143,000,000 people were the victims of a recent data breach when their data was stolen from Equifax, a company that has an obligation to keep their data safe. Data security is tough. The bad guys only need to be successful once, while companies need to win every time. However, from the perspective of many consumers, Equifax has not responded in the most responsible way to this data breach. The company’s website did not have a section to help consumers with this breach. So, people had to find the special website, visit a second time to request free credit monitoring, and many have still not received acknowledgment that their requests were received.
Accountable organizations need to be responsible and answerable. They must be transparent about their processes and stand ready to demonstrate those processes. It seems like Equifax does not reflect these concepts of accountability. So does this mean that accountability does not work? I believe that the opposite is true.
Could the event have been prevented by a different regulatory approach, for example a regulatory system that describes, in great detail, the data security actions a company would have to follow? The reality is that the rules would be dated the moment they were enacted. Instead, appropriate security is explicitly required by the safeguarding rule and implicitly by Section 5 of the Federal Trade Commission Act. So, the obligation is there. Regulators could do spot audits; however, regulators will never have the bandwidth to examine every organization. An accountability approach creates the obligation and requires companies to implement the right tools to meet that obligation. Data breach laws required the company to announce data breaches that are impactful, and Equifax did so, creating the mechanism for being answerable. Once the breach was announced, news reporters began their own investigations. At least three federal regulatory agencies have announced investigations, and they have been joined by 34 state attorneys general. The company’s stock has fallen by a third. Several class action lawsuits have been filed. I have great confidence that the company will be answerable for its behavior. The market and regulatory punishment will be what encourages other companies to behave in a manner that consumers would find more appropriate.
At the end of the day, I believe accountability does work. Where laws require accountable behavior and appropriate disclosures, the mechanisms to hold companies responsible and answerable do work. And I also believe that accountability allows for the best combination of data-driven innovation and individual protections.
As innovation powers forward and companies find new applications of data use, they will increasingly be expected to be accountable for the impact those data uses have on people. The IAF recently issued enhanced essential accountability elements for artificial intelligence that are also applicable to advanced analytics. The IAF is arguing that the price for being trusted to use data robustly is stakeholder-focused accountability. So, as data is used more and more robustly, let’s enhance accountability as part of data governance infrastructure.