The fallout from the recent Equifax data breach is continuing as the Financial Conduct Authority begins its investigation into exactly what happened. Meanwhile fresh hype is being created as it emerges that thousands have turned to identity-theft-protection company Lifelock in order to protect their personal information, unaware that in doing so they are actually signing up for services that still rely on Equifax data.
The fact that Lifelock uses the company in order to carry out credit-score checking and monitoring is not unusual; organisations often use other outfits to provide components of their overall service. It can be more efficient and cheaper to use a specialist third party for a particular matter such as credit checking than to try to carry it out in-house.
The real cause for trepidation lies in the lack of transparency involved as it appears that those concerned about the whereabouts of their personal data following the Equifax breach are, in essence, seeking help from the same organisation that lost their data in the first place.
This is concerning on two fronts:
- Equifax is profiting from its own breach as it is receiving revenues from carrying out checks for Lifelock customers that would likely not have become customers had the breach not occurred.
- Customers simply have no idea that the organisation they are trusting to check their data so they can regain control of it, is using an organisation in which those very same customers have lost trust because it compromised their data in the first place
This lack of transparency is symptomatic of an age in which vast amounts of personal data are shared amongst organisations without the subjects knowing with which organisations such data is being shared and their locations, along with why it is being shared. Sometimes those sharing the data in the first place lose sight of where it ends up and how it is used once it is out of the original disseminator’s hands.
The new General Data Protection Regulation coming into force next year will place increased pressure on EU-based organisations. Greater transparency will be required from those outside the EU doing business with EU data subjects, in terms of who they are sharing data with, where and for what purpose. The GDPR has real bite too, as the fines are hefty if organisations breach the rules.
Opting to climb to a new level on the transparency skyscraper makes business practices more visible and ultimately gives consumers a better view. It also means that organisations will be held to greater accountability. And while the consequences of the Equihack may loom for years, as a society we must be more proactive in our decisions on what to share and what to safeguard, and organisations that use personal data must be more transparent about their practices in order to preserve their ability to continue to legitimately to do so to achieve their business goals.
This is the second article in a two part series. To view the first installment please click here.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.