BREACH - SEASON 2 - EP 6 - Life Support
ALIA: Hey Breach listeners, Alia here. Before we start this episode (the finale of Season 2) we
have a request - We want to know what data security topics matter most to you, and what
breaches you’d like to learn more about in the future. Please head over to
podcastsurvey-dot-net to take a quick, anonymous survey. (Once you’ve completed the survey
you can choose to enter for a chance to win a $100 Amazon gift card. Terms and Conditions
apply.)
Once again that’s podcastsurvey-dot-net.
And if you have your own technology questions that need answering, stick around for the
episode credits - there may be more Bob and Alia in your feed soon.
Now, onto the show.
ALIA: Amazing, okay -
BOB: Many years ago -
AVIVAH: I actually remember the first call….
ALIA: I’m Alia Tavakolian.
BOB: And I’m Bob Sullivan.
ALIA: And this is us wrapping up a conversation about the Equifax breach -
BOB: With my old friend and colleague, Avivah Litan.
ALIA: Avivah is a highly sought-after analyst in the world of data breaches, aka a badass, and
she and Bob go way back. They’ve been having debates about digital privacy and data
breaches since the beginning of data breaches. We wanted to make sure to get her take.
Since this is our last episode of Season 2, Bob - I guess it’s time for us to talk with her and wrap
this whole thing up.
BOB: Yeah I guess it is!
ALIA: Um, Avivah, is there anything left burning in your heart that you haven't said that
you feel like needs to be said on this subject?
AVIVAH: Not really. I mean I wish I had some parting words of wisdom. I guess my
parting words of cynicism is I don't think anything's gonna change in the future either.
The only thing that could potentially change the situation is a consumer backlash and
consumers are not organized to, to rebel and that's the problem because businesses
have no incentive to change the status quo.
BOB: So is privacy dead?
AVIVAH: Privacy's been dead for years and consumers need to worry about that. And
do something.
ALIA: So, I mean, if privacy is dead, who killed it?
AVIVAH: Businesses killed it by not taking good care of our data and the criminals killed
it by stealing the data. They stole it for years it’s been dead.
BOB: Is there a date in your mind?
AVIVAH: I remember thinking it was dead like back in 2004 or five and my colleagues
saying, no, it's not dead. You can't say that. But yeah, it's dead. Don't you think it's
dead?
BOB: Life support, life support.
AVIVAH: Oh, you don't think it's dead.
BOB: Don’t think it’s dead.
ALIA: You think it's hanging on by the.
BOB: I think it’s on life support.
ALIA: Welcome to our final episode of Breach Season 2: The Equifax Story. Brought to you by
Carbonite. How businesses protect their data.
Intro:
ALIA: We started this season off asking about the great murder mystery of our privacy --
It’s been a useful metaphor, because it illustrates how bad it is that Equifax lost our Social
Security Numbers and PII. They lost, forever, this vital part of our privacy and identity.
But then, as we began to dig into the Equifax story, the question of who’s responsible for the
death of our privacy has become a much more complicated one - Are the dozen other big data
breaches implicated? Was Equifax already kind of murdering our privacy before the breach, just
in a legal way? Is the government on the hook for not passing good legislation? Are we
consumers responsible for not advocating hard enough for ourselves?
The murder mystery of our privacy has turned into a hell of a WhoDunnit.
But while we’ve been standing over our data privacy, mourning its loss - what if we missed
something.
What if there’s still a heartbeat?
What if we’re in a critical moment where we can turn things one way or another: bring our
privacy back to life, or kill it for good.
BOB: Today we’re going to examine: What’s hurting? What’s helping? And what do we do
now?
ALIA: So if we start with one of the biggest things that’s potentially bringing our privacy back to
life - I think it might be: large-scale action to hold Equifax accountable.
BOB: Meet Catherine Fleming.
CATHERINE: My name is Catherine Fleming and I'm based in Seattle. I'm an attorney.
And one of my areas that I like to focus on is privacy.
ALIA: Catherine is representing clients in a class-action lawsuit against Equifax. She recently
left a larger firm to start her own practice, which gives her the ability to take on more data
privacy cases without having to justify it to partners.
BOB: Why is it hard to justify to some partners “we should take on these privacy
cases”?
CATHERINE: Because there are, there's not really very much case law and there's
whole the damages questions that we see over and over again in like, for instance,
Target and Anthem and now Equifax. There's a big question mark and the resources that
a firm has to devote as far as attorney time, paralegal time, and then the financial
resources are um significant. It's a big investment. So hopefully I-- did I answer your
question?
BOB: Um I think you're saying it's harder to make money suing people over privacy
issues.
CATHERINE: That's exactly right. And the short answer is there's not a cookie cutter
way per se
ALIA: Catherine has to consider each breach as a unique set of circumstances - this is still
largely uncharted territory. Which is exciting! There’s a new legal arena in which we might still
be able to (fingers crossed) invent consequences that protect us and our data!
