Post op-ed in April.

Unintentional exposure

In the case of Equifax, Warren is correct in pointing out the ineffectiveness of current legislation – the billion-dollar company has experienced nothing more than a blip in its share price following the 2017 data security incident, and the cost of reimbursing consumers will likely amount to little for the credit rating agency in the long run.

Lawmakers, however, are finding that placing responsibility for harm caused by the unintentional exposure of data is not always so clear-cut.

An organization, for example, could apply every basic security measure and may still experience a data breach, due to a careless employee, determined cybercriminal, or even a malicious insider who’s looking to make an extra buck.

This is why the debate on cybersecurity responsibility needs to be reframed, argues John McCumber, the North America director of cybersecurity advocacy at (ISC)2, a US-based non-profit focused on training cybersecurity professionals.

“One of our key problems is that organizations do not track data on their balance sheets,” McCumber told The Daily Swig. “What does Experian sell? It’s data, sliced and diced in so many ways.”

McCumber has been pushing for lawmakers to start examining the causes of breached information, rather than firefighting the symptoms that transpire when a company gets hacked.

This starts by looking at the moral, social, and ethical responsibilities of those who are entrusted with managing large repositories of personal information, he says, and finding new revenue models around our information economy.

“People take this as a security problem but, at the end of the day, this is a corporation issue associated with the corporate’s current risk model,” McCumber said.

“I believe, going forward, that we’ll eventually be able to capture information as a balance sheet asset, but we [currently] don’t see organizations being forced to account for part of their normal business operation.”

Sustainable data stewardship

But the tide may soon be changing, according to a joint statement (PDF) published last week by the Business Roundtable, a lobbying group consisting of some of the top CEOs, better referred to as Corporate America.

The letter, which is signed by the heads of blue chip companies including American Express, Amazon, and AT&T, states that quarterly profits should no longer be the primary goal of corporations, and that businesses should be “generating long-term value for shareholders, who provide the capital that allows companies to invest, grow, and innovate”.

It also commits to more effective engagement with shareholders – a statement that some advocacy organizations say is long overdue.  

“It’s been obvious to many stakeholders – including many shareholders – that achieving sustainable success in a 21st century corporation requires much more than blind devotion to short-term quarterly profits,” said Michael Connor, executive director of the Open Media and Information Companies Initiative (Open MIC), a group that works for greater corporate accountability at tech and media firms. 

“We’d like to think that companies will now be willing to listen to shareholders as the companies develop and implement key policies regarding the social implications of technology,” Connor told The Daily Swig.

“Environmental, social, and governance issues are critically important,” he added.

The Daily Swig has reached out to Business Roundtable for comment.

In 2017, Open MIC helped bring forward a proposal by Verizon shareholders to put a price tag on the company’s cybersecurity performance.

Shareholders requested a reduction in executive compensation in the event that the company was implicated in a data breach or incident that resulted from a failure to implement the appropriate security controls.

“Saying ‘trust us’ and providing a list of protocols is not enough,” said Jonas Kron, vice president of Trillium Asset Management, speaking on behalf of Verizon shareholders at the time.

“Executive compensation is already linked to key metrics such as earnings per share, free cash flow, and revenue; cybersecurity and data privacy are equally important mission-critical concerns.”

Swing votes and settlements

There have been multiple pushes for greater corporate responsibility when it comes to data stewardship.

This was most recently demonstrated at Facebook, where executives must now have any changes to the company’s privacy and data practices approved by an independent board, as mandated by FTC.

“I can’t think of another major publicly-held tech company that’s operating under similar government-imposed conditions, especially as they apply to privacy,” Connor told The Daily Swig.

Under the new rules, which come alongside a record-breaking $5 billion settlement for the Cambridge Analytica data scandal, Facebook must create an independent privacy committee.

“The unfortunate fact is that Facebook was forced to accept this [FTC] settlement; the company didn’t do it voluntarily,” Connor said.

“If Facebook had listened to shareholders three years ago, when some of its major problems first arose, perhaps it would have been better off.”

At Facebook’s annual meeting in May, 83% of independent shareholders voted to eliminate the company’s ‘one share, one vote’ structure, which, as it currently stands, gives Mark Zuckerberg the final say when it comes to any shareholder vote.

A majority of independent shareholders also voted to separate the roles of board chair and CEO.

“If Mark Zuckerberg is really listening, he’ll embrace those two recommendations in the coming months and make some substantive changes to governance at the company,” Connor said.

“That would be progress.”

YOU MAY ALSO LIKE GDPR: Have greater fines forced organizations to take data security seriously?