As some of the initial dust settles on the Equifax breach the legal, regulatory and insurance worlds can step back and take some stock of the situation and assess the issues which it raises across all industry segments, not just the financial services arena. First of all, it is important to note that the actual, specific mechanism of the hack is not fully known, external to the company (and the hackers). However, it has been revealed that the hack involved exploiting a weakness in a free, open-source software known as Apache Struts, which is used to create Java Web Applications. According to reports, a patch had been released that would have plugged this security gap, but it has not been applied to the servers which were hacked. These same reports state that at least 143 million consumers’ personally identifying information (PII) was downloaded from the Equifax servers through this breach over a period of several months. The company, a consumer credit reporting agency, whose very existence depends on being a source of PII for third parties, has now been struck with more than 23 class action complaints, is the subject of congressional inquiries, and is experiencing what could, very well, be a company ending liability event. So, what is the take away here? What have we learned? The question might be better asked: what haven’t we learned? The answer? Quite a lot. The first unheeded lesson was one of ensuring vigilance, supervision and controls across the company’s platforms. According to reports, the records and information of 143 million people were accessed and PII data in reference thereto was transferred from Equifax’s servers to third party hackers from May to July of this year. We don’t know how the bad actors accomplished their crime or what safeguards Equifax actually had in place to detect malicious activity, but it stands to reason that the off-loading of this much data and the broad access they had the databases which contain that data should have led to, at the very least, a detectable increase in server activity and further access to that many records should have tripped secondary alarms. Organizations with a risk profile like Equifax should have had proper controls, sweeps, active threat monitoring and other company vigilance to detect this breach much earlier in the process. Further, from a technical standpoint, particularly with “off the shelf” business applications, your IT team should be regularly interfacing the manufacturer’s site, updating the software, checking industry sources and, generally, ensuring that any flaws in systems are immediately identified and patched. In this instance, flaws in the Apache Struts software were known to the industry on March 6th and industry sites had already identified a patch. The Equifax breach commenced in May, almost two months later. For any company that depends on software, this type of technical lag time can be lethal. For Equifax, it may just prove so. A standard control, found in cybersecurity standards such as ISO or NIST, is to apply patches upon their release. As discovery progresses in the litigation and the government investigations, it will be interesting to see if the company had this control and ever audited it in the past. If past audits showed a delay in applying patches, than this will show that Equifax failed to learn from its audits and security events, as the failure to apply patches should be treated as a cyber event. If they did not perform these sorts of audits, that, too, would be a cause for concern, since the only way to ensure something occurs is to measure for that event. The failure to measure for the application of patches would be another potential source of liability for Equifax. The next lesson “not learned” was one of design. For an incredibly PII dependent business Equifax does not seem to have taken the simple step of segmentation of its PII within its systems. In other words, having Social Security numbers in one system, names in another, drivers’ licenses and bank account information in another, etc., would seem a self-evident preventative measure. However, it appears the hackers were able to gain access, to “all of the above” information. If this is due to lack of segmentation it could exacerbate matters for Equifax. The next lesson is: “know thy vendor” or, in this instance, perhaps “we didn’t know our vendor well enough” might be more accurate. Equifax specializes in providing credit information to third party financial institutions and retailers. Most of the time these third parties are the ones who have a direct interface with a customer and supply their customer’s information to a vendor such as Equifax so a credit search can be completed. Hence, the customer-facing, third party company may be open to suit if the vendor it uses to provide this credit check (Equifax) does not do an adequate job of protecting customer information, from a cyber perspective. So, did the customer-facing entity take proper precautions to ensure that its vendor was properly protected, or had proper policies and procedures, adequate cyber insurance and a robust breach response plan? If the answer is: “no,” then the customer-facing company may have some exposure. The next lesson “not learned”? The need to have a robust breach response plan that includes, amongst all of your internal notification processes, required notification of an outside breach management firm, or