Washingtonians and people all across the United States are justifiably worried about the impact of the Equifax data breach, which is reported to affect more than 143 million people.
When personal data is breached, we should all be concerned. When hackers steal Social Security numbers, credit-card rating data and other personal information, they exploit this data through identity theft and other scams. This is the reality of cybercrime today.
At moments such as this, it’s worth asking how we got here in the first place. How do companies such as Equifax acquire our personal and financial information if we never had a direct relationship with them? Why aren’t these financial-services and credit-rating organizations under a higher standard of care when it comes to securing our data? Why don’t people have easy access to correcting or deleting information that identifies them personally?
The truth is that in our era of “Big Data,” companies operate under very few controls. Your bank probably shared financial information with the three national credit rating agencies when you obtained a credit card and buried this disclosure somewhere in the initial contract. People really don’t have the chance to give their affirmative consent to such sharing; it just happens in what has become the “normal course of business.”
There are also very few controls over how corporations share your personal data with their partner companies or affiliates. Our data is extremely valuable to companies and they have incentives to monetize it wherever they can. While some companies offer privacy controls that allow users to adjust settings for data sharing and advertising, many don’t. If you navigate websites or use GPS-enabled services on your phone, you leave an extensive and valuable data trail that predicts personal habits and preferences.
In the event of a data breach, consumers have very few options. Even contacting a company that holds your credit rating data can be extremely frustrating. They may just tell you to purchase a credit-monitoring product from them. This was the case with Equifax, until it responded to widespread criticism.
So what can we do about this?
In the short run, people should closely watch their individual bank accounts for suspicious activity. If you are concerned about identity theft and someone trying to obtain more credit using your name, instruct the credit rating agencies to put a freeze on your credit. It’s also a very good idea to obtain a PIN from the IRS so it can authenticate you when you file your tax return.
In the long term, we must exercise more control over our personal data. This applies both nationally and at the state level, where we are discussing new ideas about requiring companies to enhance transparency and security around their data practices. In Washington state, some of the policies we are considering would require transparency in the sharing and sale of user data, require companies to obtain consent from individuals before using data for purposes other than what was originally authorized, and improve how companies coordinate data handling, processing and storage.
Our federal government also needs to do more internationally to create a regime where hackers pay a price for their bad actions. This would require an unprecedented degree of international cooperation, but it is necessary. Microsoft’s Brad Smith has proposed a new Digital Geneva Convention to advance the battle against global cybercrime.
As Washington state’s chief privacy officer, I work on a daily basis with our state agencies to limit the data we collect from residents and to establish best practices around its storage, sharing and management. Our state’s Office of Cybersecurity and state Military Department are national leaders in the effort to integrate cybersecurity into our statewide policies and to prevent and respond to cyber emergencies.
We understand the special obligation we have as stewards of your personal data. That obligation should apply to corporations as well. Everyone who collects and processes sensitive personal data must be held accountable for its security. That’s the bottom line.