I was at a conference last May, when GDPR was a year out, and a number of the sessions and keynotes focused on preparedness. At one of the sessions I attended, I asked if legislation similar to GDPR would ever be implemented in the United States. The speaker chuckled and said no, she couldn’t imagine Congress getting its act together for data protection on that level (I couldn’t disagree, considering how security and privacy legislation languishes). But she did add that because almost any company is now capable of doing business with EU citizens, GDPR should make an impact on the protection of American PII. I hope she’s right because here is an excellent reason why we need it: The Equifax breach is worse than we thought.
I probably wrote that phrase more than once since the Equifax breach happened. In fact, I write it quite often after every major breach, because all tend to be worse than they initially appear. But now it is coming to light that Equifax did not reveal all of the types of data compromised. According to ZDNet:
A letter published Friday by committee member Sen. Elizabeth Warren (D-MA) to acting Equifax chief executive Paulino do Rego Barros summarized the senator's five-month investigation into the Equifax breach, which said exposure of tax identification numbers (TINs), email addresses, and additional license information -- such as issue dates and by which state -- was not originally disclosed.
And we have no legislation that will hold Equifax accountable for not being upfront or to do anything beyond some public relations gestures to protect customers from identity theft.
Of course, GDPR isn’t a magic bullet and we aren’t going to see data breaches disappear. As Carl Wright, chief revenue officer for AttackIQ, said to me via email comment:
Perhaps not surprisingly, it turns out that hackers behind the devastating Equifax breach managed to access even more data than previously suspected. That said, attackers are constantly developing and refining techniques to gain access to bigger and more lucrative targets. Even global enterprises need to assume that attackers will either find a way to enter their network or are already in and attempting to steal valuable data. As is evidenced by the massive Equifax breach and countless others, organizations are still unable to prevent these kinds of attacks, despite spending a significant amount of money on security infrastructure and investing more and more in next-generation solutions on an annual basis.
So, data breaches are going to continue to happen. GDPR will require U.S. companies to be more forthright with EU residents in a breach aftermath. Will they be more open with Americans?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba