Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

8/14/2018
10:30 AM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

Equifax Avoided Fines, but What If ...?

Let's imagine the consequences the company would have faced if current laws had been on the books earlier.

Equifax made headlines around the world in 2017 with a massive data breach of more than 143 million records worldwide. It waited 40 days before notifying consumers of the breach, exposing customers to further risk. And that's not all.

Things went downhill from there, with the CEO, CISO, and CIO retiring or resigning and multiple executives charged with insider trading related to the breach.

All this as the internal processes that led to the breach showed significant failures and a lack of basic awareness of why basic information security practices are in place. Although the company has been working to overhaul its approach to security, critical questions remain.

Why Do They Have My Data?
In the backlash, many customers — especially those in the EU and Canada, where strong privacy laws exist — wondered why a company they had never agreed to do business with was holding all of this personally identifiable information. This naturally leads to a larger question of what role, if any, data brokers should play and how they should be regulated and monitored.

In late June, it was announced that US consumers — the majority of those affected in the breach — would finally see the consequences of Equifax's (in)action.

The result: nothing.

Nothing?
Well, technically, not "nothing," but close enough. Reuters details the consent decree approved by regulators in eight states, including New York, Texas, and California. The required action by Equifax was to complete a detailed assessment of cyber threats, increase board oversight, and improve patching processes for known security vulnerabilities. In essence, security 101.

With the exception of "board" oversight — but not oversight in general — these are all common security basics. They are part of the PCI standard that must be adhered to by any company processing credit card information. However, the data broker that maintains a huge piece of the credit rating marker only now has to step "up" to this level of cybersecurity?

Alternatives
Let's work through a few "what-if" scenarios to explore the potential penalties that Equifax would have to face under various regulations.

1. If the Equifax breach happened under GDPR in the EU (which took effect May 25, 2018), it's likely that they would be hit with two major fines. The first for failure to adequately notify affected individuals, and the second for a failure to secure the data in the first place.

Failing to notify would cost Equifax up to 2% of its global revenue, and failure to secure would cost up to another 4%. In 2017, Equifax had global revenues of $3.36 billion. That means Equifax would have been fined about $201 million under GDPR for this breach.

2. If the Equifax breach happened under the new California Consumer Privacy Act of 2018 (which comes into effect in 2020), it could face financial penalties. The penalties for data theft under this act range from $100 to $750 per California resident, or actual damages.

We know from the initial data breach report that Equifax had records on 143 million Americans. That's about 56.9% of the eligible population. If we use that percentage for California, we have about 17.2 million affected California residents. That means that Equifax could have been fined between $1.7 billion and $12.75 billion for this breach.

Both penalties are a far cry from the $0.00 fine it received.

Frustration
The biggest challenge with the Equifax breach is the inability for any affected user to take reasonable actions to prevent any abuse of their information.

All of the recommendations (monitor your credit, carefully check your bank transactions, look out for identity theft, etc.) are all reactive. They will only help highlight something that has already happened. Legislation like GDPR in the EU and the California Consumer Privacy Act are designed to shift the balance of power back to the owner on the information.

Make no mistake: Your information is yours. You only entrust it to others. Part of that trust is that they will do their best to protect it.

That's the real issue at the heart of the Equifax breach from the consumer point of view. At no point was that information explicitly entrusted to Equifax. The company simply acquired it and started to monetize it.

This is a case where strong individual rights for privacy and control over our data make sense.

Enough?
Thankfully — as reported by the New York Times — Equifax is still under investigation by a number of agencies, including the Federal Trade Commission, Consumer Finance Protection Bureau, and the Securities and Exchange Commission. That means there is still hope that Equifax will face further punishment for a breach that never should have happened.

Hopefully, something will come of it. Cybersecurity as it is currently practiced is a constant and near overwhelming challenge. Companies need to develop and maintain a culture of security. A culture that respects data privacy. With that in place, cybersecurity becomes far easier.

Cybersecurity is everyone's responsibility. That needs to be acknowledged and practiced before we can move forward.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early-bird rate ends August 31. Click for more info

Mark Nunnikhoven explores the impact of technology on individuals, organizations, and communities through the lens of privacy and security. Asking the question "How can we better protect our information?," Mark studies the world of cybercrime to better understand the risks ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16413
PUBLISHED: 2019-09-19
An issue was discovered in the Linux kernel before 5.0.4. The 9p filesystem did not protect i_size_write() properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.
CVE-2019-3738
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
CVE-2019-3739
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
CVE-2019-3740
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
CVE-2019-3756
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.