A short thought that came to me while listening to an Around the Coin (one of my favorite podcasts) discussion about the Equifax breach.
Equifax (and similar) personal data is used by banks (at least US banks) to authenticate and identify customers.
Considering the magnitude of the breach, effectively all US data has been compromised.
Now that the breach is public, banks should reasonably be expected to know that data is compromised. If they continue to use that data for authentication, should they be held liable in the event that the data is used to compromise my account?
Asked differently, why shouldn’t banks be held liable if they’re willingly using known compromised data to protect my account?
Sounds like negligent behavior to me.