A US Senate report on an investigation into the monumental Equifax breach chastises the company for lax security, and proposes heading off similar incidents in the future – by making American companies punishable by law for mishandling personally identifiable information.
The 67-page report is replete with information on the 2017 incident, including that Equifax was aware it had cybersecurity deficiencies as early as 2015. One statement in the report, though, could serve to summarize the investigator’s findings:
“Equifax was unable to detect attackers entering its networks because it failed to take the steps necessary to see incoming malicious traffic online.”
The Executive Summary is a few pages long, but it aggregates the key findings. Those curious to learn more can access the report here.
For those tired of reading stories covering the incident, an interesting proposal in the Senate’s report would create an American version of the E.U.’s General Data Protection Regulation. In short, the breach has convinced some lawmakers that America needs its own unified legal framework for protecting personally identifiable information of residents in all 50 states. Under Findings of Fact and Recommendations (page 11), the upper chamber of the legislature proposes the following:
“Congress should pass legislation that establishes a national uniform standard requiring private entities that collect and store PII to take reasonable and appropriate steps to prevent cyberattacks and data breaches. Several cybersecurity recommendations, including a widely known framework from NIST, already exist. However, the framework is not mandatory, and there is no federal law requiring private entities to take steps to protect PII.
Congress should pass legislation requiring private entities that suffer a data breach to notify affected consumers, law enforcement, and the appropriate federal regulatory agency without unreasonable delay. There is no national uniform standard requiring a private entity to notify affected individuals in the event of a data breach. All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring data breach notification laws. In the absence of a national standard, states have taken significantly different approaches to notification standards with different triggers for notifications and different timelines for notifying individuals whose information has been stolen or improperly disclosed.”
The report outlines some of this new law’s scope, such as forcing private entities to re-examine their data retention policies.
In related news, outspoken politician Elizabeth Warren last week proposed an amendment that would establish criminal liability for negligent executive officers of major corporations. The Corporate Executive Accountability Act seeks to fine and even imprison executives of companies that suffer data breaches or engage in scams. The act would apply to entities that turn over $1 billion or more annually.
Equifax’s blunder, revealed soon after the WannaCry and Petya ransomware pandemics that same year, has served as inspiration for legislators and corporations alike on a global scale. Two years after the incident, the repercussions are still palpable for the credit reporting agency, highlighting once again the importance of having the right tools and processes to keep hackers at bay.