September’s news centered on hurricanes Harvey and Irma until word of a massive cybersecurity failure at credit bureau Equifax pushed those storms below the fold.
We learned that a breach of personal financial information of 143 million Americans occurred between May and July 2017. Making matters worse, the breach exploited a known vulnerability in a widely used web application for which a patch had been released nearly two months before the breach; Equifax had not updated its vulnerable systems.
Given the scale of this breach—more than 200,000 credit card numbers were stolen—it’s not surprising that Equifax was sued in numerous states, and various state and federal regulators pledged investigations. In the aftermath, Equifax Chairman and CEO Richard F. Smith abruptly retired.
Days later, auditing and cybersecurity consulting firm Deloitte LLP revealed it was successfully targeted by a cyberattack that let criminals access data from an internal email platform.
These disasters are a reminder to all U.S. businesses to consider the personal information of others that you maintain and that criminals would like to steal. If you collect personal information, you must consider your legal obligations to protect it.
Laws and Regulations Apply
Applicable laws depend on who you are and the type of data you collect. To some extent, all companies have protected information, such as employee personal information, protected health information, customer information and credit card information.
If a breach compromises personal information of employees or customers, states require that notice be given and steps taken to deal with the breach. Additional obligations apply under federal laws, such as HIPAA relating to protected health information.
The Federal Trade Commission regulates business websites to ensure there is proper disclosure about information being collected and used, and what protections are in place.
Laws of other countries may apply to the collection and storage of information about their residents.
Minimize Your Risks
Your business can reduce risks and comply with regulations by following these guidelines:
- Identify: Understand how your company collects and stores data and confidential information.
- Protect: Implement safeguards to limit the impact of an event. Require security and standards in contracts with vendors and implement policies for employees.
- Detect: Implement procedures to identify an event. Require vendors to detect and expeditiously provide notice of an event.
- Respond: Prepare an action plan and procedures should an event occur, whether internal or external.
- Recover: Have a plan to restore capabilities impaired by an event to reduce the impact and losses.