Every large data breach brings about rounds of angst from the media, a rush of innocent consumers wondering how to protect themselves and find out if their PII was, indeed, compromised, and apologies from and backlash for the company. The Equifax breach is not any different in those ways.
Much has been and will be written about the breach’s details – how it happened, when it happened, who is responsible. However, I think organizations of all sizes and verticals would be wise to take a close look at the Equifax breach and learn from the mistakes made in the aftermath. The post-breach behavior was a failure of epic proportions.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=i
There is, of course, the situation of senior employees who sold stock after the data breach occurred but before it was revealed. I have two takes on this news. First, it left me speechless that it was done, and as senior executives, they should know about the breach and following the company’s data breach plan. It’s hard not to think of something nefarious going on there. Second, as senior executives, if they didn’t know about the breach, there is a serious problem in the company with its cybersecurity communication and training, as well as its data breach plan.
So, there is lesson one: Do you have policies and plans in place for how to handle a data breach or cybersecurity incident within your organization? Who are you communicating with? Do you have an action team in place that is working internally with management and externally with officials and media?
And then there is the length of time it took for the breach to be made public. As Mark Sangster, VP and Industry Security Strategist at eSentire, pointed out in an email comment, the one thing being overlooked in many cases is that the breach notices would have required Equifax to report the incident to their clients in 24 hours, not weeks. And, because Equifax retains bigger clients in New York, they are governed by DFS NYCRR rules, which dictate 72 hours for breach reports – again, not weeks. Did their clients receive notification within this timeframe? He added:
Equifax waited over a month to respond and provide breach notice. Headquartered in Atlanta, Equifax is bound by the state breach notification laws of Georgia, which require a firm to report a breach, stating, ‘The notice shall be made in the most expedient time possible and without unreasonable delay.’ In some circumstances, notification is to be made within 24 hours. Did Equifax meet this requirement and do everything in its power to protect those affected by the breach?
Lesson two: Do you know what your state’s laws are in regards to breach notification requirements? Are you prepared to meet notification laws when the incident does happen?
In a more personal note, as I browsed Twitter in the evening after the news of the Equifax breach came out, I noticed that a few lawmakers I follow lamented about the amount of time it took for Equifax to go public. I wrote to these lawmakers to ask why nothing has been done to create federal standards, especially for companies that do work across state lines. I didn’t receive any replies, but here’s my lesson three: Encourage Congress to enact laws that will require more timely notifications no matter where you live.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba