RWU expert sees need for more regulation after Equifax breach

Updated 11:14 a.m.

PROVIDENCE – In the wake of a data breach at consumer credit-reporting giant Equifax, in which the private information of 143 million Americans may have been compromised, Roger Williams University professor and cybersecurity expert Doug White spoke out about the need for increased regulation of data-collecting corporations.

“These companies aren’t regulated very carefully and there’s no clear guideline as to what’s required in cases like this,” said White in an interview with Providence Business News. “The only real penalty is the company’s stock prices go down briefly and there’s a loss of credibility and a sort of brief hubbub about it before they go back to business as usual and continue collecting data.”

An insider of the tech industry for more than 30 years and chair of Cybersecurity and Networking at RWU, White teaches courses in digital forensics, computer networking and security. He also heads the school’s Forensics, Advanced Networks and Security Lab as director and is a member of the R.I. Cyber Disruption Team coordinated by the R.I. State Police.

White is also among the 143 million Americans – nearly half the total U.S. population – whose information might have been stolen by the hackers of Equifax. Full names, birth dates, addresses and Social Security numbers were all involved in the Equifax breach, and could be used by information criminals to steal the victims’ identities.

The fact that consumers are the primary victims of such data breaches can make it difficult to hold companies such as Equifax responsible for the loss of sensitive information, White said, even in cases when the company failed to invest in adequate cyberattack prevention measures.

“Some states have tried to pass requirements for reporting when someone’s personal data has been breached, but currently there’s not a lot of legislation that mandates these companies do much of anything,” said White. “It’s data they collect, and if they lose it, they just lose it.”

Equifax Information Services LLC is one of the three largest credit-reporting companies in the U.S. along with Experian Information Solutions Inc. and TransUnion LLC.

In 2015, Rhode Island received a $90,000 slice of $6 million in settlement money from all three agencies, the result of a multistate investigation into alleged credit-reporting errors, insufficient monitoring of data furnishers, inaccuracy in consumer credit reports and improper marketing of credit-monitoring products.

Credit-reporting agencies aren’t the only corporations holding sensitive consumer information at risk of security breaches, however. On Sept. 1, less than a week before the Equifax breach went public, a Providence-based nonprofit called The Neurology Foundation Inc. released a public statement acknowledging that a former employee had, without authorization, transferred information about the nonprofit and its patients onto a hard drive that was then stored at the employee’s home.

The Neurology Foundation, which is associated with the Warren Alpert Medical School of Brown University and Rhode Island Hospital, said that while a third-party forensics investigation is ongoing, there is no evidence the employee misused the information in any way.

The data that was transferred onto the employee’s hard drive included patients’ names, addresses, phone numbers, insurance policy numbers, medical record numbers, Social Security numbers and bank account numbers. Information related to patients’ medical diagnoses, treatments and medications may also have been compromised.

The Neurology Foundation indicated in its statement the nonprofit would notify individuals by mail if their information was violated and offered victims 12 months of complimentary credit-monitoring – provided by Equifax, Experian and TransUnion.

The fact these three agencies are so ubiquitous in providing credit-report services for all manner of financial queries is one reason breaches such as the one at Equifax have such a dramatic impact, White said.

“It’s very difficult for a company or an individual to live without a credit report,” he said. “There’s no way I could open a business in Rhode Island without giving them all this information about myself, for example.”

In fact, White said, “Unless you go live in a cabin somewhere and trade gold coins and shotgun shells as currency,” there’s virtually no way for consumers to avoid handing over sensitive information to a credit-reporting mega-firm such as Equifax at some point in their lives – whether starting a new business, taking out a loan for a new car, or applying as a tenant in an apartment complex.

R.I. Attorney General Peter F. Kilmartin urged Rhode Islanders to check and monitor their credit in the wake of last week’s Equifax debacle, and immediately report any suspicious transactions in addition to taking the steps advised on the Equifax website established to help consumers affected by the breach.

“This may be one of the largest, if not the largest, data breaches that has ever occurred, and consumers are right to be concerned about the potential impact,” said Kilmartin. “We always advise consumers to utilize Equifax and the other national credit-monitoring services whenever there is a data breach, which makes this breach even more troubling. Even the most hyper-vigilant consumers are now vulnerable to identity theft.”

White and other cybersecurity experts have also cautioned victims against opting into the free year of TrustedID Premier credit-monitoring Equifax has offered consumers since announcing the breach. The free service offer includes a clause precluding any consumer who agrees to the offer from participating in any class-action suit that might be brought against the company in relation to the data breach.

The TrustedID Premier offer will be self-serving in terms of the company’s bottom line as well, White said, as Equifax could profit if even a small percentage of consumers who take the offer pay to keep the service after the year of complimentary credit-monitoring expires.

“I think there needs to be more regulation about people’s data being bought and sold,” White said, “but until constituents and businesses go down there with the torches out, saying ‘the monster’s loose and we want something done,’ that’s going to be very hard to achieve.”

Galen Auer is a PBN contributing writer. Email or follow on Twitter at @PBNAuer.