The market can't - and won't - deal with IT security, it must be regulated, argues Bruce Schneier
Regulate the security practices of companies that store data, fine them if they fail to comply and let people sue if companies spill personal information, argues Schneier
Security guru Bruce Schneier has argued that the only way to force companies to take IT security more seriously is via Sarbanes-Oxley-style regulation, or a US equivalent of the European Union's General Data Protection Regulation.
"The market can't fix this. Markets work because buyers choose between sellers, and sellers compete for buyers. In case you didn't notice, you're not Equifax's customer. You're its product," wrote Schneier in a blog post.
He continued: "It's not just Equifax. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about you - almost all of them companies you've never heard of and have no business relationship with."
And it's not just credit-reference agencies like Equifax that are collecting as much data on individuals as they can dredge up - it's everyone, warned Schneier.
"Facebook is the largest surveillance organisation mankind has created; collecting data on you is its business model. I don't have a Facebook account, but Facebook still keeps a surprisingly complete dossier on me and my associations - just in case I ever decide to join."
Equifax is just the latest in a long line of companies that have been cracked in highly damaging security breaches, which in many respects appear to be caused by a combination of incompetence and negligence. They have also typically been slow to disclose the breaches.
"Market failures like this can only be solved through government intervention. By regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative.
"They can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm," argued Schneier.
The US Federal Trade Commission, he added, won't be able to step in without evidence of "unfair and deceptive trade practices" as opposed to basic incompetence.
"If you don't like how careless Equifax was with your data, don't waste your breath complaining to Equifax. Complain to your government," argued Schneier.