But as exciting as it is - initially, Catherine didn’t jump at the opportunity to file a case against
Equifax. On the day the breach was announced, she was working and multitasking with a bunch
of monitors open - and she saw the news on CNBC.
CATHERINE: I just kind of gulped and I thought, ugh, just another horrible breach.
ALIA: And she gets a call from one of her plaintiffs from the Anthem data breach, a previous
case.
CATHERINE: And he said, did you hear about the Equifax data breach? And I said yes.
And he said, what are you going to do about it? And I said, Simon, we're still wrapping
up this other litigation and there are going to be other attorneys just jumping on this
BOB: But, he persisted -
CATHERINE: And I said, thank you. I really appreciate you thinking of me. I don't think
so.
ALIA: A few more hours go by -
CATHERINE: And then I got another call and then another call and another call -
ALIA: More potential plaintiffs, who want her to do something about this.
CATHERINE: And I said there are going to be other attorneys
ALIA: But she can’t stop thinking about it. It’s really bothering her. She brings it up to a couple of
partners -
CATHERINE: And one of the partners said it is, it's bothering me too. And then another
partner said I want to help. So I said, there we go.
ALIA: They work like crazy over the weekend, bang out a complaint, and file it on the following
Monday.
CATHERINE: My paralegal was so excited and I was like, really? This is going to be...
okay…
ALIA: Next thing she knows they hear from reporters - and they’re off!
CATHERINE: So we had a press conference. It just happened very quickly and it was
almost like I, I didn't, I felt like I just couldn't say no after a certain point.
BOB: So she went from, on Friday, thinking she didn’t have time to even look at this, to, on
Monday, filing a complaint and having a press conference. Complaints take weeks and months
and she did it over a weekend. That’s remarkable.
BOB: Can you, can you describe a plaintiff or a couple of plaintiffs for us? Like what's
the story here?
CATHERINE: Yeah yeah. The named plaintiffs are those that are in many ways
squeaky clean. So when I say squeaky clean, you know that they haven't been the
breach victims of 20 other data breaches, which is kind of bizarre as it's how, how do
you come out of this without having been a breach victim of Yahoo? I mean, some of
these never had Yahoo accounts, Target never shopped at Target, et cetera. So, in many
ways they were quote unquote perfect? Um, because it'd be more difficult for a
defendant like Equifax to say, well, wait a second, how do we know that they were,
they’re the victim of ID theft.
ALIA: So the named plaintiffs she works with are those who, somehow, don’t have ties to those
other breaches. So they can isolate Equifax as the variable in these people’s lives.
Secondly - her plaintiffs are those for whom -
CATHERINE: There is demonstrable harm.
ALIA: “Harm” is exactly what it sounds like. And also - way more complicated than that. To
prove there’s been harm, Catherine has to show that her clients have experienced injury, loss,
or damage in some way - for example, Catherine represents a woman who had her identity
stolen 15 times in two to three weeks -
CATHERINE: And it all very coincidentally or not so coincidentally, was timed near the
announcement right after the Equifax breach.
BOB: One of the things you hear again and again with the Equifax breach is “Oh well you know
nothing bad’s come of it”, some have said there’s been no proof of identity theft from Equifax --
but Catherine has heard from a lot of people with stories to the contrary. Anecdotes like -
CATHERINE: A car was rented across the country - in a state where they never set foot
and was never returned in their name. Um someone got a small business loan in their
name -- multiple credit cards, stayed in Vegas and ran up a huge bill and now the hotel is
asking me to pay. That type of thing.
ALIA: Of all those examples of “harm” from the Equifax breach, one of Catherine’s clients stood
out to me. At the time of the breach, she was in the state equivalent of the witness protection
program.
CATHERINE: And so when you seek that type of protection, there's very, very important
safety reasons, life and safety reasons why you want that protected, that information
protected.
ALIA: So this woman alleges that because her private information was breached, and in the
wrong hands, she had to move.
CATHERINE: She was very concerned about her young son. I want to say he was
around 9 or 10 at that time. His life was also gravely at risk. And so that was probably
one that really caught my attention because it was such an interesting set of facts and,
and so devastating to her and she was frantic.
BOB: How awful. You’re in witness protection program and suddenly Equifax loses your data.
Dear God.
ALIA: Right.
BOB: This is the unique challenge for data privacy cases like this - proving harm. You don’t
show up to court in a neck brace to prove your injury.
CATHERINE: That's the question that would come up in those meetings, at the tables
with a partner saying, look, and they would say, well, what's, how are you going to argue
damages? How are you, what's the harm and how are you going to get paid? How are
we going to get paid?
BOB: And if you’re Catherine, you have to show harm to a variety of different judges with
different viewpoints in different regions.
CATHERINE: The decisions vary across the country in different jurisdictions.
BOB: Harm can be seen as one thing in Washington DC and another thing entirely in California
which has far more progressive data protection laws.
CATHERINE: Harm is in the eye of the beholder. And in the court’s eye it just, it varies.
ALIA: In the case of the woman in that protection program, her life was turned upside down
when her PII was leaked - she had to relocate immediately because of the Equifax breach, and
incurred a ton of expenses. Well they can itemize each of those expenses!
