Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

9/13/2017
12:30 PM
Simon Marshall
Simon Marshall
Simon Marshall
50%
50%

Solving the Problems of an Equifax

The Equifax breach has brought problems to businesses and consumers. Here are steps each can take to make it past the emergency.

The mushroom cloud from the Equifax hack fallout is causing a nuclear winter for consumers. Some of them don't know if they were hit, and are dreading the consequences. Others are no doubt angry that more could have been done to avoid the situation. Meanwhile, no one knows when the cloud will disperse.

In the meantime, I talked to Paige Schaffer, president and COO of identity protection services global unit with Generali Global Assistance, to find out about the nation's data protection health. Generali provides travel assistance, risk management and insurance, and global identity theft services.

SM: What more do you think the government can do to help consumers avoid data theft?
PS: Government entities should put in place regulations to protect personally identifiable information (PII) and other sensitive data that is collected, stored and transmitted. Payment card industry data security standard (PCI-DSS) protection has been implemented in the credit card industry since 2004, and we should have a similar strict regulation for PII, established as a requirement for everyone.

Could the government be doing more? What about an overarching federal standard?
Yes. Despite the wide-reaching effects of data breaches, there are currently no uniform federal data breach laws in place to which organizations must adhere. This creates confusion and frustration for both companies and consumers, each seeking to define and interpret requirements and expectations. Businesses that experience data breaches must rely on their individual state's laws to determine which type of information triggers a consumer notice, as well as the content and timing and any restitution measures.

Companies with customers in multiple jurisdictions are left with the difficult task of interpreting inconsistencies between state laws. Most states have unique laws regarding when customers must be notified that their data was part of a breach. A federal standard would protect consumers much more effectively. What complicates matters is the fact that nationwide breach notification legislation that has been proposed in the past has sought to nullify existing state laws, thereby preventing states from passing consumer data protection laws in the future.

What does this breach say about the general health of the nation's consumer security, and how easily hackers are able to breach it?
Even in a vacuum, the Equifax breach would have been troubling given that it is reported to have affected hundreds of millions of consumers. In a larger context, it is even more alarming when considering identity theft and cybersecurity statistics that have been recently reported. Identity fraud cost consumers nearly $16 billion last year, up $1 billion from 2015, according to Javelin Strategy & Research.

According to the Identity Theft Resource Center [ITRC], in 2016 nearly 30 million records were exposed from over 700 data breaches, affecting companies across many industries in the US. In fact, the ITRC recently reported that nearly 800 breaches have been logged in 2017 year-to-date, with 63% of incidents resulting from hacking attacks. Clearly, data breaches do not discriminate by industry sector, and companies of all types -- and their customers -- are at risk.

Those stats make for depressing reading.
Loss of consumer confidence is a major issue, as nine out of ten adults agree that consumers have lost control over how their personal information is collected and used by companies, according to Pew Research. With 2017 on pace to reach an all-time high of approximately 1,500 reported data breaches, businesses and consumers alike need to be more prepared than ever to mitigate associated risks.


Want to learn more about how LTE-A Pro and Gigabit LTE will impact the 5G market? Join us in San Francisco for LTE Advanced Pro and Gigabit LTE: The Path to 5G event – a free breakfast colocated at Mobile World Congress Americas with a keynote address by Sprint's COO Günther Ottendorfer.

What legal recourse might consumers have if it's found that their stolen data results in loss of money, privacy or reputation?
Given the lack of federal data breach legislation, it is somewhat difficult to determine what courses of action are available. When a nationwide organization like Equifax experiences a breach, nearly 50 laws -- all different -- may apply. In the case of this particular breach, consumers must be especially cautious with respect to legal recourse.

Equifax may restrict consumers' legal rights, according to the terms of service on their website. Language within the terms of service prevents those who enroll in the Equifax breach assistance program from participating in any class-action lawsuits, one of which has already been filed by ClassAction.com.

The Consumer Financial Protection Bureau recently put in place a rule to ban arbitration clauses, as they were understood to do more harm than good to consumers. In the case of Equifax, this is absolutely the case as the legal language in the service terms restricts individuals impacted by the breach from attempting to -- justifiably -- recoup their financial losses. New York Attorney General Eric Schneiderman has already publicly denounced Equifax's attempt to limit consumers' rights, and others are sure to follow.

Beyond legal recourse, consumers should also be wary of using Equifax's help website as it requires entry of an individual's last name and the final six digits of their Social Security number. This is highly unusual.

What can consumers be doing right now?
In terms of immediate action, consumers should place a 90-day fraud alert with all three credit bureaus. This will prevent any creditors from opening a new line of credit in your name for the next 90 days without first contacting you for approval. Individuals impacted by the breach may also want to consider taking the more stringent approach of placing a freeze on their credit reports with all three bureaus. Unlike fraud alerts, credit freezes stay in place indefinitely, until the customer requests it to be removed.

And what about enterprises? They all profess to some level of security, how can they do better?
More advanced solutions include behavior-based technologies that detect and prevent breaches. For example, if a user or system manipulates an unusual number of files, that behavior will trigger an alert or remove the access rights associated with those files -- automatically protecting the information system and limiting the impact. Behavior-based solutions are currently available for several security tranches, including firewall, email management and file storage management. The most advanced of these utilize cloud-powered solutions that dynamically learn new patterns and apply them.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...
CVE-2020-8247
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...