Posts Tagged ‘infosec’

The merits of the credit freeze

On Monday, I wrote about my favorite source for InfoSec and Equifax breach-related news. Today, I wanted to add some important follow-up based on yesterday’s testimony.

Brian Krebs, my favored InfoSec resource, strongly recommends individual citizens pursue a legal credit freeze over a contractual credit lock. While a credit freeze might cost you a few dollars (depending on which state you’re in), it also affords you–the individual citizen–much more robust protection than does a credit lock.

Why? Krebs quickly gets to the heart of it:

Lawmakers on today’s panel seemed content with Smith’s answer that [a credit freeze and a credit lock] were effectively the same, only that a freeze was more cumbersome and costly, whereas credit locks were free and far more consumer-friendly.

It’s not only Krebs refuting this. He explains that Consumers Union staff attorney Christina Tetreault

notes that perhaps the main reason a security freeze is the better option is that its promise to guard your credit accounts is guaranteed by law, whereas a credit lock is simply an agreement between you and the credit monitoring company.

Krebs concludes:

What’s more, placing a freeze on your file is exactly what Equifax and the other bureaus do not want you to do, because it prevents them from making money by selling your credit file to banks and others (including ID thieves) who wish to grant new lines of credit in your name. If that’s not the best reason for opting for a freeze, I don’t know what is.

On a related note, now … retired … Equifax CEO Richard Smith made clear that “the company’s customers are in fact banks and other businesses – not consumers.” With credit bureau profits deriving from companies, not individual citizens, the bureaus have very little incentive to protect individual citizens’ data. This mindset shows in Smith’s testimony.

Once upon a time, I believed it was unequivocally good that tablet computers and EpiPens (for example) were made more widely available in schools. While there are indubitably some benefits, I now understand that improving citizens’ lives was not the corporate inspiration for such moves. Rather, that inspiration is in their profit margins.

Individual citizens can only pay pennies compared to what governmental customers can.

Recall from my last post my note on how “deregulation” is really re-regulation. Basically, when corporations lobby for “deregulation,” they invoke the idea of “free markets” while (1) transferring the costs of so-called market freedom to individual citizens and (2) reaping ample profits from the transfer.* As Kate Raworth succinctly put it, “financial deregulation actually just shifts the costs and benefits of financial crisis onto a different group of people.” Namely, you and me.

Doesn’t feel very “free,” does it? It sure doesn’t to me. This is why it’s so important to understand the difference between a credit freeze and a credit lock, and to show your legislators you both know the difference and expect them to favor your protections over corporate ones in the future.

* If you’d like to read an excellent explanation on the merger between corporation and U.S. government, check out Sheldon S. Wolin’s 2008 book Democracy Incorporated: Managed Democracy and the Specter of Inverted Totalitarianism.

What’s a citizen to do about Equifax?

My professional career has revolved around software contracts. Initially, I negotiated and managed them; now I reference them heavily while performing a different kind of work. Throughout, I’ve been especially interested in terms related to Information Security (“InfoSec”).

Some software publishers offer customers fairly robust InfoSec protections. I generally felt pretty good about companies (1) whose starting positions guaranteed specific measures to ensure protection of customer data and (2) who promised some kind of compensation if customer data became available because of the publisher’s software and/or hardware offerings. Such software publishers had “skin in the game,” or incentive to really ensure their customers’ data was protected. Why would they be lax when they’d experience specific, sometimes severe consequences for breach resulting from failure to do so?

On the other end of the spectrum were publishers who offered vague assurances with no guaranteed compensation for any breach. This was the opposite of having skin in the game: “We’ll totally check our software once every other year for major flaws and give commercially reasonable efforts to fix them. If there’s a breach that reveals bunches of your data, we’ll send you cake.” I was much more concerned with these publishers, whose lackadaisical approach to InfoSec practically screamed, “We care more about the money you’re required to give us than your ability to stay afloat!”

This all left me with a keen interest in InfoSec, especially when I saw how much less care companies give individual citizens* compared to paying corporate customers. If corporate customers at the very least got a cake, individual citizens got … nothing. Giving more than nothing would cut into profit margins!

I’ve subscribed and unsubscribed to bunches of InfoSec newsletters over the years. The only one I continue to follow now is KrebsOnSecurity.com. Brian Krebs’s coverage of the Equifax breach is a perfect example of why. He critically analyzes the breach and presents it in language even distant non-experts can follow. More importantly, he lets individual citizens know what they can do to limit their exposure.

If you’re concerned about what to do following the Equifax breach of 143 Americans’ credit data, Brian’s “The Equifax Breach: What You Should Know” is a great place to start. If you’d like more excellent analysis of the breach, I’d suggest “Here’s What to Ask the Former Equifax CEO.” His proposed questions for U.S. legislators to ask reveal a great deal about companies that give prominent indications they care much, much less about citizen data protection concerns than for whatever revenue they can milk from citizens. If protecting citizen data costs money (uuuuugh, maintaining software and hardware is expensive!), they’ll cut corners and hope for the best.

As individual citizens, we don’t have the financial leverage to demand better protections the way individual corporate customers can. This means that it’s critical for individuals to (1) find and use those protective measures that are available to individuals (thanks for highlighting them, Brian!) and (2) consider how re-regulation** impacts citizens’ ability to collectively mitigate citizen costs created when some corporate entities treat InfoSec not as a valuable investment in citizen well being but a drain on profits.

Otherwise? It’s important to remember: Unlike corporate customers, we individuals won’t even get a cake. 

* I originally typed “consumer,” so prevalent is such phrasing in reporting, but I reject that. We individuals are far more than consumers. We are citizens, and are far more valuable than the dollars we spend.

** There is no such thing as deregulation, only re-regulation. Changes to regulation typically called “deregulation” aren’t neutral but heavily lobbied for by specific corporate beneficiaries. As Kate Raworth puts it here,

There’s always going to be regulation shaping what can and can’t be done, you’re just shifting the regulatory space. You ask how are those shifts benefiting, or how are the costs and benefits of that shifting re-regulation falling on other people? So financial deregulation actually just shifts the costs and benefits of financial crisis onto a different group of people.