Privacy - April 23, 2019

IS THE U.S. GOVERNMENT GETTING ANY BETTER AT PROTECTING CONSUMER DATA?

Looking back at the Equifax breach in 2017 shows how little the Federal Trade Commission or the Consumer Financial Protection Bureau have done to prevent similar incidents in the future.

When the Canadian Privacy Commissioner’s office released the results of its investigation into the Equifax breach, it only served to highlight how little the United States government has done to address the 2017 incident, which affected the data of 146 million people.

So far, the United States’ attempts to rectify the weak security at Equifax or compensate victims of the breach have been relatively local and lackluster. Eight state banking regulatory authorities issued a consent order that required Equifax to conduct more risk assessment and internal audit programs for consumers’ personal data. The Government Accountability Office released two reports, one on the response to the Equifax breach and another on the need for better oversight of consumer reporting agencies.

But at the federal level, neither the Federal Trade Commission nor the Consumer Financial Protection Bureau has taken any steps yet to fine Equifax or force it to ramp up its security moving forward. Equifax is apparently anticipating that both agencies may soon impose penalties, according to its Securities and Exchange Commission filings. But in February, the CFPB wound down its investigation of the breach. The U.S. government may yet take strong action against Equifax, but it’s been a year and a half since the breach. The current federal government has shown repeatedly that it cares little about this incident, in particular, and data security in general—creating a void that the courts may be stepping in to fill.

In Canada, meanwhile, the government has recommended in its recent report that Equifax Canada “identify Canadians’ personal information that should no longer be retained by Equifax Inc. according to its retention schedule and delete it” and provide a third-party security assessment and audit to the Canadian government every two years for the next six years. Data minimization and third-party audits are both important steps for strengthening security, and it’s significant that the recommendations came from a regulator, especially since individuals don’t choose to directly hand over their information to credit bureaus and therefore can’t vote with their feet by deciding not to do business with Equifax anymore. Those provisions only apply to Equifax Canada and personal information held by the company about Canadians, unfortunately. But another massive breach from the recent past suggests there may be a way forward for the U.S. to take similar steps, even without the federal government’s intervention.

Also earlier this month, Yahoo reached a $117.5 million settlement in a class-action suit brought by victims of three data breaches that affected roughly three billion accounts between 2013 and 2016. The settlement has garnered a lot of attention for creating the “biggest common fund ever obtained in a data breach case,” according to the plaintiffs’ lawyer John Yanchunis, but the fund money allocated to the breach victims and their attorneys isn’t the most important thing here. Essentially, the settlement does the work of the FTC by requiring substantial changes to Verizon’s security practices and investment, all without the FTC actually having to lift a finger. (The FTC may yet take further action against Verizon for the Yahoo breaches, but so far the only government penalty in that case has been a $35 million fine issued by the SEC for keeping the breaches secret from investors.)

The settlement includes a section on “business practice changes” that will be implemented by Verizon, which acquired Yahoo in 2017. (Verizon decided to buy Yahoo before the full scope of the data breaches was revealed, though Verizon did end up getting a $350 million discount when more information came to light.) According to the settlement, Verizon has committed to investing $234.7 million in improving security from 2017 through 2019, as well as maintaining an annual information security budget of at least $66 million and an information security team totaling at least 200 full-time employees through 2022. According to the settlement, those investments are four times what Yahoo was previously spending on security.

The settlement also details that the company has aligned its security program with the widely used National Institute of Standards and Technology Cybersecurity Framework (NIST is the agency that sets technical standards for government cybersecurity that are often implemented in private industry as well). Beyond using the NIST framework, Verizon also agreed to third-party security assessments for four years beginning in 2019. The settlement even references the new intrusion and anomaly detection tools and penetration testing implemented since the breaches.

The Yahoo settlement should be a clear warning for…

