It now seems clear that the massive data breach at Equifax was caused not simply by aggressive hackers but by clear and potentially negligent security errors by Equifax itself. But fundamentally, this isn’t a security problem. It’s a market failure and a legal and regulatory failure.
There are many businesses in which the cost and assumed liability of taking possession of certain goods – real or intellectual – is quite high. Indeed, that is often a major part of the business model itself – they are paid to take on that liability. An extreme example is transporting dangerous or volatile chemicals. This may be the biggest personal data security breach yet. But breaches that are nonetheless quite large happen basically all the time and the costs to the company are usually negligible. Yes, there’s a big PR hit and there’s usually some fine. But the costs in fraud and disruption in the lives of affected consumers totally dwarf the financial cost to the company. On the most basic measure, the costs are not great enough to prevent companies like Equifax from making really basic mistakes like failing to install new security patches in a timely manner. It’s a cost of doing business.