Lately, Equifax has attracted a plethora of commentary on how they handled their 2017 breach. As a cybersecurity expert myself, I would also like to highlight how their minimal cyber incident response plan has an array of impacts beyond the firm itself. What I will be discussing in this article should be of interest to everyone, globally, that:
- Uses credit
- Is part of an executive leadership team and/or board of any organisation that stores and/or transmits any kind of Personally Identifiable Information (PII), not just Payment Card Industry information (PCI)
- Is a Directors & Officers insurance broker or underwriter
- Is a legal advisor
- Is part of the IT security community
That is a lot of stakeholders, and it demonstrates how far and wide the impacts of a cyber incident can go. This one is a whopper, and if the way it was handled and has progressed in general, especially in the last week, is any indication, then there are turbulent times ahead for those listed above. Equifax is just one of many data breaches, and they keep happening.
“I’ve never heard of Equifax so couldn’t care less…”
That’s easy for you to say. For some time now there has been a global hegemony of credit monitoring agencies. Equifax and Experian are very big globally, and there are smaller players in the region. Some of you may recall a local company called Veda, but they were slurped up by Equifax in February 2016. That, by the way, was before the big data breach, so sit up straight Australia – more on the breach coming up next.
Without your knowledge (you consented when you applied for credit – it’s in the fine print) these companies track and report on your credit activity – loans, credit cards etc. They not only track whether you paid on time or defaulted; they can also track when you have been knocked back on a credit application. None of this is information you want just anyone to have access to.
“So what happened to Equifax and could I have been affected?”
In September 2017, Equifax made public that they believed a breach of their systems, containing ~145 million customer records, had occurred between May and July 2017. The information taken included credit card details and other PII. In March 2018 they announced that a further 2.4 million customers may have been impacted. This is old news and there is a good summary here; in short, vulnerable technology was exploited:
“Can consumers take action against the company for not securing my information?”
Cyber insurers, brokers and lawyers have long been pointing out that, as part of the “long tail” of costs from a cyber incident, there can be massive compensation costs for those affected in the form of class actions. Whilst traditionally thought of as a very US legal activity, Australia has more than its fair share of litigation funding law firms.
In this case it took a few years, but it sets a precedent that will be followed for other data breaches.
“What did Equifax do about it once they became aware?”
Strong and accurate cyber incident response planning is fundamental and is the only way to reduce the brand and reputational damage of a cyber incident. Handling it well requires careful preparation with expert advice. All response planning needs to involve the executive leadership team (ELT) with oversight from the board. The good news here for anyone looking at cyber incident response planning is that Equifax has taught us exactly what not to do: https://www.wired.com/story/equifax-breach-response/
A key failure from this cyber incident stems from the fact that “the former chief information officer of an Equifax business unit took advantage of nonpublic information to dump nearly $1 million in stock…” prior to notification: https://www.cnbc.com/2018/03/14/former-equifax-executive-charged-with-insider-trading-ahead-of-data-breach.html “Hey team – can we hold off telling anybody about our potentially criminal ineptitude until I’ve sold a few shares?”
“I’m a Director and/or member of the executive leadership team of an organisation that holds PII, what concerns should I have?”
Directors and officers of any organisation are responsible for cyber incidents. Law firm Norton Rose Fulbright puts it like this:
“In Australia, the emerging view is that managing cyber risk falls under the risk management umbrella of boards of directors. All directors and officers have a key responsibility to ensure that companies adopt appropriate risk management strategies to protect the company and its shareholders.”
CTRL Group would suggest that boards and their advisors be proactive about these risks, as organisations will always fare better with regulators and the law if they have taken measures or, at the very least, are acting on a remediation plan.
“What has the US Federal Trade Commission (FTC) done about it?”
The FTC took issue with Equifax in many areas. Long story short, at the end of July 2019 they settled over the breach for USD 575 million, potentially rising to USD 700 million (however that works).
“I’ve heard that I can get USD 125 back from a settlement?”
Whilst impacted consumers may be owed a lot more and can actually claim more, the FTC estimated that the settlement would allow for a payout of USD 125 per claimant. Apparently, the overwhelming response from people requesting compensation, combined with the structure of the FTC settlement, means that people will be lucky to get $1. Equifax is hoping not to see many more class actions. But less than $1 in compensation is rather absurd.
CTRL Group can help you with adequate cyber incident response planning should you require assistance.