The Equifax Breach
How the Prominent Credit Agency ‒ and Anyone Else ‒ Would Have Fared Under the EU’s Strict New Data Security Regime
Just as corporations are finally getting serious about the EU’s imminent General Data Protection Regulation (GDPR), comes news of a data breach of staggering proportions involving credit-rating giant Equifax. On September 7 the company revealed that 143 million names, addresses, dates of birth, driver’s licenses, and Social Security numbers had been stolen from its network, putting almost half of all Americans at financial risk for perhaps the rest of their lives.
“Call Us Irresponsible…”
Exactly how do millions of sensitive personal data sets get exfiltrated without anyone noticing ‒ especially from an outfit whose core business is collecting and analyzing confidential personal data? Experts say security controls should have existed at many points along the way to prevent this kind of breach.
Rahul Telang, a professor of information systems at Carnegie Mellon University, states the issue more succinctly. “You would think that somebody like Equifax would go above and beyond the standard security precautions simply because it’s sitting on such valuable pieces of data and is such an attractive target for hackers.”
You might think so, but you’d have been wrong. And yet, as egregiously as Equifax seems to have neglected basic security best practices, they are hardly alone. The lion’s share of businesses across all sizes and industries are equally remiss. In a nutshell, most would be at a loss to identify where all their user data is, who can reach it, and how they obtained it. Neither do they encrypt, continuously monitor, and safeguard their information repositories. The metaphor of sitting ducks comes to mind, and it’s hardly an exaggeration.
“Call Us Unreliable…”
In Equifax’s case, the data breach began in mid-May and continued into July. The company discovered it on July 29th, but didn’t announce it till early September. For sure, the delay will trigger numerous repercussions, but federal statutory penalties are not among them. Believe it or not, by sitting on the news of the theft for 40 days ‒ during which the stolen data was likely already being used by cyber-criminals ‒ the company violated no U.S. law. Oh, and get this: three Equifax executives sold nearly $2 million in company shares weeks before the company acknowledged the data theft.
This seemingly lawless landscape is about to be transformed, and it won’t be by an act of Congress, or for that matter, a Presidential tweet. A new sheriff is coming to town, and he’s packing heat.
Regional Rules, Global Impact
On May 25, 2018, the European Union’s GDPR comes into force. The rules are stringent, the penalties are severe, and most North American companies are not nearly ready to comply.
Never mind if you happen to be based in Brooklyn, Boston, Bangalore, or anywhere else outside the EU. You’re not immune to the GDPR, not as long as you want to keep serving European online customers or users. To get an idea of just how seriously the new regime will impact you, let’s put the massive Equifax breach under a microscope ‒ as it actually happened, and as it would be treated under the GDPR.
Truth or Consequences
40 days is a long time for millions of consumers to be kept unaware that their identities and personal data have been compromised. Still, as mentioned earlier, there is currently no federal law requiring companies to inform the public about data breaches at all. Equifax waited more than a month. Remember the even more massive Yahoo data breach? They took years to reveal it.
Radical change is on the way. Under the GDPR, a data controller (the enterprise or entity possessing the data) must notify its customers “not later than 72 hours” after becoming aware of an intrusion. If this sounds harsh, wait till you see the penalties:
Do the Crime, Pay the Fine
Failure to report a breach within the 72-hour window is punishable by fines of $12 million or 2% of the company’s total worldwide annual revenue during the preceding year, whichever is greater. Equifax’s operating revenue for 2016 was $3.145 billion. Under the GDPR, they would face a levy of about $62.9 million for not revealing the data theft weeks sooner than they chose to. A $10 billion company behaving similarly would be looking at a fine of up to $200 million.
This, just for lax reporting after the fact. The GDPR specifies equally tough penalties for allowing a breach to occur at all. Or for failing to obtain consumers’ express consent to collect and use their personal data in the first place. Or for simply not having an audit trail to prove that they did. The new rules outline, and fine, many more sins of commission or omission: 99 articles in all. It’s no wonder that GDPR compliance was ranked a top data protection priority by 92% of respondents in a 2017 PwC survey.
Don’t think of it as a crisis…
Instead, frame it as an opportunity. The EU’s new rules compel companies to adopt the rigorous data protection and management practices they should be following anyway. That’s good for everyone, right?
Stay Tuned to this Channel
In upcoming posts we’ll examine two other aspects and implications of the GDPR, specifically:
Article 17, “the right to be forgotten.” This edict creates what is perhaps the GDPR’s biggest compliance challenge. It gives an individual the right to have you delete all their personal data in your possession ‒ and do so within days of the request ‒ on pain of enormous financial penalties.
Hardening your infrastructure. Modernizing IT with technologies like software-defined object storage can take you a long way toward meeting GDPR security compliance requirements. We’ll take an in-depth look at how to accomplish this.