Equifax announced on Monday that it has agreed to a record-breaking settlement related to its massive 2017 data breach, which exposed the personal and financial records of more than 148 million people. The settlement requires the beleaguered credit ratings agency to spend at least $1.38 billion to resolve consumer claims against it. It creates a non-reversionary fund of $380.5 million to pay benefits to the class of consumers harmed by the breach, including cash compensation, credit monitoring, and help with identity restoration.
Finally, Equifax must also spend $1 billion over the next five years to improve its data security. That’s on top of the $1.25 billion in security and tech investments Equifax said it has made since the breach occurred.
Damage from Equifax breach runs deep
These hefty penalties follow a string of stinging developments Equifax has labored under for nearly two years. In the immediate aftermath of the breach, and Equifax’s own botched effort to deal with the fallout, CEO Richard Smith left the company shortly after the abrupt retirements of CIO David Webb and CSO Susan Mauldin.
In late June, Jun Ying, former Equifax vice president and international CIO, was sentenced to four months in prison and ordered to pay around $117,000 in restitution and $55,000 in fines for insider trades of the company’s stock he undertook during the period between the data breach’s discovery and the public announcement of it. Last October, former Equifax engineer Sudhakar Reddy Bonthu was likewise sentenced for insider trading and ordered to pay financial restitution, although Bonthu was sentenced to eight months of home confinement rather than a prison term.
In late May, investor ratings giant Moody’s slashed the outlook on Equifax from stable to negative in the first such downgrade attributable to a cyberattack. At the time of the downgrade, Moody’s said it didn’t see a brighter future for Equifax due to its breach-related expenses, which, at the time, Moody’s judged to be around $400 million for 2019 and 2020.
U.S. authorities aren’t alone in sanctioning Equifax for what the House Oversight and Government Reform Committee called an “entirely preventable” breach. Last September, the UK’s data regulator, the Information Commissioner's Office (ICO), fined Equifax £500,000 ($664,000) for failing to protect the personal data of around 15 million Brits affected by the breach.
Equifax did get something of a break with the timing of the ICO’s fine because its breach happened too soon to get caught by the much more financially punitive regime of the EU’s General Data Protection Regulation (GDPR), which went into effect in May 2018. The GDPR’s rules could have cost Equifax 4% of its global revenue or around $136,000,000, an amount more or less on par with two recent fines levied by the ICO against other corporations for their data breaches.
In early July, the ICO announced it plans to fine British Airways more than £183 million (around $230 million) after hackers stole the personal data of half a million of the airline’s customers, including their payment card data, in a breach that began in June 2018. Also in early July, the ICO said that it plans to fine U.S. hotel group Marriott International £99.2 million, or around $123 million, related to a data breach discovered in 2018 but possibly dating back as far as 2014. That breach, which affected Marriott’s Starwood group of hotels, exposed the private data of around 339 million guests.
Fines don't add up to better security
Yet amid these and other recent high-profile and costly data breaches, it’s still axiomatic among information security professionals that many, if not most, C-suite executives at companies like Equifax, British Airways and Marriott shy away from placing the emphasis on cybersecurity needed to avoid these kinds of financial reckonings. Whether the increased visibility and pressure of these highly public repercussions of lax security will propel corporations to pursue stricter security measures and invest in better digital safeguards remains an open question.
According to a declaration by Mary T. Franz, an expert witness in the Equifax consumer class-action litigation and founder of the technology, e-discovery, cybersecurity and forensics firm Enterprise Knowledge Partners, major, damaging data breaches do spur corporate cybersecurity spending, but the spike comes right after the breach and then peters out over time. “I have observed a pattern across many industries in which corporations provide ample funding to information security departments in the aftermath of a data breach. After a year or two, however, the companies drastically scale back information security funding, often before all of the planned security improvements have been completed,” she wrote in her declaration attached to the settlement agreement.
Franz lays out ambitious plans that Equifax should pursue as it starts spending the $1 billion it has agreed to invest in security improvements over the next five years. Noting that “Equifax’s pre-breach cybersecurity controls fell short of industry standards,” Franz offers a number of suggestions for rectifying the company’s deficiencies, starting with a NIST-based comprehensive security plan.
Taking the Equifax breach to heart
Norm Siegel, one of the co-lead counsel on behalf of consumers in the Equifax settlement, thinks that security professionals and executives should take the Equifax breach to heart. “We were able to secure meaningful data security improvements, including a major capital commitment backed by a court order, which is another important feature of this settlement that perhaps will be a deterrent to” executive neglect of cybersecurity, he tells CSO.
Failure to heed the lesson of Equifax’s security flame-out will likely lead even more companies down the disastrous path Equifax followed, with more high-profile lawsuits to follow. “Consumer protection attorneys continue to play a key role in holding companies responsible,” Amy Keller, another co-lead counsel in the Equifax settlement, tells CSO Online.
The settlement “demonstrates that consumers refuse to accept that data breaches are the ‘new norm’” and “not only [compensates] consumers for the time and money they spent as a result of the breach, but also [ensures] that consumers have the tools necessary to protect themselves in the future,” she says.
The message is clear, according to Keller. “If companies profit off of your data, then they owe you a duty to protect that data.”