Equifax and GDPR - What organizations need to know
Equifax, one of the three major credit-reporting companies in the US, announced a breach last week affecting 143 million consumers in the US, as well as consumers in Canada and the UK. Compounding the damage, the press and security experts have almost universally panned the company's response.
The fallout is, as expected, widespread. It includes calls for legislation, lawsuits, and a mountain of bad PR. Yet this is just another example, albeit a major one, of poor stewardship of customer information and private data. Experian, another of the big three credit agencies, exposed the data of millions of consumers in 2015. The same year, Chinese hackers breached the Office of Personnel Management (OPM), and the FBI has just announced an arrest in that case. A new breach makes headlines seemingly every week, if not every day.
Outside the US, and especially in Europe, lawmakers are taking action to protect consumer data. The upcoming General Data Protection Regulation (GDPR) is a major piece of regulation affecting any organization that processes the personal data of individuals in the EU, whether or not the organization itself is established there. Effective May 25, 2018, GDPR includes huge penalties for non-compliance (up to 4 percent of annual worldwide turnover or 20 million euros, whichever is higher). Under GDPR, Equifax would face a potential fine of more than $60 million. With teeth like this, organizations must take GDPR seriously and prepare accordingly.
Per a Guidance Software survey from earlier this year, only 15.7 percent of companies reported reaching the advanced planning stages for GDPR. Twenty-four percent of organizations, a full one in four, already acknowledge that they will not be ready by the May 2018 deadline. GDPR includes many serious requirements. For example, it requires that organizations notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible, and inform affected individuals without undue delay when the breach is likely to result in a high risk to them. Equifax learned of its breach at the end of July and waited well over a month before going public. Organizations behind in planning and those taking a wait-and-see approach are taking a calculated risk, and a substantial one.
Survey data also shows that organizations are poorly equipped to understand, much less manage, their data. Of companies surveyed with $1 billion or more in revenue, just 43 percent have processes in place to identify the data records of any EU citizen and determine where that data is processed. It is significantly worse for organizations with less than $100 million in sales, at just 26.8 percent.
Make no mistake about it: these breaches will continue to happen and make headlines. Our research found that a quarter of respondents suffered direct financial losses due to a cyberattack in the past year. The number of organizations reporting "significant financial losses" tripled year over year, and almost two-thirds fell victim to malware-related breaches. We are in a new reality where it is not a matter of if your company will be attacked, but when.
Some security officers are unsure of how best to proceed with a regulation that has such massive implications and administrative challenges. We recommend following these four steps to get started.
- Understand the law - You need to know where you stand and what is required of you. Read the regulation itself and determine which obligations apply to you: whether you act as a controller or a processor, which of your systems and vendors handle personal data of individuals in the EU, and what lawful basis you rely on for each processing activity.
- Assess existing processes - Map out where your data currently is (which systems, which locations, which third parties), audit your existing processes and security practices, and conduct a gap analysis against the regulation's requirements. Knowing this will help you understand what you have done right and where you are lacking. Without a data map, you cannot answer the first question a regulator will ask after a breach: whose data was affected, and where was it?
- Evaluate existing technology and identify new ways to fill the gaps - Figure out which departments have technologies that can be applied across the company to standardize your processes, keep data secure throughout the organization, and surface inconsistencies in your security posture. Pay particular attention to detection and logging, since the 72-hour notification clock starts when you become aware of a breach, and you cannot notify what you cannot detect.
- Periodically test your system - Conduct assessments at regularly scheduled intervals to be sure your security controls are up to date, run tabletop exercises of your breach-response and notification process against the 72-hour deadline, and improve your processes based on what those tests reveal.
The Equifax incident, viewed through the lens of the upcoming GDPR regulation, serves as a stark reminder that organizations need to prepare for the inevitable breach. Preparing for GDPR is an opportunity for every organization to identify what sensitive data it holds, determine how that data should be secured, and create a process for how it will respond when an attack occurs.
Starting with the steps above, security professionals can demonstrate that they have taken reasonable, documented steps to keep customers' data safe, which is what regulators will look for after an incident. Organizations that take GDPR seriously will also be better prepared to avoid heavy fines and reputational damage, and well positioned should the US and other countries expand their own regulations dealing with privacy and cybersecurity.