Despite occurring in 2017, the Equifax breach continues to make headline news. Earlier this month, the United States Senate House Subcommittee on Investigations published a report detailing Equifax’s cybersecurity shortcomings that ultimately led to the devastating breach that impacted nearly 150 million people — and let’s just say the report’s findings don’t hold Equifax in a favorable light.
In part one of this two-part series, we delved into the report’s findings and results of the investigation. Key findings demonstrated Equifax’s ineffective patch and configuration management significantly contributed to the breach. In this concluding second part, we will discuss the Senate’s recommendations while offering our feedback.
- “Congress should pass legislation that establishes a national uniform standard requiring private entities that collect and store PII to take reasonable and appropriate steps to prevent cyberattacks and data breaches.”
The report notes that while a number of well-known cybersecurity recommendations already exist, there isn’t a mandatory framework for cybersecurity, and “there is no federal law requiring private entities to take steps to protect” personally identifiable information (PII). The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework lays out standards, guidelines and best practices to manage cybersecurity-related risks, but it is voluntary, and without a strict obligation, cybersecurity can fall through the cracks, as Equifax exhibited.
While the NIST framework is not designed to replace existing processes, organizations can enhance their current standing by overlaying their existing processes onto the framework to identify gaps in their current approach to cybersecurity and develop a game plan for improving their posture.
A national standard would not have prevented Equifax’s breach, but it would effectively communicate the type of information subject to protection as well as the penalties for failing to do so. This clarity would allow companies and consumers to be on the same page when it comes to the handling of PII. In short, we need a data protection standard in place to help ensure the next breach is less damaging for consumers.
- “Congress should pass legislation requiring private entities that suffer a data breach to notify affected consumers, law enforcement, and the appropriate federal regulatory agency without unreasonable delay.”
While the Senate report notes “All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring data breach notification laws,” a uniform federal or national standard requiring private entities to notify individuals impacted by a data breach does not exist. Unfortunately, this approach has enabled states to take “significantly different approaches to notification standards with different triggers for notifications and different timelines for notifying individuals whose information has been stolen or improperly disclosed.”
While state laws are valuable and should be respected, basic federal guidelines would help to confirm that all Americans can expect a timely notification and sufficient data protection so that the impact of the next breach is mitigated. The key here is the term “without unreasonable delay.” That gives companies and government agencies who experience data loss time to assess the extent of the breach and determine how it happened, collect and preserve evidence, and discover information that will help prevent future incidents. It also allows impacted individuals to take any remediation steps needed to protect their identities. Consumers need actual notice of the organizations maintaining their sensitive personal information and the right to have it securely destroyed or otherwise rendered inaccessible.
- “Congress should explore the need for additional federal efforts to share information with private companies about cybersecurity threats and disseminate cybersecurity best practices that IT asset owners can adopt.”
Ah yes, the collaborative approach to cybersecurity. Because hackers and bad actors are constantly working to advance cyber threats, the report calls for cybersecurity professionals to work together. Collaboration between government organizations and private companies only serves to raise the collective security of the nation, allowing everyone the opportunity to stay ahead of increasingly sophisticated attackers.
Unfortunately, the report noted that Information Sharing and Analysis Center (ISAC) participation is “voluntary, formal meetings are rare, and ISACs are funded by members.” To combat this complacency, the government should consider creating a classified network to share information on cyber threats with private companies critical to the nation’s economy.
- “Federal agencies with a role in ensuring private entities take steps to prevent cyberattacks and data breaches and protect PII should examine their authorities and report to Congress with any recommendations to improve the effectiveness of their efforts.”
Similar to the previous recommendation, this advice highlights the importance of information sharing, but recommends that federal agencies report their findings to Congress in order to improve defenses. As the report underscores, information sharing is essential to the protection of critical infrastructure and to furthering the nation’s cybersecurity.
As such, the government needs the ability to assess whether companies that hold sensitive consumer data are adequately protecting it as well as a transparent process to share the results of any improvements made with consumers. Congress also should know whether breached companies failed to follow best practices or, at least in the case of Equifax, “neglected cybersecurity,” and, as a result, if they should face liability.
- “Private entities should re-examine their data retention policies to ensure these policies properly preserve relevant documents in the event of a cyberattack.”
One of Equifax’s biggest mistakes was failing to preserve crucial internal chat records related to the data breach. Without these records, it was difficult for the Subcommittee to complete a comprehensive investigation. Consumers should no longer bear the burden of poor data security. Companies that collect and store sensitive consumer information need to be held accountable when they’re unable to protect it, and making sure key documents are preserved goes a long way toward ensuring that is the case.
Since the breach, Equifax has added four new directors and created an “audit framework” aimed at giving C-level executives understandable security benchmarks that can make it easier to record progress. And according to Computer Weekly, “The company has drawn up plans to spend $1.25b more between 2018 and 2020 on security and information technology as a result of the incident.”
While these are solid recommendations from Congress, those of us at Automox also recommend developing effective patch management programs that leverage automation and teaching your staff about the vital importance of cybersecurity. Whether due to a lack of preparedness or simple oversight on Equifax’s part, the company’s poor handling of the 2017 incident was shocking given the highly sensitive consumer data involved.
The consumer credit reporting agency’s substandard cyber hygiene and delayed response further illustrate the need for a more sustainable approach to cybersecurity. Beyond federal standards, Congress should consider whether companies like Equifax are incentivized to adequately protect the sensitive consumer data they’re in charge of. And, of course, practicing simple cyber hygiene would have gone a long way in the case of Equifax.