Equifax Saga Highlights Cybersecurity Forum

The “Equifax Saga and Ramifications” and “The Mobile Lemon” (addressing smartphone app security and usability paradoxes), among other topics, highlighted the recent Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective. The University of Maryland’s School of Public Policy and Robert H. Smith School of Business hosted the event on Jan. 10, 2018 in Van Munching Hall.

“I’m probably preaching to the choir by saying this: What keeps most executives and policymakers awake at night is the extreme vulnerability to digital technologies,” said Ritu Agarwal, the Smith School’s Senior Associate Dean for Research and Robert H. Smith Dean’s Chair of Information Systems, in opening comments to about 60 scholars and practitioners in such fields as law, public policy, information security, computer science and economics.

“Cyber risk is like a multi-headed hydra, and to truly tackle this, we need a lot of smart people working on it – and not from a single discipline, she said. “Cybersecurity is not an academic pursuit. It’s a pursuit existing at the nexus of practice, policy and research. And it’s also noteworthy that there are people in this room representing all of these three areas.”

One of the experts, Rebecca Mercuri founder and CEO of Notable Software, Inc., and a visiting professor at Drew University, recounted and assessed the aftermath of the 2017 Equifax breach, which exposed personal data of 145.5 million individuals.

After highlighting proposed Congressional legislation to give consumers more control and protection of

their personal information including from customer data-selling companies, Mercuri noted a caveat: the nebulous dark web. “There’s yet to be a legal definition for the term,” otherwise regarded generally as a collection of websites on an encrypted network, she said.

Mercuri also noted numerous state attorneys general filing lawsuits against Equifax and singled out a potentially effective move by New York Governor Andrew Cuomo. “He’s directing his state to issue new rules requiring credit reporting agencies to register in New York in order to force them to comply with the state’s cybersecurity statutes, which actually are pretty good,” she said. “This would require Equifax and similar firms to adhere to the same consumer protection rules the state imposes on banks and insurance companies.”

Mercuri closed her talk with a post-Equifax breach checklist for stakeholders and policymakers to sharpen their focus on:

The ubiquitous use of social security numbers: “Why are we using these a means for identifying people? This should be redressed in the federal fair credit reporting act and related, state-adopted measures,” she said. “These rules generally address the correction, but not protection, of the data.”

Who’s the consumer?: Consumers in the context of credit-reporting policy discussion “are the lenders, employers and other agencies that pay the reporting services for information, not those whom this data this belongs to,” she said.

The identity theft protection market (estimated to have brought in $2.8 billion in revenue in 2017): “This market been doubling annually and received a real shot in the arm through consumer fear resulting from the Equifax breach. The same is happening with the virus protection companies.”

Creditors building fraud-loss into their operating expenses: Thanks to insurance and reinsurance, “the incentive or motivation to prosecute is very low, Mercuri said. “Creditors can absorb losing, for example, $1 million in fraud losses as part of the cost of doing business.” This contributes to perpetuation of breaches.

Among other speakers (see the entire program here), L. Jean Camp, professor in Indiana University's (IU) School of Informatics and Computing, delivered the Ira H. Shapiro Memorial Lecture. Her presentation, “The Mobile Lemon,” spotlighted and explored the risk-benefit tradeoff for smartphone app users.

The 2018 forum in its 14th year was coordinated by Lawrence Gordon, EY Alumni Professor of Managerial Accounting and Information Assurance, in the Smith School; Martin Loeb, professor of accounting and information assurance and Deloitte & Touche LLP Faculty Fellow, in the Smith School of Business; and William Lucyshyn, research director at DARPA and a senior research scholar at the Center for Public Policy and Private Enterprise in UMD’s School of Public Policy.