Equifax lesson: It's time for tougher rules, regulations, fines to combat breaches

Can oversight and stiff punishments spur enterprises to prioritize cybersecurity and secure their data?
Written by John Fontana, Contributor


Jeez, I turn my head for a couple months and things go to hell.

Just when it looked like the end-user population might rally the torches and pitchforks against passwords and demand stronger access controls, we are reminded on the back end of the numerous cracks that permeate corporate cybersecurity and the liability that is data collection and storage.

There is colossal failure among corporate digital gatekeepers, an ineptitude usually reserved for the other end of that spectrum: end-users with crappy passwords.


The debacle with Equifax is our latest proof, including nearly half the US population as victims, sensitive data that is fuel for re-victimization, poorly maintained systems, suspect reporting, predatory remediation tactics, sacrificial "retirements," and potential insider stock trading.

The Equifax drama and other major hacks are the equivalent of Netflix binge watching -- one episode after another that you can't take your eyes off. Except here, you are (potentially) involved in the drama.

So, where do we go from here to reduce these all-too-familiar breaches?

Equifax's cleanup may take two or three years to clear the courts, but the focus now must be on mandating a foundation of breach protections that at least minimize victims and data loss.

Breaches won't disappear, but cybersecurity processes and policies that companies strategize and execute have to become more sophisticated, calculated, and measurable. And in most cases, regulated and reported.


Financial penalties need to be deep enough to elicit compliance, and states and federal courts need to standardize legal parameters that help prevent initial data theft, as well as clean up the on-going mess when prevention doesn't go as planned.

The goal is to shake complacency out of companies that mock cybersecurity with their shoddy work, and to remove victims from the brunt of this impropriety.

Regulatory mandates should be developed to foster stronger cybersecurity and to fuel penalties that strike directly at a company's first priorities -- revenue and stockholder value. Perhaps then cybersecurity will become a first priority, too.

The Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), and the Federal Communications Commission (FCC) have all been increasing cybersecurity enforcement over the past few years.

In 2015, the FCC completed its first-ever data breach action involving a cable operator, settling the incident with Cox Communications. The company was eventually required to adopt a comprehensive compliance plan including an information security program with annual system audits, internal threat monitoring, penetration testing, and additional breach notification systems and processes to protect customers' personal information and proprietary network information. The plan is being audited yearly until 2022.

Also that year, the FTC, using its Safeguards Rule that covers customer data protection, sued Wyndham Hotels over inadequately investing in computer security after 600,000 customer records were exposed in 2008 and 2009. Wyndham had made claims to safeguard user data via its privacy policy. The FTC's Safeguards Rule covers, among other businesses, credit-reporting agencies.

In 2016, the SEC settled with Morgan Stanley, which agreed to pay a $1 million penalty relating to its alleged failure to adopt written policies and procedures reasonably designed to protect customer records and information. The alleged transgressions violated the agency's Safeguards Rule.

These are all steps in the right direction, but what's needed are financial penalties that hurt.


The European Union is an example with its General Data Protection Regulation (GDPR), which goes into effect in May 2018. The GDPR gives data protection authorities more investigative and enforcement powers along with clearance to levy substantial fines. These are fines for companies that through their actions (or inaction) clearly take data protection for granted. The GDPR defines "substantial" as $20 million or 4 percent of revenue, whichever is greater.

For example, if Equifax were subject to GDPR, its 2016 revenue of $3.144 billion would trigger a $124 million fine on top of other breach costs such as legal cases and damage to brand, reputation, and trust. In the Morgan Stanley example above, a fine under GDPR, given the firm's $37.95 billion in 2016 revenue, would have been $1.5 billion, not $1 million.

Could this math get the attention of corporate executives and stockholders? It should. As of last week, Equifax lost $9.75 billion in market value and heard analysts warn of even deeper losses. Equifax stock dropped from $121.64 on Sept. 11 to $90.64 on Sept. 14. For an investor with 1,000 shares, that's $31,000, and, perhaps, a demoralizing double-dip if the investor's personal information was part of the breach.

"Boards are now feeling the pressure and responsibility to make sure this stuff doesn't happen," David Hickton, a former US attorney who now directs a cyberlaw institute at the University of Pittsburgh, told the Houston Chronicle last week.

For victims, federal courts should uniformly align on the issue of "standing," which means recognizing that breach victims face on-going harm and can seek penalties via a legal process. In the Equifax case, future harm for breach victims is almost a certainty.

Federal appellate courts, however, are currently split when reviewing trial court decisions involving data breach litigation, specifically in regard to "standing." Opinions get tricky when data has been stolen, but not misused.

Reuters legal columnist Alison Frankel said earlier this month, "sooner or later, the US Supreme Court will probably have to resolve uncertainty among the federal appellate courts on the standing of data breach victims facing increased risk of identity theft."

In addition, breach-reporting laws need to become uniform across states or be supplanted by federal law. Currently, 48 states have a myriad of laws that govern how companies need to report data breaches. Companies that are breached and have user data stored in multiple states encounter a quagmire of conflicting legalese before reporting.

Will putting teeth in rules, regulations, and victims' rights become a sign of the breach times? Will the feds and other regulatory bodies judge hacked companies by their pro-active defenses rather than post-breach declarations? And will negligence become the damning scarlet letter, and financial Armageddon trigger, for hacked companies?
