As Equifax scrambles to address the massive damage caused by the recent data breach, which affected 143 million U.S. consumers and leaves them vulnerable to identity theft for the rest of their lives, one cannot help but wonder why it was allowed to happen in the first place. Why did Equifax not face the constant monitoring and auditing that the banks do? Why can Equifax, and most probably will, fall through the regulatory cracks and get away with no major penalties?
Because there are no national data privacy standards, no uniform data breach notification standards, and no strong penalties for failing to apply the necessary technologies, checks, and balances.
Let’s examine a couple of things.
First, did Equifax have basic security in place? The answer is a glaring NO. Their application had a vulnerability that they did not bother to update and patch. Even worse, they kept highly sensitive identity data in files without encryption; this should have been an easy control to implement and is in fact required by most regulations, such as PCI, HIPAA, GLBA, and GDPR. Equifax is a repository of the most sensitive financial data and has long been known to be a prime target for hackers globally, so it is highly surprising that their security was so weak. But again, if there are no regulations and no penalties for a data breach, why would they invest enough in securing our sensitive information?
Second, just a few hours before Equifax Inc. announced its data breach, Congress was actively discussing a bill to reduce penalties for credit-reporting companies accused of providing consumers with inaccurate credit reports. This is one of many examples of the current administration supporting pushback against increased regulatory scrutiny of an industry. What is the current administration up to? Rather than implementing data privacy and security regulations to benefit consumers, they are moving backwards and rolling back privacy regulations!
For instance, they nullified the US Consumer Privacy Act last April, in spite of a major uproar from consumer privacy groups. Fewer regulations in data privacy means fewer IT security controls, which in turn will cause many more breaches like Equifax in the future. Removing regulatory requirements on IT security would also exacerbate identity theft, fraud, and cyberterrorism.
“Oversight of data privacy and security needs to become a high priority issue for regulators and policy makers,” said CipherCloud founder and CEO Pravin Kothari. “US lawmakers must take action to enact data protection regulations similar to GDPR if they want to minimize such economic threats and cyber terrorism to Americans.”
While the European Union (EU) continues to make progress on data privacy regulations, the U.S. continues to lag behind and, as a matter of fact, is going backward. The EU's General Data Protection Regulation (GDPR) would require Equifax to pay a severe penalty based on its global revenues. GDPR and similar regulations require breach disclosure within 72 hours, but Equifax took over 6 weeks to disclose the breach while the sensitive information was in dangerous hands. That is ample time for hackers to do some real damage! When will the government wake up and smell the coffee?