It’s time we talked about Equifax.


One of my colleagues reminded me last week that I have been promising something on Equifax and why they have been in the news lately about their 2017 breach. I had left it till the last minute, and then many of you may have seen even more media commentary over the last week. So, I am not putting this off any longer. It’s a bit of a strap-yourself-in thing. What I will be discussing in this article should be of interest to everyone, globally, who:

  • Uses credit
  • Is part of an executive leadership team and/or board of any organisation that stores and/or transmits any kind of Personally Identifiable Information (PII), not just Payment Card Industry (PCI) information
  • Is a Directors & Officers insurance broker or underwriter
  • Is a legal advisor
  • Is part of the IT security community

It’s a lot of stakeholders, isn’t it? This shows how far and wide the impacts of a cyber incident can go, and this one is a whopper. If the way it was handled, and the way it has gone since, especially in the last week, is any indication, then there are turbulent times ahead for those listed above. Equifax is just one of many data breaches, and they keep happening.


“I’ve never heard of Equifax so couldn’t care less…”


That’s easy for you to say. For a long while now there has been a global hegemony of credit monitoring agencies. The very big global players are Equifax and Experian; there are smaller players in each region. Some of you Aussies may remember a local company called Veda, but they were slurped up by Equifax in February 2016. That, by the way, was before Equifax’s big data breach, so sit up straight Australia – more on the breach coming up next.

Without you knowing (you consented when you applied for credit – it’s in the fine print), these companies track and report on your credit activity – loans, credit cards etc. They not only track whether you paid on time or defaulted; they can also track when you have been knocked back on a credit application. None of this is information you want just anyone to have access to, I think you will agree. You may have a below average credit rating and not know it if you have been knocked back for credit.


“So what happened to Equifax and could I have been affected?”


Equifax made public in September 2017 that they believed their systems had been breached between May and July 2017, exposing ~145 million customer records. Information that was taken included credit card details and other PII. In March 2018 they announced that a further 2.4 million customers may have been impacted. This is old news and there is a good summary here; in short, vulnerable technology was exploited:


“Can consumers take action against the company for not securing my information?”


Absolutely. This is very recent news:

Cyber insurers, brokers and lawyers have long been pointing out that, as part of the “long tail” of costs from a cyber incident, there can be massive compensation costs for those affected, in the form of class actions. Whilst traditionally thought of as a very US legal activity, Australia has more than its fair share of litigation funding law firms.

In this case it took a few years, but it sets a precedent that will be followed for other data breaches.


“What did Equifax do about it once they became aware?”


Anyone who knows me will attest to the fact that I never shut up about cyber incident response planning. I typically start a conversation on the topic by stating that “the only way to reduce the brand and reputational damage of a cyber incident is to handle it well.” Handling it well requires careful preparation with expert advice. All response planning needs to involve the executive leadership team (ELT), with oversight from the board.

The good news here for anyone looking at cyber incident response planning is that Equifax have taught us exactly what not to do:

My personal favourite of the failures is that, rather than finding a big rock to hide under, “the former chief information officer of an Equifax business unit took advantage of nonpublic information to dump nearly $1 million in stock…” prior to notification. “Hey team – can we hold off telling anybody about our potentially criminal ineptitude until I’ve sold a few shares?”


“I’m a Director and/or member of the executive leadership team of an organisation that holds PII, what concerns should I have?”


Directors and officers of any organisation are responsible for cyber incidents. Law firm Norton Rose Fulbright puts it like this:

In Australia, the emerging view is that managing cyber risk falls under the risk management umbrella of boards of directors. All directors and officers have a key responsibility to ensure that companies adopt appropriate risk management strategies to protect the company and its shareholders.

We would suggest boards and their advisors be pro-active about these risks. Organisations will always fare better with regulators and the law if they have taken measures, or at the very least are acting on a remediation plan.


“What has the US Federal Trade Commission (FTC) done about it?”


The FTC took issue with Equifax in many areas. Long story short, at the end of July 2019 they settled over the breach for USD 575 million, potentially rising to USD 700 million (however that works).


“I’ve heard that I can get USD 125 back from a settlement?”


Whilst impacted consumers may be owed a lot more and can actually claim more, the FTC estimated that the settlement would allow for a payout of USD 125 per claimant. Apparently the overwhelming response from people requesting compensation, combined with the structure of the FTC settlement, means that people will be lucky to get $1:

Equifax is hoping not to see many more class actions. But less than $1 in compensation is a joke. If the FTC can’t find adequate compensation, then let’s hope we can see more coming from the courts.

As always, feel free to get in touch with one of our experts for a chat on how we can help with cyber incident response planning.


-Fergus Brooks, Chief – Cyber Risk at CTRL Group