The financial regulator in New York state has reportedly subpoenaed credit-reporting agency Equifax in the wake of it disclosing a massive breach that affected 143 million U.S. consumers.
The subpoena, which New York's Department of Financial Services sent to Equifax on Sept. 14, demands additional details about the breach, including when the company discovered the intrusion and how it responded, among other information, according to Reuters, which first reported the news of the subpoena.
Officials at the state agency and Equifax could not be immediately reached for comment.
Data exposed in the Equifax breach, which affected 8 million New Yorkers, included names, Social Security numbers, birthdates, addresses, and in some cases drivers' license numbers.
Following Equifax's Sept. 7 public breach notification, on Sept. 18, DFS outlined recommendations for all chartered and licensed financial institutions in New York state, especially for organizations that work with Equifax data.
Recommendations included ensuring that all firms' software is running the latest patches, laying on additional call center staff to handle increased queries from consumers whose accounts or identities might have been stolen using information exposed in the Equifax breach, as well as including extra checks to ensure that information contained in Equifax credit reports is accurate, because the integrity of the data could have been compromised by attackers.
"Given the seriousness of this breach, the potential harm to consumers and our financial institutions, and in light of the fact that a number of financial institutions have arrangements with Equifax under which financial institutions provide consumer account and debt information to Equifax and receive similar information from Equifax, DFS is issuing this guidance to ensure that this incident receives the highest level of attention and vigilance at New York's regulated institutions," Maria T. Vullo, the state's financial services superintendent, said in a statement.
This year, New York became the first state to pass its own cybersecurity regulation covering the financial services sector, much of which took effect March 1 (see Gauging the Impact of New York's New Cyber Rules).
Since Aug. 28, "banks, insurance companies, and other financial services institutions regulated by DFS are required to have a cybersecurity program designed to protect consumers' private data; a written policy or policies that are approved by the board or a senior officer; a chief information security officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York's financial services industry," according to DFS.
In addition, all covered entities must report "cybersecurity events" to DFS via an online cybersecurity portal, or else file a notice of exemption in the few cases in which this might apply.
Any organization that violates the DFS cybersecurity rules can be prohibited from doing any business in New York or with the state's consumers.
New York Governor Andrew M. Cuomo has proposed that all credit-reporting bureaus - including Equifax, Experian and TransUnion - be made to comply with the DFS cybersecurity regulations.
If Equifax had been covered by those regulations, it would have been forced to notify state regulators within 72 hours of having discovered its breach, rather than waiting 40 days to issue a public breach notification (see Data Breach Notifications: What's Optimal Timing?).
Equifax says it was breached after it failed to patch a known vulnerability in its Apache Struts web platform in March, which attackers subsequently exploited.
The breach is now the focus of a criminal investigation by the FBI.
In addition, Equifax is facing investigations by at least 40 state attorneys general, probes by the Federal Trade Commission and the U.S. Securities and Exchange Commission, hearings on Capitol Hill and inquiries and investigations from regulators in Britain and Canada, where some consumers were affected by the breach. The company is also facing consumer lawsuits in the United States and Canada, and legal actions by financial services firms whose customers' payment card details were exposed (see Credit Union Sues Equifax Over Breach-Related Fraud Costs).
Following the "retirement" of the company's CIO and CSO, on Tuesday Equifax CEO Richard Smith likewise "retired" and was succeeded by Paulino do Rego Barros, Jr. - who most recently served as president of Asia Pacific for Equifax - as interim CEO. Equifax says Smith will forego his severance package and 2017 bonus, and assist the company for up to 90 days.
Smith, who in 2016 received a pay package of nearly $15 million, and who holds stock in the company currently valued at $29 million, although not all of it has vested, has deferred any additional payments and compensation that he's due until after the Equifax board concludes its cybersecurity investigation, a spokeswoman told Information Security Media Group (see After Mega-Breach at Equifax, CEO Richard Smith Is Out).
If the board doesn't find fault with Smith - as the board of Wells Fargo did over its accounting scandal, reclaiming tens of millions of dollars in compensation from former CEO John Stumpf and Carrie Tolstedt, former head of its community banking division - he could ultimately walk away with $90 million, Fortune reports.
Information security experts say it will take more than Smith's resignation to fix endemic data security and privacy problems in the credit-reporting sector.
"Smith is taking the fall for the whole broken industry," says William Hugh Murray, an executive consultant and trainer in information assurance.
"He is rightfully criticized for the poor response, but he was limited by what he could do without breaking the business model of the industry," Murray adds. "Imagine granting the damaged subjects free access to their own data when the industry has an entire line of business that relies on the right to make money off of people whose identity has been put at risk."
Chris Pierson, chief security officer and general counsel for payment services firm Viewpost, says that the Equifax breach is a reminder that for all organizations, the board of directors is ultimately responsible for all information security matters and for creating and fostering a strong cybersecurity culture.
"Cybersecurity is a board-level matter; it must be about enabling the business and understanding and mitigating risk, and about trust and goodwill," he tells ISMG. "If the current technology professionals are unable to have a seat at the business table, then companies must find the business and risk person who is a cybersecurity expert and give them the seat at the table.
Big Breach Trifecta
Equifax is just one of a trifecta of big breaches that have come to light in recent weeks.
Deloitte this week revealed that its Microsoft Azure cloud service had been hacked, apparently in March, and that 5 million internal emails may have been exposed. Some of the exposed emails stored by the "big four" accounting firm may have also contained attachments with sensitive or security-related details.
Another organization that recently issued a data breach notification was none other than the U.S. Securities and Exchange Commission, which oversees how public companies issue their own breach notifications. The SEC says its EDGAR document-filing system got hacked in May 2016. But the agency only disclosed the breach last week, noting that stolen, non-public data obtained by attackers "may have provided the basis for illicit gain through trading."
On Tuesday, SEC Chairman Jay Clayton, who took office in May, appeared before the Senate banking committee, where he issued a mea culpa, vowing that the agency would sharpen its own information security practices.
At the hearing, Clayton was asked directly about the Equifax breach, but he declined to address it. He did, however, call on public firms to better disclose any and all cyber risks they face (see SEC Chair Wants More Cyber Risk Disclosure From Public Firms).
"We expect people to constantly assess," Clayton testified. "When they have notice of a cyber breach, we expect people to constantly assess whether that breach is material to investors, and when they determine that it is, make appropriate disclosure promptly."
Current SEC rules require companies to report cyber risks and breaches, but only if they pose material risks to investors. Individual companies get to determine what constitutes a material risk. And as Sen. Mark Warner, D-Virginia, noted during the hearing, many businesses appeared to be reaching nonsensical conclusions, such as Yahoo, which had not disclosed to the SEC a breach that exposed 500 million users' records.
Warner also cited a study showing that since the year 2000, fewer than 100 out of 9,000 companies studied had ever had a breach that they believed was material.
"I find that absolutely unacceptable," Warner said.