I mostly agree, but my concern is that this is not the perspective most people, including practitioners, are bringing to the discussion when they talk about "encryption". They mean, "if you had encrypted, this data never would have been exfiltrated in a breach". Which, of course, is false.
Fair enough, but I think we should be careful not to encourage the replacement of this perspective with one that says Equifax (and other collectors of sensitive data) could not be expected to do / have done better. I was quite surprised (though I probably should not have been) by the number of IT people advocating that position.
