Security News Survey – July 26, 2019

This week, we look at the “historic” Equifax data breach settlement and new research on the state of U.S. government cybersecurity.

One of the most painful realities of data breaches is that consequences are rarely a one-and-done event. Data breach fallout can be a long, drawn-out process that often leaves organizations entangled in a web of investigations and lawsuits for years. 

Equifax reaches largest-ever data breach settlement

The time is coming for Equifax to pay the piper for its disastrous data breach of 2017, which exposed sensitive information—including Social Security and driver’s license numbers—of at least 145 million people. Early this week, a settlement for the data breach was given preliminary approval by a federal judge, with parties agreeing to a payout of up to $700 million to put an end to federal and state investigations. Investigators and attorneys pursuing damages have criticized Equifax for insufficient security measures to protect consumer data and for poor handling of the breach response.

The $700 million figure represents the biggest data breach settlement to date and, hopefully, serves as a sobering reminder to organizations for the potential ramifications of a data breach. Of course, to the millions of American consumers whose data was exposed, the payment may come as too little too late. Letitia James, New York attorney general, argued that “Equifax put profits over privacy and greed over people,” claiming that accountability is critical. 

Many lawmakers in the U.S. seem to agree with James’ sentiment, and some have even gone as far as to suggest that the $700 million settlement—despite its historic price tag—isn’t punishment enough. The conversation has yet again circled back to the issue of federal legislation—or lack thereof, rather—to hold companies responsible for consumer data. While European lawmakers have implemented regulations like the GDPR, Congress has been unable to reach an agreement on federal standards for consumer data protection. Vocal privacy advocate Senator Ron Wyden scoffed at the settlement agreement, arguing that “in a just world, [Equifax] executives would be going to jail” for what he deems a “predictable, easily avoidable hack.” 

Data privacy and protection is becoming an increasingly prominent topic of debate among federal and state lawmakers in the U.S., and it’s only a matter of time before more legislation starts appearing. California was the first state to pursue and pass legislation to this effect, with the California Consumer Privacy Act (CCPA) timed to go into effect on January 1, 2020, and aimed at giving residents basic data privacy and protection rights. 

Federal and state government representatives themselves should be particularly concerned by the rise in data breaches, not just in terms of protecting their constituents but also ensuring that their own respective agencies aren’t contributing to the problem at hand. 

Millions of government records exposed since 2014

New data reveals that government agencies themselves have suffered massive data breaches in recent years. Technology research company Comparitech has found that more than 160 million government records have been exposed in 443 data breaches in the last five years. According to the research, the U.S. Postal Service and the Office of Personnel Management appear to be at the top of the list in terms of most vulnerable agencies. The USPS suffered the exposure of 60 million records, while the Office of Personnel Management suffered at least 21.5 million exposed records. The research also revealed that the Department of Health and Veterans Affairs (VA) were most frequently hit by breaches, with 29 breaches and 33 breaches, respectively.

Hawaii, Nebraska, and West Virginia are the only states to boast no breaches on record during the time period, and, unsurprisingly, California suffered the most. If that trend continues, the CCPA will be put to the test quickly and frequently next year.