As the lawsuits and criticism continue to pile up for Equifax Inc. after the disclosure of a massive data breach impacting as many as 143 million U.S. customers, the company is scrambling to mitigate the damage.
Equifax CEO Richard Smith apologized to all affected in a Sept. 12 op ed, promising that changes will be made. Days later, the company announced the retirement of its chief security and chief information officers.
Given the company’s missteps in the wake of the incident, however, is there really a way to rebound?
Charles Hoff, former senior vice president and international counsel at Equifax, told Corporate Counsel in an interview this week that “it’s not going to be an easy road back for Equifax.” But he said there’s a roadmap to follow to regaining public trust that relies on the company’s own playbook.
Hoff spent more than 19 years with Equifax before leaving in 2001. He is now CEO of PCI University, which aims to help small and medium-sized businesses improve cybersecurity.
Approach to Risk
The breach, which was discovered by Equifax on July 29, and announced on Sept. 7, was not the company’s first and likely won’t be its last. In fact, the consumer credit reporting agency suffered an unrelated breach just a couple months before the incursion found in July, Bloomberg reported.
“When you look at Equifax, this is a treasure trove for hackers,” Hoff said. “It doesn’t get any better for [hackers] in terms of the currency of the 21st Century, which is data and personal data.”
When Hoff was at Equifax, he said the company used what’s known as the “balanced scorecard” management system, “in which serious risks like cybersecurity are identified and assessed on a constant basis by senior management, which as a coordinated working unit, assumes responsibility for risk mitigation and constant vigilance.”
“What is appealing about this holistic approach,” he added “is that it encourages an integrated format wherein the different disciplines act together as a team and avoids a flawed silo environment where just, say, the CIO or CTO is expected to be solely accountable.”
At least while Hoff was at Equifax, the legal department had a vital role to play in this risk management system. “Within this framework, Equifax’s legal department maintained an integral leadership role in the risk prevention and management process,” he said, adding that while he has no personal knowledge as to whether this structure remains within Equifax, he has no reason to believe the legal department’s role has changed.
As of the publication of a 2012 independent service auditors’ report from KPMG, which seems to have been removed from Equifax’s website, the legal department still appeared to play a critical role in data security. Per the report, the “global security organization” at Equifax, which is responsible for “defining information security policies and standards and monitoring compliance with security policies and standards” as well as conducting monthly security scans of the Equifax network, reported to the general counsel and CLO.
The frequency with which companies fall victim to breaches suggests that it’s all but inevitable that a hack will happen at some point at companies holding valuable data.
And this is where incident response comes into play. “There’s an incident response plan that always goes into effect when there’s a breach,” Hoff said. “And legal oftentimes takes the lead and is very circumspect in terms of what is said and to whom in the public.” He explained that in-house legal typically works with human resources, public relations and other senior execs on a response.
Unfortunately for Equifax, “the optics are less than desirable” post-breach, Hoff said, pointing to, for example, the fact that the company waited over a month to disclose the breach, the revelation that senior management sold shares just days after the hack was discovered and that consumers wanting to join Equifax’s free identity theft protection program had to initially agree to terms that included an arbitration clause.
Step one, is obviously to do better with those issues, Hoff said. Beyond that, he added, Equifax would do well to “take a page out of their own playbook.”
While Hoff was at Equifax, he explained that the company faced a “public perception problem,” as some consumers were distrustful of the level of data and privacy protection that major reporting agencies, such as Equifax, and data aggregators were providing for their information.
“Instead of shirking from this perception, Equifax commissioned a Harris Poll survey of consumers to determine the precise nature of the public’s concerns and fears pertaining to data protection and privacy,” Hoff said. “The company also retained thought leaders in the field of privacy – who, in fact, had not always agreed with Equifax’s policies…to conduct an internal privacy audit to determine how the company can be more transparent and better satisfy the public’s concerns that the company was being a good steward of its data.”
This was “extremely effective” at the time and the same would likely be true now, Hoff observed.