If anyone ever doubted the importance of data security incident response, the Equifax breach should put those doubts to rest. On top of the widespread concern about a breach affecting 143 million consumer records, there are all the hard questions about why it took Equifax more than six weeks to make the breach public. Since the announcement, the Senate Finance Committee, the Justice Department, the Federal Trade Commission, the Securities and Exchange Commission, and multiple state attorneys general have launched investigations into the breach; over 50 class action suits have been filed; three executives, including CEO Richard Smith, have been retired; the stock value has dropped over 30%; and many experts predict the breach will result in new regulatory reporting standards for the financial industry.
So why did Equifax take so long to go public? With investigations ongoing, we may not know the details for some time. But experts have speculated that the organization needed time to determine the scope and risks of the data exposure and to decide how to respond. As a global company, Equifax has to comply with data breach laws in all U.S. states and territories and, depending on the consumers affected, in 23 other countries worldwide. It presumably also has contractual requirements to notify business partners, especially for a company like Equifax, which works with more than 91 million businesses worldwide.
Complexity is Not an Excuse
Timely response to a data privacy/security incident is critical to business: not only can a slow response result in fines for noncompliance, delay also creates a negative impression with regulators, lawmakers, and the public. Breach response can be complex, and that complexity is an explanation for notification delay, but it is not an excuse.
The fact is that there are tools and processes available that not only accelerate and simplify breach response but also help ensure compliance with the intersecting maze of breach notification laws and contractual obligations. For example, the RADAR incident response management platform gives response teams instant access to 100% up-to-date information on state, federal, and international breach notification requirements. It leads users through a workflow to capture the incident's risk profile and risk factors, then generates incident risk scores for each jurisdiction and provides breach notification guidance for each applicable jurisdiction as well as for contractual agreements. It also stores that incident information to prove compliance and to respond easily to any internal or regulatory audit. With good monitoring, a strong organizational process for incident detection and reporting, and consistent use of a platform like RADAR, organizations have been known to reduce their time to decision and their overall response window from weeks to literally minutes and days, respectively.
Readiness vs Reckoning
As cyber security risks have mounted in recent years, too many organizations have made incident readiness a low organizational and budget priority, hoping it won't happen to them. But the statistics are inescapable. According to the Identity Theft Resource Center, data breaches jumped 40% in 2016 over 2015. Gemalto reported a 13% increase in the first half of 2017 over the last half of 2016. Over 4 billion records were exposed in 2016, and according to the Breach Level Index, almost 2 billion records have been exposed just in the first half of 2017—122 records every second. Sadly, less than 5% of those records were encrypted to protect them from misuse.
The time has come for organizations to step up and prepare for the inevitable. An ounce of readiness can avoid a ton of reckoning after an incident. At a minimum, organizations need to have in place:
- A regular risk assessment process to identify vulnerabilities and guide spending on encryption, segmentation, monitoring, incident response readiness, and other mitigation measures.
- Security awareness and training programs that teach staff how to spot problems plus a clear, simple and timely incident escalation mechanism. (Timely escalation is important: two Equifax executives, purportedly unaware of the breach, sold stock before it was reported publicly, prompting an SEC investigation.)
- Tools and processes to quickly and consistently assess the risk of harm around an incident and determine if the incident requires notification.
- Tools and processes to ensure regulatory compliance. Regulatory breach notification windows can vary from a few weeks in some states to only 72 hours under the EU General Data Protection Regulation (GDPR), and fines for non-compliance can run to hundreds of millions of dollars. If an organization has to start from scratch, just determining notification requirements in multiple jurisdictions can take weeks and cost hundreds of thousands of dollars in outside counsel. There are also reputational costs to over-reporting, so it's important to quickly determine whether an incident is one of the 90% that don't require notification.
You Can't Afford to be Unprepared
The Equifax breach is huge, but it is not an isolated incident. The Breach Level Index already lists over 900 breaches in 2017—more than one per day. And a single incident can bring any company low. A few months ago, Equifax was a success story, having tripled its stock value in the last 5 years by finding new ways to monetize consumer data and even selling products that help companies hit by cyber attacks protect their customers. Now this breach may tarnish its reputation and earnings for years to come.
Cyber security and privacy incidents have become a daily occurrence. Given the presumption-of-breach standard, every incident requires multi-factor risk assessment, consistent decision making, and documentation to mitigate the risk of non-compliance. It's time for business leaders to treat data privacy, security, and incident response as core business processes and invest accordingly.
We'll never know how much of Equifax's troubles might have been mitigated had they been better prepared for incident response. But if you consider the costs of lost reputation, fines for non-compliance, litigation – not to mention career impact on individual officers of the company – it seems clear that any investment in streamlined incident response could have paid for itself in spades.