CATHERINE: It sounds really kind of gross in certain ways, but you have to attach a
dollar to each of that. So harm in something like that would be perhaps easier to kind of
articulate to the court.
ALIA: It doesn’t sound gross to me - Equifax lost valuable information. Like Social Security
numbers (which is what most freaked me out), but there are real, serious reasons other people
need Equifax to not lose their addresses, names, emails, passport photos. I think Equifax
should totally pay for that. But Catherine has to convince a judge.
CATHERINE: In December, there was, oral arguments in front of the honorable Judge
Thrash in the Northern District of Georgia. Several months before then, Equifax filed a
motion to dismiss, saying, alleging that there was no harm. Their defense is, no harm will
come of this. We breached no duty, um, we had no duty to protect consumers’ sensitive
information. That is, that is what their line is. And yes.
ALIA: <<sighs>>
CATHERINE: So. Big sigh, I know. And disgust. Sigh of disgust. Yeah.
ALIA: I just don't understand that.
BOB: I just want to make sure I heard that correctly.
CATHERINE: Mhmm
BOB: Part of their legal argument is we had no duty to protect this data.
CATHERINE: Yes. I am not misstating that.
ALIA: Quote “The Plaintiffs allege that Equifax owed a duty to the Plaintiffs to quote ‘exercise
reasonable care in obtaining, retaining, securing, safeguarding, deleting and protecting their
Personal Information . . .’ The Defendants contend that they were under no duty of care toward the Plaintiffs.”
CATHERINE: My paralegal um laughed and had to point that out to me a couple of
times and I said, yes, I know that is what they're going to say.
BOB: What did you think when you read that?
CATHERINE: Um not to be an attorney, but what did you think? What would anyone
think?
BOB: Uh First of all, I'm not surprised
CATHERINE: Yeah
BOB: Because I've heard that before. Just fact, despite the fact that I've heard it before,
my blood is literally boil-- boiling, hearing it so, so boiling I can't say boiling, I mean, um,
they just treat people like meat.
CATHERINE: Mhmm
BOB: And you know, at, at a time like this, um, you know, when they're just caught with
their pants down.
CATHERINE: Mhmm
BOB: To not have any sort of common decency about it is remarkable.
ALIA: We asked Catherine to weigh in on the murder mystery of our privacy - was Equifax the
murderer? Was privacy dead?
CATHERINE: I think that they're complicit in the death of a data privacy. I think there are
many, many co-defendants in the death of privacy, um but they are just a wonderful
example of how data privacy is getting killed over and over again in our country.
BOB: This is where I began to realize that the assumption that our privacy was murdered, now
that our Social Security number and personal identifiable information was out there in the world
- well - it’s a flawed one. You know who argues “Well it’s dead” - a company like Equifax. If our
privacy is dead from all these breaches, they could try and convince people they’re off the hook.
BOB: Don't surrender, right? Like privacy isn’t dead. It might be on life support, but it's
not dead.
CATHERINE: I like that Bob. I like that a lot because I have to. I mean that's the whole
reason why I want to litigate and be a data privacy attorney because I want to fight for,
for people to realize and for legislators and everyone to realize that data privacy is a
basic right, that we need to hold onto - it is our life.
ALIA: And now it’s time to take a Brain Break. When we get back we’ll get into nation-states,
another round of hearings grilling the current Equifax CEO, and reasonable hopes. But first -
let’s hear our final installment of our Great Quest to Find Every Specialty Credit Report that
Exists on My Friend Scott.
KELLY: Kelly here. After looking through Scott’s specialty credit reports and finding some
glaring errors like, you know, a *felony he didn’t commit*. I knew it was time to call in the big
guns to figure out how to get this report fixed. So we called our credit lawyer/knight in shining
armor Joel Winston:
KELLY: Hey Joel, this is Kelly
SCOTT: And Scott
KELLY: As a reminder: We sent out 45 requests to Specialty Credit Reporting Agencies. We
got 30 responses, though some of them were blank forms. The other 15 Agencies just didn’t
respond! There are a lot of people in the world who are allowed to ghost you - these guys legally
can’t.
JOEL: Yeah. I would like to help Scott follow up because these companies are breaking
the law.
KELLY: Joel reassured us that we used the most updated addresses possible given by the
Consumer Financial Protection Bureau. Even still we got a few return-to-sender, “unable to
forward”, “no longer here” responses, so apparently it’s not always up-to-date -
JOEL: I would like to say that this is a joke, but it's so much worse than that. This is an
injustice. This is so unfair...
KELLY: This is such a problem that Joel has to keep his own running list of agencies and
addresses -
JOEL: Um and the list that I have, of specialty credit reporting agencies is longer than
the Consumer Financial Protection Bureau lists. And it should not be that way.
KELLY: While we may not be able to fix that part of the broken credit system today, hopefully
we can fix one glaring error: Scott’s felony.
