Lessons from the Equifax Data Breach
The recent data breaches should serve as a catalyst to more seriously consider what data we collect and store in our data warehouses.
- By Mike Schiff
- November 13, 2017
By now we have all heard about the massive data breach of Equifax's credit reporting database that potentially exposed sensitive consumer data such as the Social Security numbers, birthdates, addresses, driver's license numbers, and other supposedly private information of over 143 million people. Additionally, over 200,000 credit card numbers were compromised.
Effects of a Consumer Data Breach
From the consumers' perspective, this obviously now makes them more vulnerable to identity theft; from Equifax's perspective, it severely damages its reputation and exposes the company to a wide variety of civil and perhaps criminal charges including insider trading (three Equifax executives allegedly sold stock approximately one month prior to the breach being made public on September 7).
As data warehouse practitioners, we recognize that our data warehouses contain sensitive and proprietary organizational, sales, and product data that must be protected lest competitors gain access and use it for competitive advantage. Furthermore, as most organizations also store and analyze customer and prospect data, we need to ensure that this data is protected as well.
In fact, as companies including Equifax, Anthem, Target, and Home Depot have found, compromising customer data (e.g., credit cards, email addresses, etc.) can have negative consequences that can overshadow the compromise of other data, due to the loss of consumer confidence and long-term damage to the organization's reputation. For example, although Target cashiers will likely ask me if I wish to sign up for a Target credit card during the checkout process, my gut (albeit unspoken) reaction is still, "You must be kidding!"
The fallout from the Equifax data breach will likely lead to enhanced organizational procedures reinforcing data protection and to further governmental compliance regulations such as those affecting victim notification, follow-on identity theft monitoring, privacy, and investor disclosure. It should also push us to consider the potential liability our organizations would have if the data in our warehouses were compromised.
Think Before You Collect More Data
Our users, and in many cases, we ourselves, have come to believe that because the cost of storage continues to decrease while compute power continues to increase, we should collect and store more data on the chance that it could be useful for future, but currently unforeseen, analytics needs.
Instead, when evaluating additional data collection requests, we should encourage our organizations to perform a cost/benefit analysis that includes the consequences of the data being compromised or stolen as well as the cost of gathering, cleaning, integrating, and storing it.
On a somewhat related topic, I am aware of several organizations that discourage collecting and retaining some historical data because they fear it might come back to haunt them if they were asked to provide it during a lawsuit's discovery process.
In summary, the recent data breaches should serve as a catalyst to more seriously consider what data we collect and store in our data warehouses. "It might be useful for later analysis" should not be a sufficient response, especially if a data breach would lead to adverse economic or reputational consequences. Your cost/benefit analyses should include the impact of having this data compromised and the marginal cost of taking steps to protect it.
Michael A. Schiff is founder and principal analyst of MAS Strategies, which specializes in formulating effective data warehousing strategies. With more than four decades of industry experience as a developer, user, consultant, vendor, and industry analyst, Mike is an expert in developing, marketing, and implementing solutions that transform operational data into useful decision-enabling information.
His prior experience as an IT director and systems and programming manager provides him with a thorough understanding of the technical, business, and political issues that must be addressed for any successful implementation. With Bachelor and Master of Science degrees from MIT's Sloan School of Management and as a certified financial planner, Mike can address both the technical and financial aspects of data warehousing and business intelligence.