Equifax announced the data breach that shook the world in September 2017—three months after the company discovered it. Malicious actors snatched consumer data by exploiting a security flaw in a tool used to build web applications. Equifax eventually admitted that it knew of the security flaw months before disclosing the breach.
In March 2018, Equifax reported that the breach victimized 2.4 million more Americans beyond the original estimate of 145.5 million. The company had unwittingly turned over their names, addresses, ID images, Social Security and driver’s license numbers, and passport data. Equifax pledged to notify victims and provide identity theft protection and credit monitoring.
And now, a year later, Equifax awaits another set of verdicts. Will the company pay for having leaked sensitive personal information to those bent on identity theft? Will states’ attorneys general and civil lawsuits point the finger of blame at Equifax? And will a frustrated Congress piggyback on the data breach disclosure laws now operative in all 50 states? Experts continue to debate whether U.S.-based companies should be required to report a data breach within 30 days and whether executives should face up to five years in prison for concealing a breach.
THE BREACH’S IMPACT
One thing is for sure. The Equifax breach was a watershed moment for security professionals, C-suite executives, and the public relations, compliance and legal team members who plan for and respond to data breaches. Among the key areas of impact are the following:
Assumption of accountability: Before the Equifax breach, people assumed that the company had the controls to safeguard privacy and security. Post-breach, a growing number of organizations have accepted accountability for third-party performance, according to Avani Desai, president of Schellman & Company, a security and privacy compliance assessor. The result: an uptick of internal third-party vendor management to ensure proper testing of controls.
Attention to monitoring: “Organizations are more interested in monitoring specific pieces of personal and confidential information,” says Ron Schlecht, managing partner at BTB Security, an information and IT security company. “Independent of regulations or compliance guidelines, these organizations now compel vendors to install, monitor and test adequate security protections.”
Enhanced consumer awareness: Both 2017 and 2018 were banner years for consumer awareness. For the first time, consumers developed genuine insight into the significance of safeguarding data, privacy and security.
“Five to 10 years ago, consumers didn’t realize the impact of stolen data,” says Desai. “Today, they’re more mature and demanding and pose questions like ‘Are you giving my data to a third party? Will you be encrypting it?’”
Enhanced employee awareness: “Workers are more in tune with the fact that every organization stores personal and confidential information,” says Schlecht. “They realize that they must protect that information and understand what must be done in the event of a breach.”
Information security insight: “The breach was a wake-up call to the security community on the potential misuse of information because Equifax is a major data broker and a lynchpin to privacy,” says Schlecht. “The breach got attention because of the unprecedented number of people who were affected.”
“Send candid, supportive communications to employees, consumers, the media and anyone else affected by the breach,” advises Desai. “Just as important, identify the causes and extent of the breach and specific vulnerabilities along with a pledge to prevent further data exploits.”
Read full article at InfoSecurity Professional Magazine