Equifax fine punches a hole in data security culture
As with many breach settlements over the years, the Equifax settlement is large enough to make headlines but small enough that there is no long-term risk to Equifax. But the timing of the settlement serves as a warning to other companies of the risks they face in an increasingly data-focused economy.
The credit bureau will set aside $300 million to compensate breach victims, though that total could be as high as $425 million, according to court settlement documents. Consumers can also receive 10 years of free credit monitoring service, and Equifax will make it easier for consumers to dispute information in their credit reports. Equifax will also pay a $100 million fine to the Consumer Financial Protection Bureau and $175 million to the states, and will submit to regular third-party assessments of its security.
Banks and payment companies are already facing uphill battles to comply with regulations such as GDPR and PSD2, and are confronting a data breach epidemic. It’s been an unsuccessful battle thus far: Marriott and Google have already been fined millions of dollars over failure to adhere to GDPR’s data protection laws, and payment processors are all but begging for more time to meet PSD2’s stronger authentication guidance because of the complexity of the rules.
The Equifax settlement, which comes against this backdrop, puts an even more famous face on the issue of data security. The credit bureau was criticized at the time for how it responded to the breach, which affected nearly half of the American population, including suggesting that consumers provide personal data to one of Equifax's own products to determine whether they were victims. Equifax did not return a request for comment Monday morning.
There has been some concern that, given the company's size and the severity of the breach, the Equifax fines (the company was also fined less than $1 million in Europe over the breach) were not large enough to serve as a deterrent.
"While the amount of [the Equifax] settlement should sound a clear warning for other financial services firms, we have yet to see retailers, restaurants, hotels, airlines, social media websites or other types of organizations face similar fines," said Shirley Inscoe, a senior analyst at Aite Group. "Until fines are more in line with the resulting harm from data breaches for all industries, entities will not focus on improving security controls and consumers' data will never be properly secured."
In the two years since the breach, financial institutions, merchants and payment processors have moved forward with innovations such as digital ID, tokenization and artificial intelligence to move beyond static identifiers such as usernames and passwords in favor of security that is more flexible, transportable and amenable to digital commerce. At the same time, the encryption keys that protect payment technology are also improving.
Gartner estimates global security IT spending will reach $124 billion in 2019, up from $114 billion in 2018, with security professionals ranking privacy as the top concern, and ID management and data loss prevention among the top areas of focus for projects.
But these investments and fines may not be enough, or properly focused, as breaches continue to affect a variety of financial services, with attacks proliferating and coming from different sources.
Recent incidents at Quest Diagnostics and LabCorp simultaneously exposed health care and payments data, and a breach at Instagram showed how faster technology development cycles heighten breach risk. Part of the pressure Facebook faces over its Libra cryptocurrency also stems from a recent data breach.
The recent fines, coming in Europe and the U.S., set a precedent, according to Deepak Patel, a security evangelist with PerimeterX, adding that health care breach penalty models could be transferable to payments and financial services. Regulations under the Health Insurance Portability and Accountability Act determine fines based on the number of records breached, a practice the Federal Trade Commission could also adopt.
“The massive Equifax fine sets the baseline for future data breaches of sensitive data,” Patel said. “Make no mistake: All businesses dealing with personal data online are on notice.”
Payment companies and financial institutions may face pressure to execute a broader cultural change that reimagines how identity and payment card data are protected and the chain of responsibility inside the organization.
“Chief security officers tend to focus on fencing in the back office, but don’t have the business knowledge base or experience to see that breaches have to be addressed across the board,” said Madeline Aufseeser, a payments analyst and executive.
The growth of mobile and other digital payments, and of e-commerce, has overwhelmed institutions, Aufseeser said, resulting in a lingering culture in which securing account opening, payments, debit issuance and other tasks is not scaled up inside an organization, or becomes caught in ROI calculations.
“It’s under risk management sometimes, or under the P&L ‘owners,’ but is not a comprehensive strategy,” Aufseeser said. She added that the role of the chief security officer needs to be recast in a manner that is comprehensive and considers breach prevention and data protection across disciplines and business lines.