SCOTT: So Joel, what can I do to dispute this glaringly incorrect information that's on
these reports?
JOEL: That's a great question. So we will send in a letter that disputes this information
that instructs the Specialty Credit Reporting Agency that the information that you've
discovered in your report, is the result of fraud or of inaccurate information and that you
demand that they conduct an investigation into this information in order to confirm it.
They will have 35 days, which they will need to contact the furnisher to investigate and to
verify the information.
KELLY: Joel asked us to look at the report to see if it listed the furnisher, you know the
company that provided the felony information - but unfortunately —
SCOTT: And I would actually have to like call them or get another copy cause I have
shredded those things.
KELLY: Big yikes.
SCOTT: Having listened to breach and listening to the first couple episodes multiple
times already, I just was like, I need this to be gone.
JOEL: Yeah. Yeah. And your, and your response is reasonable. It's not, it's not
unreasonable to look at these things and realize the treasure trove of what it is.
KELLY: But it's not gone when you shred it. It's still out there. It's just not physically in
your hands anymore.
KELLY: Luckily we can still dispute this random felony on one of Scott’s reports even though he
shredded it. We’ll just have to ask for a new one.
JOEL: If they said, well, you've already gotten your free one, then you have to pay $13
to get a copy of your report again.
KELLY: They had to give us that first report for free under the FCRA, which is our federal right.
Though it’s a limited one.
JOEL: You have no privacy. This law doesn't give you more privacy. It gives you access
to the information that's already been collected and sold about you.
But using this one federal Fair Credit Reporting Act as a sword. You can go in and demand
your report and demand that it be fixed.
KELLY: In other words: We only have the legal right to look at our private data being collected
by others. We don’t yet have the legal right to stop them from collecting it or selling it. Which
made me wonder; what did Joel think about the great murder mystery of our privacy -
JOEL: So I have to give a really lawyerly answer and wonder if the body existed at all.
There's no constitutional right to privacy.
KELLY: We started this experiment wanting to understand the sheer scale of the specialty
credit reporting industry. To request *all* the reports that exist on one person, so they could
Scrooge McDuck dive into the whole pile. Instead, we handed someone *30* of their specialty
credit reports and freaked them out so much they went and panic-shredded all of them.
But hopefully, with Joel’s help, we’ll dispute the felony on Scott’s record and right at least one
wrong.
SCOTT: Yeah. I think I'm going to go through this process every year. I think what's
invaluable is one, knowing what's incorrect that's out there about you and number two,
getting ahead of it before you come up on the life event where you need this information
or where it does affect you.
JOEL: The privacy that you have is the privacy you create. So everybody is now the
chief privacy officer of their own life. And if you don't enforce the privacy of your life, you
have none.
KELLY: Thank you for listening to these brain breaks, and thanks to the folks at Carbonite for
sponsoring Breach, these are way more interesting than ads. If you’d like to learn more about
how to get your reports and to dispute possible inaccuracies, Joel’s website has made it easy
for you to do so. See our show notes for the links.
ALIA: We’re back. I’m Alia Tavakolian.
BOB: I’m Bob Sullivan.
ALIA: We left off with lawyer Catherine Fleming, whose work on a large class-action lawsuit
seeks to prove that Equifax has in fact harmed people, and that they owe us something.
BOB: Catherine definitely has more optimism. Let’s check in with my colleague Avivah (who we
heard in the intro) she had a slightly more cynical take on privacy, and a different perspective on
where the danger is in the Equifax breach.
AVIVAH: My name's Avivah Litan. I'm a research analyst at Gartner.
ALIA: Along with a lot of other stuff, Gartner is a respected technology consulting firm.
BOB: Avivah is a world famous analyst and probably the most quoted cyber security analyst in
the world. If you google any news story about any breach, from the beginning of time in internet
world, she’s quoted in it. So she’s the authority.
ALIA: Unlike Catherine, Avivah is less focused on individual harm, like identity theft, as a result
of the Equifax breach.
AVIVAH: And actually the truth is most consumers don't see the results of the stolen
data. Like how many people do know they've had their identity stolen or credit card,
maybe credit card, but you just get another credit card. My theory on where the data is
going, and it's not a theory, It is being used by nation state adversaries to target our
population and that's been going on for years. We've been talking about it for years.
BOB: If we’re considering all the threats to our barely-hanging-on data privacy, Avivah zooms
out and asks us to think about the role of nation-states.
ALIA: So what I guess what I'm hearing from you then Avivah is that we're not really
afraid of the right things.
AVIVAH: We don't understand what's happening to our stolen data.
ALIA: So what is happening to our stolen data?
AVIVAH: Well I can't say with 100 percent authority, but I can say with 98 percent
authority that it's being assembled into data warehouses on the population and that's
being used by all kinds of people. So when the data is stolen, it gets resold to anyone
who wants to buy it. Sometimes that's a nation state. Sometimes that's a cyber criminal
that just wants to commit credit card fraud.
ALIA: I’ve been picturing the latter - some cyber criminal with my Equifax data, a single person
stealing a single identity. But Avivah’s point is there are far larger, organized groups at work
here.
