×

Three big lessons to learn from the Equifax data breach

  • There are straightforward lessons to be drawn from the Equifax cyberattack
  • Those takeaways deal with prevention, dealing with a problem, and how government involvement should work
  • The status quo is not sustainable, Daniel Dobrygowski and Walter Bohmayr write
Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia.
Tami Chappell | Reuters
Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia.

We've all seen the news reports, again and again:

A massive breach has occurred. Many millions of customer records have been obtained by hackers. The company in question has flubbed the response to the incident. Wall Street is punishing the company, and the stock has plummeted since the breach was reported.

That opening to articles on almost-daily cyber crises has become all too familiar. The recent incident involving Equifax, the U.S. credit-reporting company, is particularly egregious and may make it seem as if every attempt to secure our data and personal information is doomed to failure.

However, our failures do not come solely from technology and its misuse, but rather from a mindset that, unless we change it, will force us into the same mistakes time and again. These breaches are a failure of leadership and culture as much as they are failures of network security.

In order to secure our personal information and networks, we need to recognize that privacy and security are not opposites, but rather they support each other and our economy and society. We need to understand that notifying customers about breaches is a vital part of ensuring security and privacy. And, finally, we must recognize the role that government representatives, and the policy choices they make, should play in this entire system.

First, security is often incorrectly framed as a choice between security and privacy. In recent years, whether it is the debate on government's collection of metadata or law enforcement's increasing insistence on access to encrypted data, we are asked to choose sides between privacy versus security.

"A recent survey found that nearly 40 percent of U.S.-based, in-house attorneys and general counsel fail to disclose security issues to their board."

The Equifax incident unambiguously refutes that way of looking at things: privacy depends on security, and vice versa. In the Equifax case, the privacy of 143 million customers was clearly violated — and that breach of privacy introduced the potential for further, cascading breaches, where security is based on those exposed details, such as social security numbers and other sensitive personal information.

Better security undoubtedly leads to greater privacy protection for consumers whose data is aggregated by companies. And a greater emphasis on privacy helps create a culture that values security and is willing to put forth the effort to ensure it. We should learn that security isn't an end in itself, but rather a mechanism to protect important values, one of which is privacy.

Second, timing is key when notifying stakeholders after a breach. To the consternation of many observers, Equifax discovered that its systems had been breached on July 29 and reported it more than a month later, on September 7. By way of comparison, proposed European regulations mandate breach notification within 72 hours, while allowing explanation by the notifying party in case of any delays.

Notification shouldn't be arbitrary or an afterthought. The key question that should determine the length of time a company has to report a breach is the following: Would cyber incident damages be reduced more by allowing a company time to provide an organized response, or by allowing affected individuals to act earlier in a decentralized fashion? In the Equifax case, the extended period of time seems to have been unwarranted. After all, the company website established to ostensibly assist affected individuals has been plagued by accusations of inaccuracy and insecurity.

"Regardless of timing, pre-set processes by which companies notify customers of a breach should be part of their post-breach responsibilities."

It's important to note that this is not just a problem between companies and customers or citizens. Notification is no better within many enterprises generally. A recent survey found that nearly 40 percent of U.S.-based, in-house attorneys and general counsel fail to disclose security issues to their board. In such cases, failure of clear governance makes companies — and everyone who connects to them through a network — far less secure.

Regardless of timing, pre-set processes by which companies notify customers of a breach should be part of their post-breach responsibilities. If companies are expected to provide guidance on how to deal with the aftermath, then they should prepare guidance beforehand or within a reasonable period post-breach (and held to account for their inability to provide guidance). At the same time, in order for an enterprise to ensure that its cyber-resilience strategy is effective, there need to be clear rules and timelines for managers to share information with company leaders.

Third, the government's role in the wake of a breach needs to be more clearly defined. The immediate aftermath of a breach usually centers (generally unhelpfully) on assigning culpability rather than focusing on the victims or on creating policies that would prevent breaches.

The U.S. (like other governments) made a policy choice to give organizations principal responsibility for responding to cyber attacks. Governments, as in other national security matters, could assume principal responsibility themselves or could develop a policy to share responsibility among key stakeholders.

But even as organizations are held responsible, the government's duty to assist these organizations remains ambiguous. Governments have technical expertise as well as emergency response capabilities that do not have a clear trigger in the current policy environment. At the very least, clear rules and lines of responsibility would help to create reasonable expectations around cyber defense for the private sector.

As cyberattacks continue to increase, the Equifax breach will soon be seen as unexceptional. What will remain exceptional is a culture and policy posture that labors under a dangerous black-and-white assumption where privacy is pitted against security.

Over the past 20 years, there have been ever greater "calls to arms" to tackle cyber security. And yet billions of dollars of market value have evaporated owing to cyber incidents in the last year, not to mention the consumer impact.

That status quo is not sustainable.

Commentary by Daniel Dobrygowski and Walter Bohmayr.

Daniel Dobrygowski, lead for Trust and Resilience, World Economic Forum, is an attorney based in the U.S. whose practice and research includes privacy, security, intellectual property, and regulatory and competition law. He leads the World Economic Forum's efforts on trust and resilience, focusing on cyber resilience and digital identity, in its system initiative on Shaping the Future of the Digital Economy and Society.

Dr. Walter Bohmayr is a senior partner in the Vienna office of The Boston Consulting Group. He is the global leader for cybersecurity and IT risk, and a member of BCG's internal Risk and Audit Committee.