[BreachExchange] Senate Report Highlights Equifax ‘Neglect’ Before Data Breach (1)

[Destry Winant]

https://news.bloomberglaw.com/privacy-and-data-security/senate-report-highlights-equifax-neglect-before-data-breach-1

Equifax Inc.’s years-long failure to prioritize cybersecurity left the
company vulnerable to a data breach that exposed more than 145 million
Americans’ personal information, a Senate subcommittee said in a
bipartisan staff report.

The report comes amid a series of high-profile data breaches involving
Equifax and other companies that the Senate Homeland Security and
Governmental Affairs Permanent Subcommittee on Investigations will
probe in a March 7 hearing. Equifax CEO Mark Begor is scheduled to
testify.

Congress should enact legislation to establish “a national uniform
standard requiring private entities that collect and store PII to take
reasonable and appropriate steps to prevent cyberattacks and data
breaches,” the report said, referring to personally identifiable
information.

“Companies and government agencies, alike, must take steps to protect
the data consumers entrust to them,” subcommittee chairman Rob Portman
(R-Ohio) said in a statement. “And when that data is compromised, we
deserve to know as soon as possible so we can make sure criminals are
not taking advantage of us.”

According to the staff report, Equifax’s response to a cybersecurity
vulnerability was “inadequate” and affected by the company’s
inattention to cybersecurity.

“Equifax’s shortcomings are long-standing and reflect a broader
culture of complacency toward cybersecurity preparedness,” the staff
report said.

The company said it has made progress since the breach to strengthen
its operations by hiring new technology officers and IT security
professionals and increasing its technology and security spending by
$1.25 billion between 2018 and 2020.

“Equifax has cooperated with the Subcommittee in its investigation
and, while we do not agree with a number of findings and
characterizations in the report, we remain committed to being
transparent and cooperative, while sharing important learnings from
the 2017 incident with the cybersecurity community,” Equifax spokesman
Jacob Hawkins said in an email to Bloomberg Law.

Marriott International CEO Arne Sorenson will also face lawmakers at
the hearing, in his first Capitol Hill appearance since the company
disclosed a massive data breach involving its Starwood reservations
database system in November 2018.

“Both private and public entities should feel a sense of urgency to
bolster their cyber defenses, and these findings should finally
galvanize Congress, along with the Administration, to formalize best
practices for companies across this country and put in place
nationwide standards in order to adequately protect consumers,”
subcommittee ranking member Senator Tom Carper (D-Del.) said in a
statement.

Equifax didn’t have a written policy on patching known vulnerabilities
until 2015, according to the report. An internal audit that year found
a backlog of vulnerabilities that hadn’t been patched and a lack of a
complete inventory of the company’s IT assets, which limited its
ability to know about network vulnerabilities, the report said. The
patching issues remained before the 2017 breach, the report said.

“The Subcommittee also lacks a full understanding of the breach, as
the company failed to preserve relevant messages sent over an internal
messaging platform,” the report said.

Equifax’s two largest competitors, TransUnion LLC and Experian plc,
took different actions to respond to the known Apache Struts
vulnerability that led to the Equifax breach.

TransUnion and Experian “received the same information as the public
and Equifax regarding the Apache Struts vulnerability, but the
approach that each company took to cybersecurity was different from
Equifax’s,” according to the report. The scope of subcommittee
investigation included a review of the TransUnion and Experian steps.

Representatives from the Federal Trade Commission, the Government
Accountability Office, and the nonprofit Center for Internet Security
are scheduled to discuss how Congress could help prevent future
cyberattacks on a second panel.

The report also uses the Equifax case to suggest that Congress enact a
breach notification law and consider the need for more cybersecurity
threat information sharing between companies and the government.

Lawmakers should pass legislation “requiring private entities that
suffer a data breach to notify affected consumers, law enforcement,
and the appropriate federal regulatory agency without unreasonable
delay,” according to the report. All 50 states and District of
Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted data
breach notification laws that take various approaches to notification
standards.