AVIVAH: So the bottom line, these attacks are ongoing all the time, right? And the
infrastructure that's running these attacks are controlled by probably less than 10 big
gangs.
ALIA: And these gangs can be working with nation-states. The ties connecting them are hard to
determine, and are intentionally left loose - but nation-states often work together with organized
cyber-criminals, just like we saw with the Russian FSB in the Yahoo breach last season.
AVIVAH: But how do nation states use the data? They build maps of the populations.
ALIA: One use case for your stolen Equifax data in the hands of a nation-state is getting as
much info on as many people as possible, create a vivid map of the population in order to
cherry-pick out the few people who have access to what they want.
AVIVAH: So let's say they're targeting Bob because he's a defense contractor and he's
got the goods on the F16 fighter jet.
ALIA: Or it’s less specific than that -
AVIVAH: Other use cases is they’ll slice and dice by demographics.
ALIA: They wouldn’t be targeting a specific person (Bob the defense contractor), instead all our
Equifax data would be aggregated into their comprehensive databases on the US population - in
order to continue sophisticated fake-news campaigns like we saw with Russia meddling in the
2016 election.
AVIVAH: But the Equifax data is just one piece of the puzzle
ALIA: Whatever this data is being used for, Avivah argues, it’s part of something much bigger
than just trying to steal your credit card.
AVIVAH: And if they really wanted that Equifax data to take out new loans, we would
have heard about that. And that's what we have to think to ourselves. They're not
stealing this data for fun. They've got intention and they're putting it to use and it's not
identity theft. It may be a part, but it's not the major goal.
BOB: So the good news is: your most valuable data might not be used specifically to steal your
identity. It might be used to access the identity of someone with important US military secrets.
Or it might be used to destroy democracy and/or our country. That’s the good news.
ALIA: This is really scary. Like I know we did Yahoo in season one, which was tied to Russia, and
then we covered election hacking which is also tied to Russia. But nation-states having our data
freaks me out all over again!
So my Equifax data might be in the hands of a nation-state, who might not be interested in me,
but have a specific far-reaching purpose for it.
But, as we learned with the Yahoo breach, once they’re done with that data for their purposes,
they might just dump it on the dark web anyway, for everyone else who wants to steal my
identity. So it’s like six terrifying things, or a half dozen other terrifying things.
BOB: Whatever the intention of a nation-state, or criminal hacking ring, the system is broken.
Our data is out there to be used at someone else’s discretion. The best thing we can do as a
country is start over - from scratch! Render that data useless.
ALIA: Not surprisingly, in the weeks after the Equifax breach, many voices chimed in that we
need to replace our Social Security numbers entirely. Rep. Patrick McHenry introduced a bill
that would require credit reporting agencies to phase out their use of Social Security numbers
altogether by 2020.
Rob Joyce, who was the White House cybersecurity coordinator for President Trump at the time
of the breach, called upon technology to fix this Social Security number problem at a summit
shortly after the Equifax breach.
ROB: Yeah, I feel very strongly that the SSNs outlived its usefulness. Um, It’s a flawed
system.
ALIA: He floats the idea of a “public-private” cryptographic key. Something you can use publicly
but not necessarily put your private information at risk.
ROB: Something that can be revoked if it’s put in--uh if it’s known to be compromised.
Right? How many people here today have changed your Social Security numbers
knowing that the Equifax breach happened? Nobody. Nobody. So it’s a flawed system
that we can’t rollback that risk after we know we had a compromise.
ALIA: Other suggestions that have been proposed to replace our Social Security numbers -
Biometrics - we’re already getting used to our thumbs and now our faces unlocking our phones,
could they be our unique identifiers? (Though that would mean giving up our fingerprints to the
government) Blockchain comes up a lot. (But some say that tech is not yet mature enough).
Others have suggested a national ID with a smart chip (although Americans aren’t generally
keen on national IDs.) Equifax itself has partnered with several coalitions leading the way in
replacing Social Security numbers, I guess it’s in their best interest too to make them less
valuable to steal. They’re working with The Better Identity Coalition, and Equifax’s new Chief
Information Security Officer Jamil Farshchi announced a partnership called ATLAS (Atlanta for
the Advancement of Security) that will use tech to address things like better identification. These
groups all acknowledge - there’s a lot of work to do before a new authenticator replaces the
SSN. One attendee at a committee hearing for better ideas than SSNs even suggested: printing
a phone book with every American’s name and SSN in it, just to force the marketplace to
instantaneously acknowledge: These numbers aren’t secrets. These numbers aren’t
authenticators. So then we’d *have* to move on.
Short of that, it’s going to take some time.
But at least now, a year and a half since the Equifax breach, credit data security is back on
legislators’ minds.
