The Equifax breach comes with so many potential lessons, yet most of us have so little time.
So we cut it down to three key lessons about the credit agency breach after a discussion with cybersecurity and data privacy lawyer Shawn Tuma.
Tuma is an attorney at Scheef & Stone, L.L.P., and often works with clients after a breach, so he knows all about breach response. You can see him giving the keynote at SecureWorld Dallas on October 18.
Equifax breach: Lesson #1
Tuma says the Equifax breach proves (yet again) that we need a national standard for breach notification. Right now, 48 states each have their own breach notification requirements, with some sort of breach response rules. "A uniform policy would be good for consumers and good for companies," he said. "It creates a level playing field so everyone knows what to expect when this happens."
Georgia law—Equifax is headquartered in Atlanta—calls for notification to be made "in the most expedient time possible and without unreasonable delay...," and some members of Congress instantly displayed their anger that Equifax waited 40 days after the breach to notify consumers. It was part of the initial social media firestorm.
But Tuma, having been on the inside of many breaches, says the delay in notification may have met "the most expedient time possible" clause in Georgia law.
"Moving to have people respond too quickly, you'll have more breach fatigue out there. All we know at first is you've been breached; you may not know how significant it is. And you don't want to misrepresent something because then you'll get in trouble for that."
Missteps after a breach are really damaging.
"It's not about what you do right, as much as what you do not do wrong," Tuma says.
You've probably heard about Equifax offering free credit monitoring to those possibly impacted. It's an in-house service, and to sign up, you had to agree to arbitration as the path for any remedy. At least that is what was communicated. And the message reached all the way to Attorneys General in states like Oregon, who warned consumers to watch out for Equifax:
Because of the backlash, Equifax took the arbitration clause out of the credit monitoring service agreement and posted this update a short time ago on September 11, 2017:
"This was a huge PR nightmare for them," Tuma says. "Because the breach response is all about perception and making the public see you did the best you possibly could. Unfortunately, this shot them in the foot."
A mega breach keeps going, and going, and going.
This story will likely take years to write itself before the last chapter is closed. Between now and then, there will likely be congressional hearings, investigations, more class action lawsuits, and numerous updates from Equifax itself.
And perhaps we'll find out who has the information of 143 million Americans and what they plan to do with it or how they use it.
We know one thing for sure: the plot line in this breach story is a one-of-a-kind right now. According to Tuma, "It's a paradox when you think about it, that the company many will turn to for help is also a victim itself."