Most cybersecurity experts now agree that organizations should be planning incident response strategies for when, not if, their companies experience data breaches.
Credit reporting agency Equifax learned this lesson the hard way when it was hit by a cyberattack that exposed addresses, Social Security numbers and financial information for 134 million customers. Equifax is the latest in a line of breaches at large companies, following major incidents at Wells Fargo and Yahoo, among others, in the last year.
In the current cybersecurity threat landscape where breaches are all but guaranteed, companies often fall short of the regulatory standards set forth for data security. Regardless, regulators don’t seem to be letting up.
Government’s Privacy Pressure
Although cybersecurity’s regulatory landscape has perhaps not kept pace with the rate of data collection and hacker exploits, it has certainly expanded over the last few years at both the federal and local levels. These emerging regulations keep information governance staff on their toes.Specifically to Equifax, the Fair Credit Reporting Act of 1970 (FCRA) and its amendments in the Fair and Accurate Credit Transactions Act of 2003 (FACTA) were instituted at the federal level to ensure that third-party credit bureaus can use and retain consumer information.
Steve Rubin, head of the cybersecurity practice at Moritt Hock & Hamroff, expects that both will likely prove problematic for Equifax. “Those were both enacted to deal with companies like Equifax,” Rubin said.
Although Equifax may have taken all reasonable steps to secure its data, it’s often not possible to be one step ahead of cyberattacks. Nevertheless, Rubin said that the sensitivity of information at many companies like Equifax at this point is likely a stronger factor than how hard the company may have tried to secure that information. “They had to do what they needed to do. That all said, you can’t be hack-proof. It’s possible at the end of the day they did take all reasonable measures,” Rubin said.
“Settlements will occur well before they find out if [Equifax] took reasonable measures. They had to take fairly extraordinary measures to protect the data; I don’t know if they did that,” Rubin added.
Karen Hornbeck, senior manager at Consilio, further explained that if companies are going to retain highly sensitive consumer information, especially identifying information that cannot readily be changed, data handling processes set forth by regulators are a reality that companies will need to deal with.
“Companies have to start doing more from the technical and the people aspect, or they can only expect more and more regulation to start coming down the pipe. It’s one or the other. If companies don’t start doing it themselves, then the government is going to have to,” Hornbeck said.
In fact, the inevitability of cyberattack is prompting legislators at the state level to step up data breach notification and remediation policy in their states. “I think we’re going to see more and more states at the state level come out with regulations for companies that do business in their state and for issues that impact residents of their states. This is just going to spur it on more and more,” Hornbeck said.
While the Equifax hack can be attributed to external hackers, oftentimes data breaches are caused by internal mishaps. Wells Fargo’s recent data breach, which exposed financial information for over 50,000 of the bank’s customers, was the result of an attorney unintentionally handing over highly sensitive client financial information to another litigator.
Regulators, however, don’t differentiate in how they apply these mandates to data breaches caused by malicious hackers and those caused by human error. “The human component is just as important as the tech component,” Rubin said, adding that he didn’t anticipate regulators would apply policy any differently based on the type of breach. Wells Fargo’s recent breach drew scrutinyfrom the Financial Industry Regulatory Authority.
Planning for Disaster
Regulatory scrutiny around FCRA and FACTA paired with the high likelihood of a data breach make incident response a key piece of a company’s success following a data breach. Equifax’s response showed strength in some places, but significant weaknesses in others.