There has been a recent spate of news relating to information security breaches at various organisations. These breaches have severely tarnished customer perception of the organisations' brands, frequently given rise to breaches of consumer laws, and adversely affected share prices. This is most recently illustrated by the Equifax data breach, which exposed the sensitive financial information of at least 143 million American consumers, that’s more than half of the entire US adult population! Equifax shares have lost nearly a third of their value since the hack.
Indeed, Equifax has been slated for many of its actions following the breach. Primarily, the consumer communications management aspect of the disaster response was woefully lacking, succeeding mostly in raising more questions than it answered. Equifax’s disaster communication plan for its consumers consisted of a phone line which was often unanswered, and a website which did not provide any real answers but instead sought to sell Equifax’s product TrustedID, designed to protect customers from digital theft, where conveniently signing up to the service waived the customer’s right to any class action.
Reviews of Equifax’s actions following the breach have found that Equifax’s breach disclosure would have failed Europe’s tough new rules. The post-mortem analysis of the breach found that it took as much as 40 days for Equifax to inform the public. Whilst there is no standard in the US (indeed, Yahoo may well have sat on their breach of 500 million Yahoo accounts for years), the European Union has a single breach notification standard for personal data that was agreed at the end of 2015 and is set to come into force in May 2018, under the incoming GDPR (General Data Protection Regulation).
This will set a data breach notification bar across the bloc of “not later than 72 hours” after a data controller has become aware of an intrusion.
There are some caveats to this portion (Article 33) of the regulation: phrases like “without undue delay and, where feasible”, and some potential for exclusion based on the type of data being breached (“unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”). It is unlikely that any of the above exemptions would apply to the Equifax scenario, which should have been disclosed in a period of much less than 40 days. Failure to uphold these standards would result in hefty fines of up to 2% of GLOBAL revenue, so on Equifax’s forecasted revenue of $3.4B, that would amount to the sizeable, punitive sum of $68.5M!
Equifax has operations in the EU; indeed, Equifax is fortunate that the breach occurred before May 2018! All companies should take the time before then to ensure that any information security management systems in place are fit for purpose and appropriately staffed, and that best-practice processes are adhered to.