The time frame for the Equifax hack is astonishing to me. I would say response times should be measured in minutes or hours, not months! Here’s a brief time line:
- May 2017: Criminals first gain access.
- July 2017: Equifax discovers criminals have gained access.
- September 2017: Equifax reports to its customers and constituents that criminals have stolen their names, birth dates, and social security numbers, information Equifax collected without their permission.
Can you believe anything like that could happen? Theft occurs. No security system is hack-proof. But how many banks can you rob, without officials discovering the crime when they open their doors the next morning? Have network security experts put all their effort into preventing access, and no effort at all into monitoring intrusion attempts, both successful or unsuccessful? I don’t think the latter possibility is too likely. I think network security systems have sufficient tools to detect intrusions, if human monitors don’t neglect their responsibilities.
Remember that CYA culture extends all the way up the chain of authority. Every single person in a large company like Equifax has an incentive to downplay the discovery of theft, because all employees want to protect their jobs.
Remember that CYA culture extends all the way up the chain of authority. Every single person in a large company like Equifax has an incentive to downplay the discovery of theft, because all employees want to protect their jobs. They will try to protect their employment first. If they perceive that theft of data from a company repository threatens their job, they will find a way to delay and divert. No one at the top of Equifax’s chain of command decided, we want to screw our customers, as well as everyone else whose private data resides in our computers. Equifax has nearly 10,000 people on the job. People inside a company like that do not move quickly when they see their own jobs at stake. That includes the CEO.
In the second half of our timeline, we have another two-month gap between detection and notification. Let’s look past CYA culture to ask, how can that be? Does Equifax think it has no responsibility at all to the victims of its own negligence? Every warning about identity theft starts with the first rule: act fast. When you discover a problem, do something about it right away. Don’t wait until thieves have a chance to do major damage. Yet Equifax placed all of its victims in exactly that position. It gave thieves plenty of time to use current, private data as they like.
One wants to ask, if Equifax waited two months to notify victims, why did they not wait longer? Did they think they might never have to notify anyone? Did they notify a few people, to comply with the law, and hope news would not dribble out to everyone else? What forced them into a major announcement during the week after Labor Day, two months after they knew about the crime? We will never learn that information.
I am not going to argue that we should have the Consumer Financial Protection Bureau issue rules that force companies to act in a certain way. Companies can always game and circumvent whatever system bureaus put in place.
I am not going to argue that we should have the Consumer Financial Protection Bureau issue rules that force companies to act in a certain way. Companies can always game and circumvent whatever system bureaus put in place. I do want to argue that we cannot account for self-protective dishonesty and gross negligence at Equifax, other than to say we find these characteristics everywhere. Universities, church parishes, and schools harbor sexual predators who prey on children. Governments conduct secret wars and kidnap prisoners overseas, then deny they have done anything wrong. Medical professionals practice fraud on a huge scale, mostly with government money. In that kind of environment, what is a little delay in detecting and reporting a computer hack? How much can a few extra months matter?
Equifax suffers a hit to its reputation, and must endure a few news cycles where people write articles like this one. Come Christmas, they’ll be back to business as usual, except they will try to have more safeguards in place. They will hope the next group of criminals is not so clever. Believe me, the hope is vain. From what we have already seen during the last several years, criminals are always more clever than people at the firms they hack. Criminals care more about what they do. If business firms did care about their responsibilities, every firm in the world with private data to protect would hire someone of Edward Snowden’s caliber to supervise network security.
This article focuses in legal requirements for disclosure, which vary from state to state. As you can tell from this post, basic business ethics govern here, not legal requirements. You cannot force people to do the right thing. They just have to do the right thing because it is right. In essence, Equifax practiced fraud on its customers, and on people whose private information was stolen. When you commit fraud on that scale, no one will touch you. As the article indicates, law enforcement agencies sometimes even request that business firms delay disclosure.