How Developing Countries Can Prevent Their Own Equifax Breach
Developing countries have a great advantage when it comes to data security — they can learn from the lessons of developed countries. The recent incident involving the security breach at the American credit bureau Equifax, that exposed the personal information of over 145 million people, provides two important lessons: avoid big databases where possible and give consumers more control over their personal information.
The development of digital financial services has brought millions of consumers around the world into the financial system, offering opportunities to transfer and save money in ways that can improve their lives. But digital finance leaves a digital footprint — lots and lots of data. In some countries, those data are being aggregated into ever-growing databases. Credit bureaus, which collect a huge amount of information on consumers’ past financial behavior, are among those creating such massive databases. And there has been a growing trend to expand the types of information held by these credit bureaus to include nontraditional data, such as the contents of SMS messages and emails, social media and even psychometric test results. In the past, it might have been most efficient for these bureaus to aggregate this information into massive databases. Yet it is obvious that collecting so much sensitive information in centralized locations creates attractive targets for cyber thieves. This is just what happened to Equifax, which despite being on notice of this significant risk, failed to take adequate measures to protect millions of people’s sensitive information.
For developing countries, the first lesson from the Equifax breach is that it would be far better to decentralize personal information, keeping it in the hands of the firms, such as banks and credit card companies, that use it on a regular basis to run their business. Why build and maintain huge databases in a high-speed, networked 21st century world despite the risks? One reasonable answer is that communications facilities in some countries may not be sufficiently fast, pervasive and reliable. Nonetheless, it’s a good time to consider whether decentralization is realistic and plan for it in the future. In a decentralized system, to fulfill a request for someone’s credit report, a credit bureau could poll a network of financial institutions for that consumer’s credit history and compile it into a report. Bypassing the need for huge centralized databases in this way could reduce the vulnerability to hacking and the resulting incidents of identity theft and fraud.
Potential Equifax victims have been encouraged to freeze their credit files to prevent criminals from obtaining credit in their names. Unless the freeze is lifted, creditors will be unable to access the victim’s credit report. Believe it or not, in some cases in the United States, consumers must pay the credit bureaus not to give out their information without their consent. It’s time to put consumers in charge of who can access their information.
India provides a lesson about how this can be done. India Stack is a collection of tools that are being used to bring more Indians into the financial system. A key component is the “digital locker,” which allows people’s records, such as birth certificates, driver’s licenses and bank statements, to be kept in a secure environment. Individuals can then authorize access to their information using a biometric national identifier when applying for a loan or opening a bank account, giving the lender electronic access to documents needed to consider their credit application. Access can be authorized at a granular level — permitting a lender to see certain documents in the locker, including bank statements and utility bills, but not others, such as medical records, which should only be seen by health professionals.
Financial institutions and other firms could report transaction information not to credit bureaus but to individuals’ digital lockers. These documents can be digitally signed by the reporting firm to ensure their legitimacy. This approach would address many of the concerns highlighted by the Equifax breach. First, while digilocker security can never be guaranteed, security practices are followed, such as encrypting transmissions to the locker and meeting international data center security practices. Second, instead of having to freeze access to their credit history, consumers’ information would be released only with their express consent. Third, it would give consumers the opportunity to review their credit history any time they wanted at no cost, and dispute it with furnishers so a more accurate, timely set of information would be available in their digilocker when they decide to apply for credit.
Now is a good time to start using network technology and digital lockers to better protect consumers’ privacy.
Digital lockers sound like a great idea. The business model of credit reporting firms is about releasing information, the business mode of a locker is about protecting it. Given the customers of credit firms are banks, not consumers, it is no wonder they prioritise the ability to access and release information over its protection
Thanks Michael. In the United States, credit bureaus used to err on the side of including negative information in people’s files, even if they weren’t sure it was the right person’s information, because the bureaus thought their customers preferred to buy thicker files and avoid taking credit risks, even at the price of rejecting some creditworthy individuals. It took legislation to help tilt the balance back toward consumers by imposing greater liability on bureaus for accuracy shortcomings.
The key idea in the consent layer of the india stack (now referred to as the data empowerment and protection architecture) is that to empower people based on their data, you have to invert the ownership of the data - it belongs to the individual, and they must have control over it, even though it is in the custody of the service provider.
There are many other learnings from the equifax case: the use of an identifier without authentication is fraught with danger, you need controls inside your organization, thus limiting exposure, as well as effectively creating multiple layers of security (and not just a single outer layer).
Sanjay, I agree that one of the things that make the India stack significant, particularly, its digital locker, is the shifting of power to the individual by providing greater control over personal information. As you note, effective data security measures are important to protect against external threats while not losing sight of the fact that oftentimes the greatest security threats come from insiders.
Thanks for the article. Digital lockers seems to be a very efficient solution. But could you clarify at which step and frequency the client would have to decide on the type of granularity of locking and unlocking the information he could do and weather it would be easy for him to do it properly. Would client always have a good understanding of what information they should unlock and what they shouldn't and would some firms still not try to pressure clients to give some confidential information in order to access their services ? so that there are quite a number of questions regarding the education of client and their rights on data privacy that need to ne addressed.
Thanks for your questions Christelle. You ask how often and with what specificity individuals would exercise control over access to information in their digital lockers. You also raise the question of how well it would be understood what information should – or should not – be unlocked, and more broadly how well people would be educated about these decisions and what data privacy rights they would have. These are excellent considerations that should guide the design of digital lockers. Ideally, the lockers would be simple enough to use and instructions clear enough that people understand what information they are choosing to disclose. The system could be designed to require item-by-item disclosure approval or approval of categories of information, e.g., payment histories, so as to limit the time spent making disclosure decisions. In addition, there could be blanket approvals for certain types of access requests, such as monthly credit reviews on outstanding loans, whereas other requests, such as to consider an application for a new account, could require approval on a case-by-case basis. Data privacy rules could be put in place to protect individuals, particularly from coercive efforts to gain access to personal information that is not required to provide the requested products or services. If well designed and implemented, digital lockers can significantly advance privacy by giving people more control over their personal information.