- The FTC's record settlement against Equifax highlights the need for CFOs to find the resources to invest in the tightest verification systems available if consumers engage with your company directly, said Chris Luttrell, Chief Operating Officer at consumer identity security company IDology.
- Luttrell recommended using "multiple layers and types of verification" when onboarding new clients or verifying current ones. "If I were CFO of a business that requires the consumer to sign up for the services, I'd need them to know that we're using the strongest verification tools available," Luttrell said.
- Only 4% of data was encrypted among all the breaches in the past 10 years, the Data Breach Index found, according to a recent release. The remainder of that data was "just sitting there [on the server], unprotected," Luttrell said.
Given the wide-reaching nature of the Equifax breach and eventual settlement, consumers are well aware of the precarious state of data privacy. In a report from Lutrtell's company, findings indicate that consumers are "much more likely" to do business in the future with companies that have the strongest verification protocols available. "If you're the CFO, and consumers ask how they can trust your company with their data, you need to be very transparent with them," Luttrell said. "If you require their Social Security number, you also should tell them why you need it."
Luttrell advised company leadership to tell their consumers upfront that you're collecting their information to protect you, not to amass a surplus of data. Company CIOs also must ensure that all client information is encrypted, she said. Given the hyper-technological state of data access today, it is "absolutely" worth revamping company-wide privacy protections, regardless of one's industry.
A data privacy audit should be done at least once a year, Luttrell said. "Beyond just being a complete top priority, it's your lifeline," she said. "You need to protect your consumers and their information, and the policies to do so need to be reviewed on an annual basis."
The European Union's General Data Protection Regulation (GDPR) law, which covers sweeping data privacy protection, took effect last year. It's much stronger than any law in the U.S., though California recently enacted a similar law, and other states have passed or are looking to pass tougher laws. Luttrell said she's "absolutely" confident that the Equifax settlement will spur a wave of new data protection laws across the country. CFOs need to be prepared if that happens, Luttrell said.
Businesses should open special portals or call centers for consumers to get in direct contact, request their information and exercise their right to remove their data from the server, Luttrell said. "If a data regulation law is enacted, lots of operational needs are going to follow," she said. "So you'll have to hire people to do that work — maybe even revamp your internal budget and open up a whole new department. But it's well worth it to maintain that consumer trust."