BOB: There were two hearings, one in the House and one in the Senate, in February and
March of 2019, and in the Senate there was also an accompanying report where investigators
got into some, even more details. They peeled back the onion just a little bit more on what
happened at Equifax. Including this new piece, where the investigators found that instant
message style communication among employees in real time during the hack had been deleted,
never to be found. So, ultimately, the report concludes that the American public might never
really know what happened inside Equifax. Also in that report, the subcommittee asked security
executives at Equifax to assign a grade for Equifax’s security protocols, and for how Equifax
performed during the March 2017 Apache Struts incident. And the answers will probably
surprise you. One executive indicated, better policies and procedures probably could have
helped prevent the cyber security breach. Their grade? Quote “A B, because nothing is an A in
security.” In other words, the top grade. I’ve heard of grading on a curve, but giving Equifax the
top grade for how it performed in this hack? That just seems so out of touch.
Another executive admitted he’s a quote “hard grader.” Before the breach, he would give
Equifax a C, especially on the Apache issue, and after the breach, he’d still say a C because
they were quote “still getting there” on the remediation side. One executive wouldn’t give a
grade. But unprompted, made sure to point out that he’s met with representatives from
numerous other companies since the breach who told him a variation of quote “well it could
have been us as well.” Ok, sure. Every company knows, yes we could be hacked, and they
never want to dance on someone’s grave. But sure everyone can be hacked, not everyone has
expired security certificates for 19 months that are supposed to be protecting their data.
There was also a hearing of the House Financial Services Committee on Feb 26th, 2019. It
wasn’t specifically Breach related, but more broadly about Credit Reporting Agencies on the
whole - all the Big 3 were there, Experian, TransUnion, and Equifax. And I was there too, sitting
in the gallery. This time, instead of retired CEO Rick Smith, they had the current and real CEO
Mark Begor at the witness table. Which really means this was the first time Equifax had to
answer for itself before Congress.
Rep. Katie Porter used her time to question Begor personally:
KATIE: My question for you is um whether you would be willing to share today, um, your
social security, your birth date, and your address. At this public hearing.
MARK: Uh, uh, I would be a bit uncomfortable doing that, Congresswoman. Uh, if you’d
so oblige me, I’d prefer not to.
KATIE: Okay. Could I ask you why you’re unwilling?
MARK: Well that’s sensitive information. I think it’s sensitive information that uh, I I like
to protect, um, and I think consumers should protect theirs.
KATIE: If that sensitive information were provided at this public hearing, what, what are
you concerned about could happen?
MARK: I think like every American, Congressman, uh congresswoman, my apologies,
um, congresswoman, uh you know, I’d be concerned about identity theft. I’m actually a
victim of identity theft. I think like all Americans we’re concerned about that.
KATIE: Okay. So my question then is, if you agree that exposing um, this kind of
information, information like that that you have in your credit reports, creates harm,
therefore you’re unwilling to share it, why are your lawyers arguing in federal court that
there was no injury and no harm created by your data breach?
MARK: Congresswoman, uh, it’s really hard for me to comment on what our lawyers are
doing-
KATIE: Well sir, respectfully, excuse me, but you do employ those lawyers. And you,
you, they do operate at your direction. They’re your counsel, and they are making these
arguments in court. Arguing on the record, I have the pleadings here from the court
case. They are arguing on the record that there was no--that this case should be
dismissed because there is no injury and no harm created by the disclosure of people’s
personal credit information. And yet, I understand you, as I would, to believe that that
information, that the exposure of that information--I asked if you would give it to the
committee and you understandably said no--would in fact create a harm. So I guess I
would ask you to please look carefully at what your lawyers are doing, um and the
arguments that they are making because I feel that they’re inconsistent with some of the
helpful testimony you’ve provided today.
BOB: That was an excellent use of 5 minutes of questioning in Congress. And it was a moment
in the room. You could hear a pin drop. But, I was talking to Ed Mierzwinski that day, he also
testified. He’s a consumer advocate, works for Public Interest Research Group. Ed talked about
the fact that he’s testified over and over, maybe a dozen times before Congressional
committees on this. Over the course of ten, fifteen years, and we’ve had these moments before
that make for good TV, but do they really roll up into something meaningful? That’s the hope.
ALIA: One real form of accountability that exists right now, that can give us hope for our data
privacy, is GDPR.
BOB: And this is a big hope actually.
ALIA: GDPR is the General Data Protection Regulation, it’s a European law that took effect in
2018 that gives a whole bunch of rights to consumers as to how companies use their data and it
applies to any company doing business with the EU, including American companies.
BOB: What we see now, the conversation has really turned and it’s because of these enormous
fines that European countries can levy against companies. And what’s important about the fines
is that they’re not really dollar figures, they’re percentages. So, up to 4% of annual global
revenues, however big a company is, however much money it throws off, it has to pay attention
to a fine like that. And I really do think GDPR has changed the conversation - I don’t think it’s
protected our privacy yet, but at least now everybody’s talking about it, and that’s certainly a
move in the right direction.
ALIA: As for meaningful legislation and accountability in the U.S.-
CATHERINE: One would hope that everyone, regardless of whether you're Republican,
Independent or Democrat, realize that this is just not right. That we need to do
something and hold, to hold companies accountable. Um, that's, that's the hope.
