Equifax hack: Lax rules fail to aid pub­lic

Congress has been at an impasse over ways to protect consumers.

The Atlanta Journal-Constitution - FRONT PAGE - By Tamar Hallerman tamar.hallerman@ajc.com, Brad Schrade brad.schrade@ajc.com and J. Scott Trubey strubey@ajc.com

The massive data breach at the Atlanta-based credit reporting firm Equifax has thrust into the spotlight the country’s patchwork system of cybersecurity rules and laws that often allow businesses to escape significant penalties for leaving sensitive consumer information at risk.

Congress has done little over the past two decades to put broad standards in place for how companies with reams of personal online data, including Social Security numbers and credit records, should be protecting it or how swiftly consumers should be notified in the event of a breach.

Disputes among privacy experts, bankers, retailers and consumer protection groups have created an impasse on Capitol Hill that’s left most comprehensive legislation on the back burner. In the meantime, rules for companies such as Equifax that make a business out of handling personal information have remained lax.

States have stepped in, but most in a fairly narrow capacity. Forty-eight of them, including Georgia, have laws governing how and when companies should notify consumers and state government officials if sensitive information has been hacked.

Consumer protection groups point out there is often little, though, to encourage companies to lock up their data in the first place. Only about a dozen states have laws that govern standards for cybersecurity at private companies. Georgia is not one of them. And while some states have penalties associated with their breach laws, Georgia does not.

“Companies need to feel pain,” said Liz Coyle, the executive director of Georgia Watch, an advocacy group for protecting consumers. “You think about Equifax being the victims of the data breach. We were the victims; half the country were victims. The consequences need to be much greater.”

Meanwhile, breaches seem to keep getting bigger. Between late 2013 and 2014, payment card data for 40 million Target customers and more than 50 million Home Depot shoppers was compromised, along with contact information for 76 million JPMorgan Chase households. In 2015, news emerged that the federal government’s own servers, at the Office of Personnel Management, had been hacked, exposing the records of 18 million people who had applied for federal jobs. And while most breaches are carried out by criminal organizations, others have been tied to state-sponsored groups, such as the 2016 breach at the Democratic National Committee, which the intelligence community viewed as a Russian attempt to influence the presidential election.

So far, elected officials from Washington to Atlanta have yet to take significant action. But there is cautious optimism among backers of a federal cybersecurity law that the Equifax hack — among the largest ever, involving some 143 million Americans, including 5 million Georgians — could change that.

“I’d like to think the Equifax disaster gives that a push in the right direction,” said U.S. Sen. Roy Blunt, R-Mo.

For years, he has pushed for bipartisan legislation that would set national data security standards for companies and direct them on how to notify consumers if there’s a breach.

Equifax has not responded to media requests since the breach. However, it has published a statement blaming a flaw in Apache Struts, an open-source web application framework, for allowing criminals to access the data. The Apache Software Foundation, which oversees the software, said a patch for the flaw had been issued months before the hack but Equifax hadn’t installed it. In other words, the attackers used a known vulnerability for which a fix was already publicly available, not a previously unknown one.
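The article’s point, that the fix existed for months before the flaw was used against Equifax, comes down to knowing which versions of third-party components are deployed and comparing them with the first fixed release. What follows is an added example written for this page, not code from Equifax, Apache or the article: it reads a constructed Maven manifest, looks the Struts artifact up in a small table of fixed releases, and flags any declared version that falls below the fix on its release branch. The manifest contents, the function names and the conservative treatment of release branches not listed in the table are this example’s own assumptions; the fixed-release numbers are those published in the Apache Struts advisory for the March 2017 flaw (S2-045), which the article itself does not name, and should be confirmed against that advisory before being relied on.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample manifest for this example (not Equifax's, not from the article):
# a Maven pom.xml fragment declaring a struts2-core release that predates the fix.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.10</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.5</version>
    </dependency>
  </dependencies>
</project>"""

# (groupId, artifactId) -> first fixed release on each maintained branch.
# The Struts entries are the fixed releases named in the Apache advisory for the
# March 2017 Struts flaw (S2-045); verify them against the advisory before use.
FIXED_VERSIONS = {
    ("org.apache.struts", "struts2-core"): ["2.3.32", "2.5.10.1"],
}


def _local(tag):
    """Strip the XML namespace prefix ElementTree attaches to each tag."""
    return tag.rsplit("}", 1)[-1]


def version_key(version):
    """'2.5.10.1' -> (2, 5, 10, 1); numeric-only so tuples compare correctly."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_patched(version, fixed_versions):
    """Return (patched, required_release).

    Compare against the fix on the same x.y branch when one exists; otherwise
    compare against the newest fix, so a release older than every fixed branch
    is reported as unpatched (a deliberately conservative assumption).
    """
    vk = version_key(version)
    fixes = sorted(fixed_versions, key=version_key)
    for fix in fixes:
        if version_key(fix)[:2] == vk[:2]:
            return vk >= version_key(fix), fix
    newest = fixes[-1]
    return vk > version_key(newest), newest


def find_unpatched(pom_text, fixed_table):
    """Return [(groupId, artifactId, declared_version, required_release), ...]
    for every dependency in the manifest that is below its first fixed release.
    A version given as a Maven property (${...}) cannot be judged here and is
    reported with 'unresolved' so that a human resolves it."""
    root = ET.fromstring(pom_text)
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        key = (fields.get("groupId"), fields.get("artifactId"))
        if key not in fixed_table:
            continue
        declared = fields.get("version", "")
        if not declared or declared.startswith("${"):
            findings.append((key[0], key[1], declared, "unresolved"))
            continue
        patched, required = is_patched(declared, fixed_table[key])
        if not patched:
            findings.append((key[0], key[1], declared, required))
    return findings


if __name__ == "__main__":
    for group, artifact, declared, required in find_unpatched(SAMPLE_POM, FIXED_VERSIONS):
        print(f"{group}:{artifact} {declared} is below fixed release {required}")
```

Run against a real build, the same check belongs in CI on every manifest and in a periodic scan of what is actually deployed, since a manifest only records what was intended to ship; the table of fixed releases is the part that must be refreshed each time a vendor advisory appears.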

Few federal rules

As more and more companies collect personal information on consumers and store it on computers linked to the internet, the number of targets available to hackers has grown dramatically.

Since 2005, there have been 7,679 publicly known data breaches exposing more than 1 billion records, according to the Privacy Rights Clearinghouse, a California-based nonprofit that advocates for consumer privacy rights.

But few companies are as target-rich as Equifax. The company and its subsidiaries know practically everything about you. And the data it has amassed and sells to banks, lenders and the government influences your ability to take out a loan, get a job, receive federal benefits such as Medicaid — even to win national security clearances.

Since the web’s infancy in the 1990s, Washington has generally avoided regulating the collection of personal data out of fear of stifling growth, said James Lewis, a cybersecurity expert at the Washington think tank the Center for Strategic and International Studies.

“You have this history of no rules on the internet, and that’s part of why it’s the Wild West,” Lewis said.

Countless legislative efforts in recent years have also sputtered due to opposition from companies and a thicket of diverse and powerful interest groups all demanding different things.

President Barack Obama pushed several bills, only to watch them crash and burn. Eventually he signed an executive order aiming to protect data through voluntary efforts involving federal agencies and the operators of privately owned critical infrastructure, such as utilities.

He also directed all federal agencies to use the full extent of their existing authorities and apply them to cybersecurity.

FTC steps in

The Federal Trade Commission became one of the prime federal enforcers of data security through its authority under Section 5 of the FTC Act to protect consumers against unfair and deceptive practices. Enforcement actions largely targeted businesses where systemic and repeated personal data security breaches occurred.

“We did an enormous amount. We brought over 60 important cases,” said Jessica Rich, the former director of the FTC’s Bureau of Consumer Protection during the second half of the Obama administration, who recently joined Consumer Reports as vice president of consumer policy and mobilization.

Some of the most high-profile FTC cases have been against Georgia companies. ChoicePoint, an Alpharetta-based consumer data broker, settled a 2006 case with the FTC for penalties and consumer redress payments totaling $15 million over a breach of 163,000 consumers’ records that led to identity theft of at least 800 people.

Still, Rich said the FTC could do more with stronger tools, such as civil penalty authority.

While the FTC has power to issue penalties in certain circumstances, Rich said there needs to be a single, comprehensive law related to cybersecurity. Currently, she said, “each law that exists has gaps.” And in some situations, such as with nonprofits and some telecommunications companies, the FTC has no jurisdiction in cybersecurity cases.

The Trump administration for now has picked up where Obama left off, Lewis said, despite a broader push to cut back on federal red tape. President Donald Trump has kept Obama’s governmentwide actions in place and issued an executive order in May seeking to bolster the government’s own cyberdefenses.

Last week, Trump’s press secretary, Sarah Huckabee Sanders, indicated the huge scale of the Equifax hack could mean new rules may be needed. “I think this is something we have to look into extensively,” she said.

Georgia’s rules

In the absence of congressional action, most states have adopted security breach notification laws. In most states, the laws require companies to notify consumers. Some also require reports to state officials.

Georgia’s law, first adopted in 2005, requires companies to notify consumers who’ve had their personal information breached. The law does not state a specific deadline for notice, does not require the company to notify state regulators, and does not provide for financial penalties for companies that fail to properly notify.

Coyle, with Georgia Watch, thinks the state needs to do more. “We know this is a big problem for Georgia consumers,” she said.

But even when states have laws that require companies to implement reasonable security measures and practices, there’s not much evidence those laws lead companies to act differently.

“What has become clear over the past few years is that companies have yet to internalize risk that does affect consumers,” said David Forscey, a policy analyst with the National Governors Association who has studied cybersecurity regulation. “There have not been many strict enforcement actions against companies.”

Some say a na­tional fix is needed.

“One of the challenges for companies is how do they keep up with all the myriad state laws,” said Megan Stifel, a cybersecurity expert at the think tank the Atlantic Council. “It could be the standard differs based on the number of documents or victims’ records — the standards are all over the map.”

The lack of clearly spelled-out federal law around protecting personal information and cybersecurity leaves companies guessing about standards, said Michael Vatis, a Washington-based attorney with the firm Steptoe & Johnson who specializes in helping companies navigate cybersecurity issues.

“The federal government and state governments have taken a largely hands-off approach,” he said. “Then they come down hard on the company, and they are victimized twice, first by the hackers and then they’re made a showcase for the government.”

The road ahead

Despite swift and widespread condemnation of Equifax following the hack, it’s still unclear whether the mammoth breach will lead to any policy changes.

Congressional committees — as well as the FTC — have announced inquiries. A bipartisan coalition of attorneys general from 36 states, including Georgia, has formed a joint investigation.

Senators who have long been advocating for their own cybersecurity bills have begun dusting off their old drafts and renewing discussions about a broad plan that could win the support of enough colleagues.

“We’ve talked a good game for years now about protecting sensitive data, about investigations when there’s a breach, about notification,” said U.S. Sen. Tom Carper, D-Del., who has worked with Missouri’s Blunt for years on a cybersecurity bill.

More tailored bills have also emerged since the hack became public. U.S. Sen. Ron Wyden, D-Ore., for example, introduced a measure that would guarantee all Americans the use of personal identification numbers to freeze and unfreeze their credit.

Fault lines have also emerged.

Some libertarian-leaning Republicans, such as U.S. Sen. Rand Paul, R-Ky., say the government should not be telling private companies such as Equifax what they can and cannot do. Athens-area Republican Congressman Jody Hice said he wanted to hear more about what happened with Equifax before recommending policy, but that “as a general rule, companies like that have got to police themselves or they’re going to lose business.”

Many other Georgia congressmen have trod carefully after the hack, urging their colleagues to hear from Equifax’s top executives before considering next steps.

“If you make those decisions before you investigate, you’re going to do the wrong thing,” said U.S. Sen. Johnny Isakson, R-Ga.

Some consumer advocates want to see uniform protections across the country, which would require strong enforcement at the federal level. Henry Turner, a Decatur attorney who has fought for consumers, said the FTC and the Consumer Financial Protection Bureau should be properly empowered to rein in credit reporting agencies.

Other consumer advocates fear that special-interest groups will end up weakening the current law.

“Industry lobbyists are already circling the Hill ... to pass a version of their long-festering, industry-backed efforts to pass weak federal data breach rules that take away stronger state protections,” said Ed Mierzwinski, the consumer program director with the U.S. Public Interest Research Group.

Meanwhile, business advocates say that imposing stiff penalties for breaches wouldn’t be fair. Hacks are now common, and even companies that do everything right can be victimized, said Gilbert Schwartz, a Washington-based attorney who represents financial services clients.

“It’s something we’re all going to be dealing with for the foreseeable future,” he said. “Folks are going to have to get used to their information is at risk.”
