The recent data breach suffered by Equifax Inc in the US illustrates a range of issues that are relevant to Australian entities in the context of the mandatory data breach notification regime that will apply in Australia from February 2018.
Equifax in the US is a major credit reporting agency and as such holds significant information about individuals, including their social security numbers, personal details and credit histories. It was reported in early September 2017 that between May and July 2017 hackers had continuing unauthorised access to personal information held by Equifax. While the breach was discovered by Equifax in July, it was not publicly reported until September 2017.
The breach is estimated to have involved the personal information of up to 143 million individuals. For many of those individuals, every identifier needed to commit identity theft in their name was exposed. Equifax announced that it is conducting an investigation in conjunction with public authorities and has offered free identity theft protection and credit file monitoring packages to affected individuals.
However, there has been a significant public outcry in relation to the conduct of Equifax in the context of this breach.
Firstly, US media reports suggest there is general public outrage because, while the breach was discovered in July, it was not publicly reported until September.
Under the mandatory data breach notification regime to commence in February next year, an entity must assess a suspected breach within 30 days and, once it forms the view that an eligible data breach has occurred, notify affected individuals and the Commissioner as soon as practicable, unless an exemption applies. While most people would agree that an organisation needs time to investigate a breach so that its announcement is accurate and informed, a gap of some six weeks between discovery and disclosure is difficult to justify on that basis alone.
To further add to this, Equifax is a publicly traded company, and there is evidence that in the period between the discovery of the breach and the public reporting, executives sold US$1.8 million of shares in the company. Equifax denies that the executives involved in the sale knew of the breach, but an investigation into the conduct of those individuals is under way.
It has also been reported that the company's chief information officer and chief security officer are both "retiring" with immediate effect. Given the timing, the voluntary nature of those retirements might be questioned.
While many of the consequences go beyond the scope of compliance with privacy law it is a significant issue for executives of entities suffering the breach to know that their personal conduct and integrity may come under scrutiny. In a number of previous US breaches where the board cannot identify a specific individual to blame it is often the entire executive team that has been replaced over a short period.
A number of class action lawsuits have been proposed, and third party investigators have indicated that non-US residents may have been affected, which means that regulators other than the American ones may become involved.
Various state attorneys general in the US have indicated that they will seek to take legal action against Equifax over the data breach on the basis that it failed to have appropriate safeguards in place to protect consumer data. It is noted that in Australia there are two specific obligations in relation to security. The first, under the Privacy Act, is that an APP entity take reasonable steps to keep personal information secure; the second, under the Australian Consumer Law, is that entities not engage in misleading or deceptive conduct. An entity that collects information from individuals and assures them that it keeps their information secure, but does not in fact take reasonable steps to do so, is likely to be in breach of both provisions.
In addition to these substantive issues relating to the breach, there are also claims that Equifax's handling of its response has not been the best possible. For example, while the company indicated that it would provide affected individuals with free identity theft protection and credit monitoring packages, to obtain them individuals must sign up and provide their credit card details. Consumer groups have complained that, under this approach, an individual who forgets to cancel the package when the free period ends will be charged for at least one and possibly two months of fees. A bill to prevent credit reporting companies from charging for such services in the event of a breach has now been put before the US Senate.
Further, while Equifax established a microsite to notify individuals and to allow them to enter their details to check whether they had been affected by the breach, security experts reported that the site was built to the standard of an ordinary consumer website, not to the standard one would expect of a site that collects and looks up identifiers such as social security numbers. A site set up to handle the aftermath of a breach needs to be secured at least as carefully as the systems that were breached, and this is a further embarrassment for Equifax.
Also, a number of hackers have examined Equifax's international sites to determine whether the problem is more widespread. In Argentina, they found that they could log in to an Equifax site using the password 'admin'. Default or trivially guessable credentials on regional or ancillary systems are a common finding, and these systems warrant the same attention as the primary ones.
This breach raises an issue for any Australian entity that collects information capable of enabling identity theft, which would include date of birth, address, driver's licence number or any other key identifier. Such an entity needs to have appropriate security in place, and also a breach notification plan that could withstand scrutiny of the kind the Equifax breach has attracted.
While it has not taken up a great deal of news space in the Australian media, in the US media and in the international technology media it remains an ongoing source of discussion and concern.