Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

8/14/2018
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Equifax Avoided Fines, but What If ...?

Let's imagine the consequences the company would have faced if current laws had been on the books earlier.

Equifax made headlines around the world in 2017 with a massive data breach of more than 143 million records worldwide. It waited 40 days before notifying consumers of the breach, exposing customers to further risk. And that's not all.

Things went downhill from there, with the CEO, CISO, and CIO retiring or resigning and multiple executives charged with insider trading related to the breach.

All this as the internal processes that led to the breach showed significant failures and a lack of basic awareness of why basic information security practices are in place. Although the company has been working to overhaul its approach to security, critical questions remain.

Why Do They Have My Data?
In the backlash, many customers — especially those in the EU and Canada, where strong privacy laws exist — wondered why a company they had never agreed to do business with was holding all of this personally identifiable information. This naturally leads to a larger question of what role, if any, data brokers should play and how they should be regulated and monitored.

In late June, it was announced that US consumers — the majority of those affected in the breach — would finally see the consequences of Equifax's (in)action.

The result: nothing.

Nothing?
Well, technically, not "nothing," but close enough. Reuters details the consent decree approved by regulators in eight states, including New York, Texas, and California. The required action by Equifax was to complete a detailed assessment of cyber threats, increase board oversight, and improve patching processes for known security vulnerabilities. In essence, security 101.

With the exception of "board" oversight — but not oversight in general — these are all common security basics. They are part of the PCI standard that must be adhered to by any company processing credit card information. However, the data broker that maintains a huge piece of the credit rating marker only now has to step "up" to this level of cybersecurity?

Alternatives
Let's work through a few "what-if" scenarios to explore the potential penalties that Equifax would have to face under various regulations.

1. If the Equifax breach happened under GDPR in the EU (which took effect May 25, 2018), it's likely that they would be hit with two major fines. The first for failure to adequately notify affected individuals, and the second for a failure to secure the data in the first place.

Failing to notify would cost Equifax up to 2% of its global revenue, and failure to secure would cost up to another 4%. In 2017, Equifax had global revenues of $3.36 billion. That means Equifax would have been fined about $201 million under GDPR for this breach.

2. If the Equifax breach happened under the new California Consumer Privacy Act of 2018 (which comes into effect in 2020), it could face financial penalties. The penalties for data theft under this act range from $100 to $750 per California resident, or actual damages.

We know from the initial data breach report that Equifax had records on 143 million Americans. That's about 56.9% of the eligible population. If we use that percentage for California, we have about 17.2 million affected California residents. That means that Equifax could have been fined between $1.7 billion and $12.75 billion for this breach.

Both penalties are a far cry from the $0.00 fine it received.

Frustration
The biggest challenge with the Equifax breach is the inability for any affected user to take reasonable actions to prevent any abuse of their information.

All of the recommendations (monitor your credit, carefully check your bank transactions, look out for identity theft, etc.) are all reactive. They will only help highlight something that has already happened. Legislation like GDPR in the EU and the California Consumer Privacy Act are designed to shift the balance of power back to the owner on the information.

Make no mistake: Your information is yours. You only entrust it to others. Part of that trust is that they will do their best to protect it.

That's the real issue at the heart of the Equifax breach from the consumer point of view. At no point was that information explicitly entrusted to Equifax. The company simply acquired it and started to monetize it.

This is a case where strong individual rights for privacy and control over our data make sense.

Enough?
Thankfully — as reported by the New York Times — Equifax is still under investigation by a number of agencies, including the Federal Trade Commission, Consumer Finance Protection Bureau, and the Securities and Exchange Commission. That means there is still hope that Equifax will face further punishment for a breach that never should have happened.

Hopefully, something will come of it. Cybersecurity as it is currently practiced is a constant and near overwhelming challenge. Companies need to develop and maintain a culture of security. A culture that respects data privacy. With that in place, cybersecurity becomes far easier.

Cybersecurity is everyone's responsibility. That needs to be acknowledged and practiced before we can move forward.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early-bird rate ends August 31. Click for more info

Mark Nunnikhoven explores the impact of technology on individuals, organizations, and communities through the lens of privacy and security. Asking the question "How can we better protect our information?," Mark studies the world of cybercrime to better understand the risks ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/7/2020
Researcher Hijacks iOS, macOS Camera with Three Safari Zero-Days
Kelly Sheridan, Staff Editor, Dark Reading,  4/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The dead do not laugh...
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10551
PUBLISHED: 2020-04-09
QQBrowser before 10.5.3870.400 installs a Windows service TsService.exe. This file is writable by anyone belonging to the NT AUTHORITY\Authenticated Users group, which includes all local and remote users. This can be abused by local attackers to escalate privileges to NT AUTHORITY\SYSTEM by writing ...
CVE-2020-10621
PUBLISHED: 2020-04-09
Multiple issues exist that allow files to be uploaded and executed on the WebAccess/NMS (versions prior to 3.0.2).
CVE-2020-11553
PUBLISHED: 2020-04-09
An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28. There is pervasive CSRF.
CVE-2020-11554
PUBLISHED: 2020-04-09
An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28. It allows remote attackers to obtain sensitive information via info.php4.
CVE-2020-11555
PUBLISHED: 2020-04-09
An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 2020-01-28. It allows remote attackers to obtain sensitive credential information from backup files.