ALIA: I hope that I continually wonder though, like, like what is it going to take if not
Equifax?
CATHERINE: Mhmm
ALIA: It has been over a year now.
CATHERINE: Mhmm
ALIA: I mean if not something like Equifax then what, like what will it take to get us some
decent legislation that will actually protect consumers?
CATHERINE: So I wasn't old enough to um remember all the details, but I went back
and looked at what happened during the Bork hearings
ALIA: The Bork hearings came up in our conversation with Father-of-Privacy-Law Daniel
Solove, who we interviewed in Episode 2, they led to one of the earliest examples of data
privacy legislation -
BOB: Yeah, the Video Privacy Protection Act was a bill passed by Congress in 1988 and
signed into law by President Ronald Reagan.
DANIEL: But the Video Privacy Protection Act was a response to journalists that tried to
obtain video records of Supreme Court nominee, Robert Bork. And they were looking to
see, you know, did he watch any naughty movies? So they tried to obtain these records
and this sparked outrage at Congress.
ALIA: And why would this privacy law get passed while others didn’t?
DANIEL: My cynical view of Congress is that they often think mainly about themselves.
Uh, and so I think a lot of them thought like, oh my gosh, really the privacy of all the
naughty movies that they're watching could be compromised quickly pass a law and stop
that.
ALIA: Congress worked quickly, and got their act together: the bill was introduced in Spring of
'88 and was a law by November of that year.
DANIEL: Yeah, very fast. You know, what is in the id of the various members of
Congress and then what do they most want to do for themselves? And that's what they
typically pass the fastest.
CATHERINE: My hope and I think our collective hope is that so many legislators even if
they love Equifax, the Equifax CEO and love Experian and TransUnion, etc. But
something so horrible happens to them or or their daughter or their wife that they'll say,
you know what? This is not good enough. It doesn't matter if I was just given countless
amounts of money from X, Y, and Z companies. I need to do something.
ALIA: So you're saying that legislators need, need um a personal incentive to sort of get
mad?
CATHERINE: Yeah, I feel, they're human too. They need it to be personal to them too.
And you know, I think about that famous elevator scene right before the Kavanaugh um
hearing where, um, I'm blanking on his name. I can picture him the Arizona
ALIA: Yep. Yep.
CATHERINE: Senator Jeff…
BOB: Jeff Flake
CATHERINE: Jeff, thank you. Jeff Flake and where there were people screaming and
crying and there just needs to be enough lawmakers with consciences that when they're
faced with these string of stories and, maybe some of them are closer to their homes,
their families. So I feel like there's just got to be enough momentum, but I mean we all
know the power of the tech lobby and the money that they spend in Washington DC, um,
so that's, that's a big uphill battle.
Reasonable hope?
BOB: What about the victims, what's the best case scenario for them?
CATHERINE: That's such a great question because the sad fact is they are going to
have to live with the danger, the prospect of ongoing uh misuse, because their most
personal information is out there and that's not gonna change. The best case scenario is
if we switch our system, switch and do not rely on Social Security numbers - we start
from scratch um and that a lot of the collected information that's now on the dark web is,
is not as valuable and useful. I guess, I mean I want to ask you I ask questions all day
long and I'm not used to having people ask me questions like this, but what I mean really
what, do you hope for as far as the future of data privacy? And I'm not talking about this
Pollyanna type of -- what do you think is realistic as far as what we can do for data
privacy? I really want to know.
BOB: It was striking me as you were talking that you know class actions are supposed
to somehow make you whole from what you lost. Right? But the actual remedy you
described, which I agree with, which is doing something so that this data is no longer
useful to bad guys, is something that you can't obtain in the lawsuit because it involves
other people who aren't party to the lawsuit. Right.
CATHERINE: That’s right.
BOB: It's a system that has to change. So that is, that’s why it's such a thicket.
ALIA: I don't know if this is a reasonable hope, but I think my reasonable hope is that
there will be some kind of legislation that protects consumers because I feel so
unprotected right now as a consumer.
ALIA: I’m in an interesting place where I’m trapped between feeling fatalistic -
AVIVAH: Consumers should be rebelling, but I don’t think they know how
ALIA: And scared -
DANIEL: We’re in a position where we’re going to have to be looking over our
shoulders for the rest of our lives.
ALIA: And outraged -
MIKE: And over a year later, they still haven’t been held accountable.
ALIA: And also ready to take action -
JESSAMYN: I, I want to do something about it.
ALIA: And proud and hopeful that there are people working to create accountability for Equifax.
CATHERINE: Data privacy is a basic right, it is our life.
BOB: See, this is why it’s so dangerous to think that our privacy is dead. There are a lot of
forces in the world that want us to think that. If our privacy is dead, there’s nothing we can do.
