The Equifax breach that affected an estimated 143 million Americans is making the rounds in mainstream media, more so than the other big whammies of the past few weeks (i.e., Deloitte, the SEC, Sonic, etc.). Public perception is that the Equifax incident has/will have a more direct and significant impact on the lives of ordinary citizens than other recent breaches, hence coverage in every media outlet. While on the surface this might be true—it is consumer PII that was lost to the intruders—B2B-focused breaches often net the same result. Only, the average American doesn’t realize it.
Correct or not, the public commotion has spurred a couple of state attorneys general to independently draft legislation that places the onus for lost credit-related data on the credit bureaus themselves. Attorneys General Andy Beshar of Kentucky and Maura Healey of Massachusetts have both stated that the management of the Equifax data breach disclosure and the company’s ensuing actions have been objectionable, and that companies handling such sensitive data need to act more responsibly—from the get-go, not just when a disaster strikes.
To address this concern, both AGs have drafted bills which require credit bureaus to pay for consumer credit freezes and monitoring rather than forcing consumers to do so. They want breached bureaus to provide longer term identity theft prevention mitigation services (the bills stipulate 60 months, or 5 years, versus the 3 months normally offered by credit bureaus today). They want companies to obtain express, written consent before requesting or accessing a consumer’s credit report. And they want entities to be required to encrypt, “to the extent technologically feasible,” personally identifiable information, both as its being transmitted and while it is stored. More details of the Healey bill can be found here.
It’s a sad state of affairs when state legislatures have to tell private businesses how to conduct business to protect consumers. Protecting customers should be standard operating procedure. As those in the security industry know, though, routinely it’s not. Speed, agility, and cost cutting are objectives often placed before security, and we’ve seen very few repercussions from data breaches/losses. Yes, some of the bigger breaches have resulted in new technology implementations, class action lawsuits, fines, short-term hits to stock price, etc., but how many of the headline cases have resulted in long-term financial or reputational loss? How many of the breached organizations are now out of business? How many executives have lost their jobs because of a breach that affected customers? None to very few, on all counts.
Because of this, businesses are not highly incentivized to improve defensive measures (much less, preventative ones). Cybersecurity has become a “boardroom topic” to an extent, but only inasmuch as it affects risk. Risk is an element of running a business and, to date, the risks of a largescale data beach aren’t enough to spur companies to do the “right thing” by security standards.
State legislatures, if they’re adamant and maintain enough stamina, could affect an effect by increasing credit bureaus’ responsibility—but only if these bills pass and only if additional states follow suit.
Still that might not be sufficient. Though the Equifax breach is perceived by the mainstream as worse than others, all breaches impact citizens and therefore similar types of increased consequences should be placed on organizations that require and store personal information. Court cases around the Office of Personnel Management (OPM) breach show us that consumers have limited ability to claim harm when an organization loses their data—the obligation is on the plaintiff to prove damages, and in identity theft cases, in particular, damages could take years to surface. Therefore, if the entry costs—i.e., the ability to collect and store PII—are higher right out of the gate, perhaps organizations will think a little harder before allowing lax security practices to linger.
For certain, information security is a complex discipline and no matter what businesses do, breaches will occur. However, if the risk of losing consumer data is higher, businesses are sure to start seeing it less as an ancillary risk and more of a core obligation.
To learn more about how to protect your organization's data and impending data protection legislation, attend InfoSec World Conference in Orlando, Florida, March 19-21, 2018.