firms, that can handle the assessment of your notification duties from regulatory, liability and contractual perspectives and that can also handle the crisis response (if notification is required) and customer/claims response once notice is given. Your organization should already have one – and if it doesn’t you should ensure it gets one. This is because companies that take aggressive steps to minimize damage from a breach, i.e. who timely notify customers or vendors where required to do so and who get out in front of the issue, end up with less costs in litigation and lower customer payments overall. Those who try and delay, or obfuscate, end up with more costs in the long run. Think of it as “the Watergate phenomenon” where the cover up ends up making things much worse than the original issue. Lastly, on the top of lessons not learned? Encryption, encryption, encryption. And, like the rule of “location, location, location,” in real estate, there is no substitute. It is possible to encrypt on a large scale and, at the very least, storage files with PII should, where possible, be encrypted. Depending upon the technology employed this may not solve all hacking situations (such as where a user voluntarily gives up security access in response to phishing or similar situation), but in a situation where a true “hack” through a system weakness has allowed unauthorized users to download files, it very well could. In such instances the stolen files would be valueless without the key to the encryption. There are technologies available that encrypt information and the key to unlock the files is not just a user’s credentials. The inconvenience of use may ultimately outweigh the risk assigned to a breach by the organization, but these options should be considered and the decision documented as part of a formal risk assessment process. So what does this mean for business as a whole? Well, it means that businesses must take note of the following things, and address them immediately:
- Ensure that your systems and technical defenses are as properly designed and up-to-date as they can be by performing a full technical audit and red team testing of your defenses.
- Review and update your breach response plan preferably with the assistance of objective outside consultants and/or counsel. Without an up-to-date and properly designed response plan your staff and employees will waste valuable breach response time in trying to figure out what to do and whom to call.
- Ensure that you have a properly equipped, external, consultative firm and legal counsel (or firms/counsels) that can handle risk assessment, breach planning and coaching, crisis response, public relations, claims notification and handling services, as well as your litigation.
- Ensure that your internal policies and procedures, as well as monitoring and controls, are up-to-date and regulation and contractually compliant. Conduct an audit of your current policies, procedures, monitoring and controls. With this Equifax breach, regulators and legislative bodies across the globe will increase the rate of promulgation of new regulations requiring heightened defenses and awareness. Will your company be ready?
- Review your cyber insurance from a coverage perspective as well as in reference to limits. In light of the Equifax issue – do you think you have enough coverage? Is it the right coverage?
- Change your corporate culture – make sure everyone is invested in being vigilant, as well as proactive, in ensuring the security of sensitive information and systems. If people at your company are still clicking on links in emails from deposed princes from Eastern Europe, then this may be the first thing you should do. Most companies have a brief training session and then follow up with emails. This is simply not enough. The “people” component of cyber security is just as important as the technical and legal aspects – and often the most overlooked.
Certainly this is a lengthy “to-do” list. However, it is doable. The consulting firm of HB Solutions, LLC, along with the law firm of Harris Beach PLLC, can assist with all of these issues through our HB Access® practice. HB Access® specializes in cybersecurity risk protection and can address all of these issues. We provide technical, legal, regulatory compliance, insurance risk management, internal management, breach coaching, claims handling and notification as well as legal representation (where admitted to do so) to meet all of your cyber needs. In sum, the takeaway from the Equifax breach is: Learn your lessons. Don’t leave your cyber issues until tomorrow. If necessary consider engaging knowledgeable outside counsel and consultative services, today, to look at your technical and personnel based defenses, update your policies, procedures and controls, adopt an aggressive and detailed breach plan and, above all, align your employees, management and staff to one goal: vigilance and active assistance in protecting your valuable information and the PII of your valued customers. Alexander D. Rosati, Senior Counsel, is an attorney practicing from our Harris Beach offices in White Plains and New York City. His primary area of practice is Mass Torts and Industry-wide Litigation. He is the leader of our Insurance Practice Group and is also a member of our Cybersecurity and e-Info Practice Groups. Alex is also a member of our Unmanned Aircraft Systems-Drones Industry Team.
