The credit bureau’s leakage and widely reported missteps in its assessment tool could proffer a cautionary tale for other organizations.
Most cybersecurity experts now agree that organizations should be planning incident response strategies for when, not if, their companies experience data breaches.
Credit reporting agency Equifax learned this lesson the hard way when it was hit by a cyberattack that exposed addresses, Social Security numbers and financial information for 134 million customers. Equifax is the latest in a line of breaches at large companies, following major incidents at Wells Fargo and Yahoo, among others, in the last year.
In the current cybersecurity threat landscape where breaches are all but guaranteed, companies often fall short of the regulatory standards set forth for data security. Regardless, regulators don’t seem to be letting up.
The Government’s Privacy Pressure
Although cybersecurity’s regulatory landscape has perhaps not kept pace with the rate of data collection and hacker exploits, it has certainly expanded over the last few years at both the federal and local levels. These emerging regulations keep information governance staff on their toes.Specifically to Equifax, the Fair Credit Reporting Act of 1970 (FCRA) and its amendments in the Fair and Accurate Credit Transactions Act of 2003 (FACTA) were instituted at the federal level to ensure that third-party credit bureaus can use and retain consumer information.
Steve Rubin, head of the cybersecurity practice at Moritt Hock & Hamroff, expects that both will likely prove problematic for Equifax. “Those were both enacted to deal with companies like Equifax,” Rubin said.
Although Equifax may have taken all reasonable steps to secure its data, it’s often not possible to be one step ahead of cyberattacks. Nevertheless, Rubin said that the sensitivity of information at many companies like Equifax at this point is likely a stronger factor than how hard the company may have tried to secure that information. “They had to do what they needed to do. That all said, you can’t be hack-proof. It’s possible at the end of the day they did take all reasonable measures,” Rubin said.
“Settlements will occur well before they find out if [Equifax] took reasonable measures. They had to take fairly extraordinary measures to protect the data; I don’t know if they did that,” Rubin added.
Karen Hornbeck, senior manager at Consilio, further explained that if companies are going to retain highly sensitive consumer information, especially identifying information that cannot readily be changed, data handling processes set forth by regulators are a reality that companies will need to deal with.
“Companies have to start doing more from the technical and the people aspect, or they can only expect more and more regulation to start coming down the pipe. It’s one or the other. If companies don’t start doing it themselves, then the government is going to have to,” Hornbeck said.
In fact, the inevitability of cyberattack is prompting legislators at the state level to step up data breach notification and remediation policy in their states. “I think we’re going to see more and more states at the state level come out with regulations for companies that do business in their state and for issues that impact residents of their states. This is just going to spur it on more and more,” Hornbeck said.
While the Equifax hack can be attributed to external hackers, oftentimes data breaches are caused by internal mishaps. Wells Fargo’s recent data breach, which exposed financial information for over 50,000 of the bank’s customers, was the result of an attorney unintentionally handing over highly sensitive client financial information to another litigator.
Regulators, however, don’t differentiate in how they apply these mandates to data breaches caused by malicious hackers and those caused by human error. “The human component is just as important as the tech component,” Rubin said, adding that he didn’t anticipate regulators would apply policy any differently based on the type of breach. Wells Fargo’s recent breach drew scrutinyfrom the Financial Industry Regulatory Authority.
Planning for Disaster
Regulatory scrutiny around FCRA and FACTA paired with the high likelihood of a data breach make incident response a key piece of a company’s success following a data breach. Equifax’s response showed strength in some places, but significant weaknesses in others.
Shortly after Equifax notified consumers of the data breach, the credit bureau launched a website, EquifaxSecurity2017.com, to help users assess whether their information had been leaked in the data breach and sign up for one year of free identity theft protection and credit file monitoring.
Equifax may have created new problems for itself, however, in the form of an arbitration clause and class action waiver the company included in the tool’s terms of agreement. While Equifax included a note in its Frequently Asked Questions section that the arbitration clause does not apply to the cybersecurity incident, swift and furious backlash from consumers forced the company to make a formal announcement on the website that use of its service does not require that users waive their rights to class action litigation.
Hornbeck said that while the company did a great job of putting together and publicizing the impact check website quickly, she found Equifax’s decision to quietly include the language in its terms of agreement “interesting.”
“It’s a mess to be honest, from the corporate perspective, from the response perspective,” Hornbeck said of the arbitration clause and its respective backlash.
Rubin added that the arbitration clause would likely be difficult to enforce. The credit bureau is already obligated to provide free credit monitoring in the event of such a breach under a number of state laws. Rubin pointed specifically to Connecticut’s data breach amendments, which calls for businesses to offer one year of free identity-theft protection service, meaning that Equifax would be obligated to provide this service regardless of whether or not consumers opted to forgo their right to form a class. “There’s no exchange there,” Rubin explained.
Further complicating matters, Equifax has also drawn public scrutiny and litigation from allegations that three company executives sold $1.8 million worth of stock before notifying customers of the data breach.
Hornbeck said that a big way that companies can learn from these mistakes is by bolstering their incident response planning. While it’s now more common practice to set up a formalized plan, Hornbeck noted that many organizations fail to drill their testing procures, leaving them susceptible to unanticipated problems.
“It is absolutely not enough to just have an incident response plan written down. You have to test that thing; you have to be sure it’s been developed and documented in such a way that it’s as airtight as it can possibly be,” she said.
This means, ideally, making sure that issues never arise. Regular penetration testing and third-party assessments can help organizations figure out how to begin addressing potential issues, including human error.
Andy Wilson, CEO and founder of Logikcull, said that for organizations using third-party vendors, as the attorney in the Wells Fargo breach attributed data leakage to, thinking through how to apply incident response standards outward is worth considering.
“I would demand to see what their quality control checklist was. If you’re going to use a human vendor, I would demand to see the checklist completed prior to the shipment of production. You don’t want to ship something before its ready,” he explained.
For Wells Fargo, some of the human error could have also come from confusing user interface design, something that could have potentially been avoided with a workflow assessment. “Most people don’t have enough time to evaluate their own workflow and look for new tools,” Wilson added.
Although keeping pace with potential hackers and leaks can seem like a truly Sisyphean task given the current complexity of cybersecurity work today, but the need to protect sensitive client data is worth the fight. In the eyes of regulators, it absolutely has to be.
“We are where we are. For whatever reason were not keeping up with the bad guys. States are going to do what they feel is correct to protect their residents,” Hornbeck said.