How Developing Countries Can Prevent Their Own Equifax Breach
Developing countries have a great advantage when it comes to data security — they can learn from the lessons of developed countries. The recent security breach at the American credit bureau Equifax, which exposed the personal information of over 145 million people, provides two important lessons: avoid big databases where possible and give consumers more control over their personal information.
The development of digital financial services has brought millions of consumers around the world into the financial system, offering opportunities to transfer and save money in ways that can improve their lives. But digital finance leaves a digital footprint — lots and lots of data. In some countries, those data are being aggregated into ever-growing databases. Credit bureaus, which collect a huge amount of information on consumers’ past financial behavior, are among those creating such massive databases. And there has been a growing trend to expand the types of information held by these credit bureaus to include nontraditional data, such as the contents of SMS messages and emails, social media and even psychometric test results. In the past, it might have been most efficient for these bureaus to aggregate this information into massive databases. Yet it is obvious that collecting so much sensitive information in centralized locations creates attractive targets for cyber thieves. This is just what happened to Equifax, which, despite being on notice of this significant risk, failed to take adequate measures to protect millions of people’s sensitive information.
Photo: Sudipto Rana, 2014 CGAP Photo Contest
For developing countries, the first lesson from the Equifax breach is that it would be far better to decentralize personal information, keeping it in the hands of the firms, such as banks and credit card companies, that use it on a regular basis to run their business. Why build and maintain huge databases in a high-speed, networked 21st century world despite the risks? One reasonable answer is that communications facilities in some countries may not be sufficiently fast, pervasive and reliable. Nonetheless, it’s a good time to consider whether decentralization is realistic and plan for it in the future. In a decentralized system, to fulfill a request for someone’s credit report, a credit bureau could poll a network of financial institutions for that consumer’s credit history and compile it into a report. Bypassing the need for huge centralized databases in this way could reduce the vulnerability to hacking and the resulting incidents of identity theft and fraud.
Potential Equifax victims have been encouraged to freeze their credit files to prevent criminals from obtaining credit in their names. Unless the freeze is lifted, creditors will be unable to access the victim’s credit report. Believe it or not, in some cases in the United States, consumers must pay the credit bureaus not to give out their information without their consent. It’s time to put consumers in charge of who can access their information.
India provides a lesson about how this can be done. India Stack is a collection of tools that are being used to bring more Indians into the financial system. A key component is the “digital locker,” which allows people’s records, such as birth certificates, driver’s licenses and bank statements, to be kept in a secure environment. Individuals can then authorize access to their information using a biometric national identifier when applying for a loan or opening a bank account, giving the lender electronic access to documents needed to consider their credit application. Access can be authorized at a granular level — permitting a lender to see certain documents in the locker, including bank statements and utility bills, but not others, such as medical records, which should only be seen by health professionals.
Financial institutions and other firms could report transaction information not to credit bureaus but to individuals’ digital lockers. These documents can be digitally signed by the reporting firm to ensure their legitimacy. This approach would address many of the concerns highlighted by the Equifax breach. First, while digilocker security can never be guaranteed, security practices are followed, such as encrypting transmissions to the locker and adhering to international data center security practices. Second, instead of having to freeze access to their credit history, consumers would have their information released only with their express consent. Third, it would give consumers the opportunity to review their credit history any time they wanted at no cost, and dispute it with furnishers so a more accurate, timely set of information would be available in their digilocker when they decide to apply for credit.
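The locker flow described above, as a small model added here for illustration; it is not India Stack's or DigiLocker's code or API. The type and method names, the "lender" requester, the document-type strings and the choice of Ed25519 as the signature scheme are all assumptions, and the biometric step that authorizes consent is outside the model.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Record is one document a reporting firm deposits in a consumer's locker.
type Record struct {
	DocType   string
	Body, Sig []byte // Sig: the firm's Ed25519 signature over DocType and Body
}

// Locker holds one consumer's records and the consents that consumer granted.
type Locker struct {
	Records []Record
	Consent map[[2]string]bool // {requester, document type} -> granted
}

func signedBytes(docType string, body []byte) []byte {
	return append([]byte(docType+"\x00"), body...)
}

// Deposit stores a record signed with the reporting firm's private key.
func (l *Locker) Deposit(key ed25519.PrivateKey, docType string, body []byte) {
	l.Records = append(l.Records, Record{docType, body, ed25519.Sign(key, signedBytes(docType, body))})
}

// Release returns consented records only; an altered record fails the request.
func (l *Locker) Release(requester string, firmPub ed25519.PublicKey) ([]Record, error) {
	var out []Record
	for _, r := range l.Records {
		if l.Consent[[2]string{requester, r.DocType}] { // otherwise withheld
			if !ed25519.Verify(firmPub, signedBytes(r.DocType, r.Body), r.Sig) {
				return nil, fmt.Errorf("signature check failed: %s", r.DocType)
			}
			out = append(out, r)
		}
	}
	return out, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	l := Locker{Consent: map[[2]string]bool{{"lender", "bank_statement"}: true}}
	l.Deposit(priv, "bank_statement", []byte("constructed sample statement"))
	l.Deposit(priv, "medical_record", []byte("constructed sample record"))
	docs, err := l.Release("lender", pub)
	fmt.Println(len(docs), err) // the lender receives the bank statement only
}
```

Because the document type is part of the signed bytes, a stored record cannot be relabelled as a different type to slip past the consent check without breaking the signature.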
Now is a good time to start using network technology and digital lockers to better protect consumers’ privacy.