There’s nothing to worry about. It’s also this fatalistic notion like all our rivers are polluted so why
should we bother regulating companies anyway? Let’s just make a bunch of money. All our
data’s already out there, so why should we bother worrying about this? We can’t do anything,
your privacy is dead, get over it. It’s not true. That’s what they want us to think, but it’s such a
dangerous thought because privacy, privacy is intensely human. Privacy is what protects our
humanity. If you think about the most intimate moments that you have in your life, and this is
true in every culture and every time, you have them privately. You go off by yourselves. But
even among friends--you think about these circles that you live in, these concentric circles--your
closest friends are in a tiny circle, and then your acquaintances, and outside of them are your
coworkers, and then maybe people you only see a couple of times a week or people you see
once in your lifetime. If we can’t control the size of those circles and who gets in them and who
gets blocked out of them, we lose something absolutely essential to our humanity. So: privacy
might be really ill, we might have to give it some kind of extreme treatment, it needs CPR it
needs chemotherapy it needs something, but if we give up on the idea, I think we give up on a
very sense of humanity.
AVIVAH: But how can you say it's not dead if all your data's out there? I guess if we. We
have a different, um, interpretation of what data privacy means. To me, what it means is
that no one has my data except people that really protect it and they consent with me.
They, they consult with me before they share it. That's not been the case for many
years. That's what data privacy means to me.
BOB: Was that ever the case?
AVIVAH: Well, it wasn't as noticeable until everything became so automated and
electronic, but
BOB: I'm sitting here thinking from the invention of data itself
AVIVAH: Yeah.
BOB: Companies have taken it and done things with it that you didn’t know about.
AVIVAH: That's true. Data, there has never been data privacy in that sense.
So to me, what's your definition of. Why do you say it's on life support?
BOB: Because I imagine a situation where I, I get to decide who has it, when they have
it and what they do with it.
ALIA: You get to get, it’s like consent.
BOB: Yeah.
AVIVAH: But you don't. You have no say over your Equifax data.
BOB: Well today, no, today I don't, but I can imagine a world where I do.
AVIVAH: Yeah.
BOB: Like, you're describing it, actually.
AVIVAH: Oh it's dead temporarily.
BOB: Well.
AVIVAH: I don't think it’s dead permanently. Oh.
BOB: I like to think of something being- can we agree it’s in a coma, then?
AVIVAH: Okay.
ALIA: Is it a vampire?
AVIVAH: I think data. No, to me data privacy is dead but. All right. I'm sorry. Data
privacy died but it can be reborn. You're saying it could never be reborn. I think it died
and it can be reborn.
CREDITS:
Breach is a branded podcast brought to you by Carbonite in partnership with Midroll and Spoke
Media. You can find transcripts and show notes at carbonite.com/breach.
Make sure you stay subscribed to Breach - in a few weeks Bob and I have a surprise coming
your way on this feed! When we’re not thinking about breaches, we’re considering data-security
questions that affect you.
But in the meantime, if you’re craving more (terrifyingly interesting) breach stories - check out
Season 1, the Yahoo! Breach. It’s got Russian spies, you won’t be disappointed.
A correction from last week’s episode, the person who dressed as Monopoly Man/Mr.
Moneybags at Rick Smith’s committee hearings is named Ian Madrigal, and more of their work
can be found at @iansmadrig.
If Cyber Security reporting were transforming the lives of others via heart-warming makeover
like the Fab 5, Bob Sullivan would be a Bobby-Karamo hybrid, and I hope I would be Jonathan
Van Ness.
Whether you’ve figured out how to wear a French tuck, or not -- we’d love to learn more about
you, our Breach listener! And we’d especially like to know what you want to hear about on future
seasons of Breach.
If you haven’t already - please go to podcastsurvey-dot-net to take a quick, anonymous survey
that will help us understand what data security topics matter to you.
Once you’ve completed the survey you can choose to enter for a chance to win a $100 Amazon
gift card. Terms and Conditions apply.
Once again that’s podcastsurvey-dot-net.
Our show is executive produced by me Alia Tavakolian -
and produced and written by Janielle Kastner aka “Producer Jan”.
With Associate Producer Caroline Hamilton, and Production Assistant Kelly Kolff.
Research by Haley Nelson.
When Bob and I are in the studio we’re recorded by Casey Holford and Jared O’Connell.
Today’s episode was mixed and sound designed by Evan Arnett.
The songs you hear come from APM Music and FirstCom.
Our head of post production is Will Short.
Production help this season came from the Spoke team: Reyes Mendoza, Cody Hofmockel,
Tommy Staley, Jenna Hannum, Carson McCain, Isaac Young, and Collyer Spreen. Thanks so
much you guys, you’re the best.
Our executive producer is Keith Reynolds, whose happy heart went beep beep beep all of
Season 2.
Special thanks to the folks you heard today: Catherine Fleming; Avivah Litan, and Daniel
Solove.
And thanks to our valiant Credit Report Volunteer: Scott Mosher, and Joel Winston, the Military
Advisor to our Credit Report battle.
And a special thank you to Carbonite, for having us back for Season 2, and backing us up
creatively, and backing up our data - literally. This has been a wonderful adventure, and we’re
truly grateful.
Thank you for listening.