Compliance Doesn’t Equal Security

The Federal Trade Commission has opened a probe into Equifax’s historic data breach in which hackers compromised sensitive data on nearly half of all U.S. consumers. Investigators want to know whether or not the breach could have potentially been avoided had the firm been more proactive in employing the latest security patches to their systems.

The Consumer Financial Protection Bureau, the independent consumer watchdog agency created by the Dodd–Frank Wall Street Reform and Consumer Protection Act in 2010, also said it’s investigating Equifax amid massive criticism that it dragged its feet on alerting consumers to the breach for months.

Is Data Anywhere Safe?

If a big enterprise like Equifax can be breached, is data anywhere safe? The question is an important one because of the massive impact data breaches bring about in terms of both human and financial impact. In the case of Equifax, the data breach exposed the personal and financial information of an estimated 143 million U.S. consumers. The hackers also gained access to credit card numbers for roughly 209,000 accounts, as well as certain dispute documents with personal identifying information for about 182,000 consumers.

According to the Ponemon Institute’s “2017 Cost of Data Breach Study: Global Overview,” the average total cost of a single data breach is $3.62 million. For Equifax, the cost will certainly be much higher in terms of legal expense, information discovery, fines and penalties, not to mention the loss of goodwill in the market. According to a U.S. Department of Justice survey, identity theft costs the average victim $1,343 in stolen assets and expenses like legal fees.

What Happened at Equifax?

While there is still a lot we don’t know, the Equifax breach appears to be the result of the firm letting its security patching fall behind. It came down to a flaw in Apache Struts, an open-source framework for building web applications that is used by many large businesses and government organizations. Equifax used it to support its online dispute portal, where Equifax customers go to log issues with their credit reports. The flaw had been publicly identified weeks before the attack, and it allowed hackers to take control of the systems that had not yet been patched.

To be fair, patching software at big corporations with many machines takes time. You’ve got to first identify the vulnerability, then implement and test the patch to make sure it doesn’t break anything before rolling it out. Trouble is, security experts say Equifax could and should have moved faster. Either way, they’re going to pay the price — as will consumers. The message here is that organizations should take heed of Equifax’s troubles and work to ensure that their data security processes and protocols are up to date and are being implemented completely and without delay.

Could It Happen To Us?

Experts tell us that when it comes to experiencing a data breach, the question is not if it will happen, but when. Should you be worried? Consider that the chances of being struck by lightning this year are about one in a million. Data security experts put the odds of your organization getting hacked this year as high as one in four. And even the most tech-savvy organizations fall victim: Target, JPMorgan Chase, eBay, Yahoo, Sony Pictures – these are just a few of the national brands that join the ranks of large, international organizations that have suffered massive data breaches.

Changing Regulations

Hackers aren’t the only thing to worry about these days. In addition to fighting cybertheft, organizations must also battle to remain compliant with increasingly strict data privacy regulations. This can be especially challenging in an increasingly global business environment where legislation and best practices applied to one country or region have implications across international borders.

One such regulation is the General Data Protection Regulation being implemented in the European Union. The GDPR outlines data protection requirements for all individuals within the EU as well as the export of personal data outside the EU. The GDPR takes effect May 25, 2018, and will have implications in the U.S. and around the world because the proposed data protection extends to all foreign companies processing data of EU residents. The aim is to make it easier for non-European companies to comply with privacy regulations; however, it will come at the cost of a strict compliance regime with severe penalties. Any U.S. business with a presence in the EU should understand how the GDPR will apply to its operations.

U.S. Privacy Regulations

It is more difficult to nail down the exact regulations and expectations regarding data security in the United States, since there is no single, comprehensive national law regulating the collection and use of personal data. The U.S. follows what is referred to as a “sectoral” approach to data protection that relies on a combination of legislation, regulation and self-regulation rather than governmental oversight alone. This patchwork of federal and state laws and regulations can overlap, dovetail and contradict one another. In addition, there are many guidelines developed by governmental agencies and industry groups that do not have the force of law but form part of self-regulatory frameworks that are considered “best practices.”

What should you look for? Some of the most prominent federal privacy laws include the United States Privacy Act, the Safe Harbor Act and the Health Insurance Portability and Accountability Act. But standards can change. Most recently, in April 2017, President Donald Trump signed into law a bill that repealed a set of privacy and data security regulations for broadband internet service providers. This repeal was, and continues to be, met with a great deal of debate and uncertainty, and is just one current example of the ever-evolving and greatly fluctuating data security environment today.

Moving Forward

What should you do today to ensure your organization is following best practices in data security? Here are five action items you may not have considered, but definitely should.

1. Implement a formal information security governance approach. It is important to establish and maintain a framework that provides assurance that your information security strategies are up to date, are being followed, and are not allowed to fall behind schedule.

2. Monitor for threats. While well-trained users can be your security front line, you still need technology as your last line of defense. Monitoring user activity allows you to detect unauthorized behavior and verify that user actions are not violating security policy.

3. Back up your data. Backing up your files may seem like common sense, but any organization that has been hit with ransomware – such as Petya or WannaCry – will tell you how important it is to follow this best practice.

4. Beware of social engineering. The security policies you implement don’t replace the need for common sense. Be sure everyone is wary of social engineering tactics like password “phishing,” in which stolen credentials are used to gain access to encrypted files.

5. Update your systems. The Equifax hack could have been avoided with more prompt software patches and system updates. Cybercriminals are constantly inventing new techniques and looking for new vulnerabilities — an optimized security network is only optimized for so long.
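One way to turn items 1 and 5 from a policy statement into a check that can be run on a schedule, as an added example that is not part of the original article (the hostnames, component versions, dates and 30-day SLA are constructed placeholders, not Equifax data):

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    host: str
    name: str
    installed: str      # version currently deployed on the host
    fixed_in: str       # first version that closes the known flaw
    fix_published: str  # ISO date the vendor published that fix


def version_key(v: str) -> tuple:
    # "2.3.2" -> (2, 3, 2); tuples compare element-wise, so "2.5.10.1" > "2.5.10"
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(c: Component) -> bool:
    # Still vulnerable if the deployed version is older than the first fixed one
    return version_key(c.installed) < version_key(c.fixed_in)


def days_exposed(c: Component, today: str) -> int:
    # Days since the vendor made a fix available, i.e. how long the gap has been open
    return (date.fromisoformat(today) - date.fromisoformat(c.fix_published)).days


def overdue_patches(inventory, today: str, sla_days: int):
    """Hosts still running a vulnerable version more than sla_days after the fix shipped."""
    return sorted(
        (c.host, c.name, days_exposed(c, today))
        for c in inventory
        if is_vulnerable(c) and days_exposed(c, today) > sla_days
    )


# Constructed inventory (placeholder hosts, versions and dates) for the report below.
INVENTORY = [
    Component("dispute-portal-01", "struts", "2.3.1", "2.3.2", "2017-03-01"),
    Component("dispute-portal-02", "struts", "2.3.2", "2.3.2", "2017-03-01"),
    Component("intranet-wiki", "struts", "2.3.1", "2.3.2", "2017-03-01"),
    Component("batch-etl", "openssl", "1.0.2", "1.0.3", "2017-04-20"),
]

if __name__ == "__main__":
    for host, name, days in overdue_patches(INVENTORY, "2017-05-01", sla_days=30):
        print(f"{host}: {name} unpatched {days} days after the fix shipped (SLA breached)")
```

The report deliberately separates "vulnerable" from "overdue": batch-etl is vulnerable but still inside the patch window, while the two Struts hosts have been exposed for two months and are what governance should escalate.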

This article originally appeared in the November 2017 issue of Workflow.

Kevin Craine is the managing director of Craine Communications Group. He is a writer, podcaster and technology analyst, as well as the author of the book Designing a Document Strategy and a respected authority on document management and process improvement. He was named the No. 1 ECM Influencer to follow on Twitter.