
News & Commentary

8/14/2018
10:30 AM

Equifax Avoided Fines, but What If ...?

Let's imagine the consequences the company would have faced if current laws had been on the books earlier.

Equifax made headlines around the world in 2017 with a massive data breach of more than 143 million records worldwide. It waited 40 days before notifying consumers of the breach, exposing customers to further risk. And that's not all.

Things went downhill from there, with the CEO, CISO, and CIO retiring or resigning and multiple executives charged with insider trading related to the breach.

All this while the internal processes that led to the breach revealed significant failures and a lack of awareness of why basic information security practices exist in the first place. Although the company has been working to overhaul its approach to security, critical questions remain.

Why Do They Have My Data?
In the backlash, many customers — especially those in the EU and Canada, where strong privacy laws exist — wondered why a company they had never agreed to do business with was holding all of this personally identifiable information. This naturally leads to a larger question of what role, if any, data brokers should play and how they should be regulated and monitored.

In late June, it was announced that US consumers — the majority of those affected in the breach — would finally see the consequences of Equifax's (in)action.

The result: nothing.

Nothing?
Well, technically, not "nothing," but close enough. Reuters details the consent decree approved by regulators in eight states, including New York, Texas, and California. The required action by Equifax was to complete a detailed assessment of cyber threats, increase board oversight, and improve patching processes for known security vulnerabilities. In essence, security 101.

With the exception of "board" oversight — but not oversight in general — these are all common security basics. They are part of the PCI standard that must be adhered to by any company processing credit card information. Yet the data broker that controls a huge piece of the credit rating market only now has to step "up" to this level of cybersecurity?

Alternatives
Let's work through a few "what-if" scenarios to explore the potential penalties that Equifax would have to face under various regulations.

1. If the Equifax breach happened under GDPR in the EU (which took effect May 25, 2018), it's likely that the company would be hit with two major fines: the first for failure to adequately notify affected individuals, and the second for failure to secure the data in the first place.

Failing to notify would cost Equifax up to 2% of its global revenue, and failure to secure would cost up to another 4%. In 2017, Equifax had global revenues of $3.36 billion. That means Equifax would have been fined about $201 million under GDPR for this breach.

2. If the Equifax breach happened under the new California Consumer Privacy Act of 2018 (which comes into effect in 2020), it could face financial penalties. The penalties for data theft under this act range from $100 to $750 per California resident, or actual damages.

We know from the initial data breach report that Equifax had records on 143 million Americans. That's about 56.9% of the eligible population. If we use that percentage for California, we have about 17.2 million affected California residents. That means that Equifax could have been fined between $1.7 billion and $12.75 billion for this breach.

Both penalties are a far cry from the $0.00 fine it received.

Frustration
The biggest challenge with the Equifax breach is the inability of any affected user to take reasonable action to prevent abuse of their information.

All of the recommendations (monitor your credit, carefully check your bank transactions, look out for identity theft, etc.) are reactive. They will only help highlight something that has already happened. Legislation like GDPR in the EU and the California Consumer Privacy Act is designed to shift the balance of power back to the owner of the information.

Make no mistake: Your information is yours. You only entrust it to others. Part of that trust is that they will do their best to protect it.

That's the real issue at the heart of the Equifax breach from the consumer point of view. At no point was that information explicitly entrusted to Equifax. The company simply acquired it and started to monetize it.

This is a case where strong individual rights for privacy and control over our data make sense.

Enough?
Thankfully — as reported by the New York Times — Equifax is still under investigation by a number of agencies, including the Federal Trade Commission, the Consumer Financial Protection Bureau, and the Securities and Exchange Commission. That means there is still hope that Equifax will face further punishment for a breach that never should have happened.

Hopefully, something will come of it. Cybersecurity as it is currently practiced is a constant and near-overwhelming challenge. Companies need to develop and maintain a culture of security, one that respects data privacy. With that in place, cybersecurity becomes far easier.

Cybersecurity is everyone's responsibility. That needs to be acknowledged and practiced before we can move forward.

Mark Nunnikhoven explores the impact of technology on individuals, organizations, and communities through the lens of privacy and security. Asking the question "How can we better protect our information?," Mark studies the world of cybercrime to better understand the risks ...