By Christopher Mims
There are two things we can count on in the wake of the Equifax
breach, already credited with exposing a majority of American
adults to the possibility of identity theft. The first is that more
and potentially worse breaches are in our future. The second is
that companies will need to be prodded toward smarter cybersecurity
practices and faster reporting of breaches.
Details of the breach -- which Equifax said it discovered in
late July -- have only recently been revealed by the
credit-reporting company and by Mandiant, the cyber forensics firm
it hired. However, the enormous loss of data appears to have been
the result of an unpatched vulnerability, which allowed hackers to
roam freely inside Equifax's computer network for more than four
months. (In a report, Equifax said it "took efforts" to fix the
compromised system.)
The Federal Trade Commission and the Federal Bureau of
Investigation are investigating, and the first of what's expected
to be a wave of lawsuits by state attorneys general has already
been filed. But punishing Equifax isn't the same as minimizing the
impact of similar disasters. For that, we're going to need
something anathema to the tech industry and especially companies
that have been hacked: transparency.
It isn't coming voluntarily. There's already a patchwork of
data-breach disclosure laws passed by 48 different states, yet none
have been strong enough to get companies -- wary of increased costs
and hits to their reputations -- in line. Newly proposed federal
regulations could be, if they can get bipartisan support.
"Equifax has had a very poor response and I'm disappointed in
them," says Rep. Jim Langevin (D., R.I.), one of the members of
Congress behind the new regulatory push. "As good corporate
citizens I believe Equifax owes much more transparency to
consumers."
Equifax didn't respond to requests for comment.
Many firms share information with each other through
cybersecurity back-channels, but participation is entirely
voluntary. That's one reason the European Union passed the General
Data Protection Regulation, going into effect May 2018, which will
force companies that do business in the EU and the United Kingdom
to promptly disclose when personal data is breached.
Lawmakers in the U.S. are urging Congress to follow suit. Rep.
Langevin reintroduced the Personal Data Notification and Protection
Act, first proposed by President Obama in 2015. Co-sponsors include
Rep. Ted Lieu (D., Calif.) and Rep. Carol Shea-Porter (D., N.H.).
All three are members of the bipartisan Congressional Cybersecurity
Caucus.
Meanwhile, Republican lawmakers are gearing up for hearings that
will surely include grilling Equifax executives, but have yet to
call for regulations. House Energy and Commerce Committee Chairman
Greg Walden (R., Ore.) has said that until those fact-finding
hearings are complete, he doesn't want to pre-emptively put forward
legislation.
Many companies and analysts object to proposed legislation, in
part because they believe that should it come to pass, companies
would prioritize compliance -- following the letter of the law and
appearing to do the right thing -- rather than actually dealing
with the fast-moving problem of cybersecurity, says Andrea
O'Sullivan, program manager of the technology policy program for
the pro-market Mercatus Center at George Mason University.
Companies don't want to be embarrassed or face the increased
costs of having to disclose when people's data is leaked, and there
is also a concern that should companies be forced to report every
breach, it could lead to "data breach fatigue," where regulators
are overwhelmed and the public throws up its hands at a problem
that feels too pervasive to fix. (One could argue we're already
past that point.)
Transparency could actually give companies herd immunity.
Existing voluntary breach reporting systems allow companies to
share data on the nature of cyberattacks as soon as they occur. If
reporting were mandatory, more companies could be quicker to defend
against new attack vectors and new bad actors.
And, needless to say, strong cybersecurity is quickly becoming a
selling point for savvy financial businesses.
Even regulation-averse politicians have cause to support a
data-breach disclosure law at the federal level, says Rep.
Langevin. It would simplify the issue for businesses by pre-empting
the patchwork of 48 state laws, dating back to 2003, that currently
govern what companies have to do in the event of a breach of
personal data.
Rep. Langevin argues that, had it been in place already, the
Personal Data Notification and Protection Act would have had a
direct impact in the case of the Equifax hack, and in previous
hacks that inspired the bill.
Under this proposed legislation, Equifax would have had to
disclose its breach within 30 days -- not the six weeks it took --
to the FTC and the Department of Homeland Security, which would
become central clearinghouses for breach information.
Companies that fail to meet the requirements would face a raft
of penalties, including fines of up to $1 million per violation.
They'd be liable for civil penalties in lawsuits from state
attorneys general, with no limit on the damages that could be
recovered if the company is found to have acted willfully or
intentionally.
Even absent such efforts at the federal level, the coming EU
regulations will force many large U.S. companies to get better at
cybersecurity and, more important, improve their data collection
and storage policies, says Charlie Wedin, a partner at
international law firm Osborne Clarke. His firm is helping
companies prepare for the EU rules. "What compulsory breach
notification is doing is putting this on the board agenda, and
they're focusing on this like never before," he says.
What we really need to do is start treating data safety with the
same seriousness we apply to airplane and automobile safety.
This could happen with a one-two punch of regulatory and
market-based solutions. Forced to buy car insurance, we make
certain economic decisions about how, what and when we drive.
Meanwhile, seatbelt laws have saved millions of lives. Along these
same lines, mandatory disclosure would force companies to think
more about their security in the first place -- and even consider
buying cyber insurance. And damage done by irresponsible companies
could be minimized.
When Equifax was breached, hackers got birthdates, Social
Security numbers and other hard facts about most of us. This data
has the power to ruin our financial lives, so it's time we all took
interest in its protection.
Write to Christopher Mims at christopher.mims@wsj.com
(END) Dow Jones Newswires
September 24, 2017 08:14 ET (12:14 GMT)
Copyright (c) 2017 Dow Jones & Company, Inc.