It happened. One of the largest collectors of private information, Equifax, has had a breach. Just like so many other companies before it, Equifax is now facing the firing squad of questions – What exactly happened? Why did it happen? When did it happen? How did it happen? Followed by, What did you do to prevent this from happening? This particular breach, however, is quite unique. Let’s look carefully at the facts as we know them today.
- Equifax’s former CEO publicly admitted that Equifax did not meet its corporate obligation to safeguard the private, personal information in the consumer credit data it holds.
- The Apache Software Foundation issued a patch in March for a vulnerability in its software. As of May 13, Equifax had not installed that patch. The failure to apply the patch is alleged to be the cause of the breach. The ex-CEO has apologized to the public for this failure.
- To compound matters, Equifax leaders are also alleged to have sold their stock before the company disclosed the breach to the public. Although they appear to have acted in accordance with corporate policy, and the sales may not be connected to the breach based on the emails and texts discovered so far, the public perception is still quite negative.
- The ex-CEO knew on July 31 that there was a vulnerability but (he claims) did not know the full extent of the breach until August 15.
- The reaction to the hack was also problematic. The company contracted outside counsel and informed the FBI on August 2, did not convene a board meeting to discuss the breach until September 1, mismanaged the website so that consumers had trouble accessing it to lock or freeze their personal information, and could not handle the influx of calls into its call center.
- To add to this timeline of complications, the consumers whose data was stolen did not even have a contract with Equifax and had not consented to the collection or storage of their data by the company.
It will take a long time before the Equifax case is fully understood and fully litigated. In the end, the company as we know it today may not continue to exist – at least not in its current form. There are important lessons to be learned from this case as we move forward.
1) Always be prepared to document and defend your decisions.
2) Understand that what might seem like a small violation today, may cost you the business tomorrow.
3) Transparency and integrity in business operations are paramount to success.
4) Closing your eyes to, or minimizing, problems such as a lack of patching, shadow IT, unsanctioned applications, or a lack of records is like playing Russian roulette.
As the dust settles around Equifax, we will continue to learn new facts and new lessons about how not to manage our business and our content. This case will be another one for the books, showing us that the consequences of our decisions are great.
Contributor: Galina Datskovsky