What have we really learned from the Equifax breach?

ONE YEAR LATER - What have we really learned from the Equifax breach?

Written by AVANI DESAI on Nov 12, 2018

Equifax announced the data breach that shook the world in September 2017—three months after the company discovered it. Malicious actors snatched consumer data by making the most of a security flaw within a tool used to build web applications. Equifax eventually admitted that it knew of the security flaw months before disclosing the breach.

In March 2018, Equifax reported that the breach victimized 2.4 million more Americans beyond the original estimate of 145.5 million. The company had unwittingly turned over their names, addresses, ID images, Social Security and driver’s license numbers, and passport data. Equifax pledged to notify victims and provide identity theft protection and credit monitoring.

And now, a year later, Equifax awaits another set of verdicts. Will the company pay for having leaked sensitive personal information to those bent on identity theft? Will states’ attorneys general and civil lawsuits point the finger of blame at Equifax? And will a frustrated Congress piggyback on the data breach disclosure laws now operative in all 50 states? Experts continue to question if U.S.-based companies should report a data breach within 30 days and if executives should face up to five years in prison for breach concealment.


One thing is for sure. The Equifax breach was a watershed moment for security professionals, C-suite executives, and the public relations, compliance and legal team members who plan for and respond to data breaches. Among the key areas of impact are the following:

Assumption of accountability: Before the Equifax breach, people assumed that the company had the controls to safeguard privacy and security. Post-breach, a growing number of organizations have accepted accountability for third-party performance, according to Avani Desai, president of Schellman & Company, a security and privacy compliance assessor. The result: an uptick of internal third-party vendor management to ensure proper testing of controls.

Attention to monitoring: “Organizations are more interested in monitoring specific pieces of personal and confidential information,” says Ron Schlecht, managing partner at BTB Security, an information and IT security company. “Independent of regulations or compliance guidelines, these organizations now compel vendors to install, monitor and test adequate security protections.”

Enhanced consumer awareness: Both 2017 and 2018 were banner years for consumer awareness. For the first time, consumers developed genuine insight into the significance of safeguarding data, privacy and security.

“Five to 10 years ago, consumers didn’t realize the impact of stolen data,” says Desai. “Today, they’re more mature and demanding and pose questions like ‘Are you giving my data to a third party? Will you be encrypting it?’”

Enhanced employee awareness: “Workers are more in tune with the fact that every organization stores personal and confidential information,” says Schlecht. “They realize that they must protect that information and understand what must be done in the event of a breach.”

Information security insight: “The breach was a wake-up call to the security community on the potential misuse of information because Equifax is a major data broker and a lynchpin to privacy,” says Schlecht. “The breach got attention because of the unprecedented number of people who were affected.”

"Send candid, supportive communications to employees, consumers, the media and anyone else affected by the breach," advises Desai. "Just as important, identify the causes and extent of the breach and specific vulnerabilities along with a pledge to prevent further data exploits."

Read full article at InfoSecurity Professional Magazine




Avani Desai is the President at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named as one of the 2017 Global Leaders in Consulting by Consulting Magazine, she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more. Avani also sits on the board of Catalist, a not-for-profit that empowers women by supporting the creation, development and expansion of collective giving through informed grantmaking. In addition, she is co-chair of 100 Women Strong, a female-only venture philanthropic fund to solve problems related to women and children in the community.