Equifax’s egregious response to a hacking breach–it’s past time to take precautions
Well, it’s happened again. We should be used to it by now, but it’s still shocking. Here’s yet another massive cybersecurity breach by criminals who made off with social security numbers, birthdays, addresses, and in some instances, driver’s license numbers and credit card numbers. (See this NBC News report for more details.) This time the responsible company, Equifax–one of the largest credit reporting agencies in the US– really doesn’t seem to give a damn. And is it any wonder? The stolen data didn’t necessarily come from Equifax customers; most of the company’s customers are businesses that use Equifax for credit reports. The data is mined from credit card companies, banks, lenders, and retailers to help determine a consumer’s credit score. Even though an estimated 143 million people had their confidential, financial information stolen by criminal hackers, they may not have been an Equifax customer to begin with. The limited number of consumer customers who were damaged by Equifax’s breach is probably one reason why the firm’s response has been so inappropriate, lackadaisical, and frankly, shocking. It’s inexcusable.
Here’s what happened:
- the breach was discovered on July 29, but not reported publicly until six weeks later. This long delay occurred despite the number of people impacted and the severity of the impact to consumers.
- three top executives sold Equifax shares a few days after the breach was discovered. These executives include the chief financial officer; the president of U.S. information security; and the president of workforce solutions. Bloomberg estimates the total value of shares sold at $1.8 million.
- Chairman and CEO, Richard Smith, finally apologized to “consumers and our business customers for the concern and frustration this causes.” Talk about an understatement. How about too little, too late? (Notice the lack of mention of consumer customers.)
- changes occurred in senior executive ranks (sacrificial lambs, perhaps?) The company announced that its Chief Information Officer, and Chief Security Officer, would be leaving the company immediately. They were replaced by internal staff.
Here’s what they’ve done to mitigate consumer risks since disclosing the breach:
- consumers can check a website to see if they were affected.
- consumers can also call to get questions answered.
- U.S. customers can sign up for TrustedID Premier for identity theft insurance and alerts whenever their Social Security number is posted online.
- Equifax will mail notices to people who may have had their information stolen, including credit card numbers or information exposed on dispute documents.
- Equifax recommends that consumers pay attention to their credit card statements.
- the company recommends that consumers call the three major credit reporting agencies to ask for a freeze in opening new lines of credit under the consumer’s name.
Business and IT leaders: it’s past time to take heed
If you hold a senior position in a business or government agency, it is time to take action now, ahead of any breach that may or not happen sometime in the future. If you haven’t started already, it is past time to take cybercrimes seriously and prepare in advance of any threat or breach.
Wow, where to start? We’ve published extensively on this topic, providing recommendations for customer experience and marketing executives before and after breaches. Highlights from those research publications and blog posts are provided below. Here are three absolute takeaways to remember:
- address cybersecurity, physical security and hacking counter-measures IMMEDIATELY. Every single online organization on the planet is a potential target. Don’t wait until a cybercrime happens; get strong security and cybersecurity measures in place now and stay on top of it.
- develop a business contingency plan NOW for how you will address a hypothetical security breach. Get it all planned out–from countermeasures, customer communications, regulatory compliance–everything. Make sure the entire C-Suite is involved. Customers do not want to receive cryptic 2-line letters saying their accounts have been breached. You need to treat them as customers, and believe it or not, this is where the customer experience “rubber meets the road.”
- view the threat from security breaches as a Category 5 disaster (taking a page from hurricane categories). These breaches can destroy your customer base in a few hours and literally crush your ability to stay in business. No executives think it could happen to them (just like those folks who never bought flood insurance because it couldn’t happen to them.)
Handle with care: customer trust can be fragile
The potential threat to customer intimacy, privacy and trust is the urgent reason why CMOs and customer experience leaders must pay attention to cybersecurity measures before they happen–even if this seems pretty far afield for their expertise. The solutions for avoiding security breaches are not simple and easy to implement but the precautionary steps to take are straightforward and should be done in advance just in case those trusted customer relationships could be at risk:
- start a conversation and then, a collaboration, between the CMO, CIO, chief risk officer and chief security officer identifying actions and responsibilities before a breach ever happens.
- develop customer communication plans prior to any potential breach for how to approach customers and allay their fears.
- create proactive processes and programs to educate and assist customers with safeguarding their information at all times.
- view and follow DoD as the thought leader in cybersecurity measures, using its practices and guidelines as best practice.
- implement security precautions throughout the organization, with the goal of changing security risk behavior with every single employee.
- consider next-gen cybersecurity measures, such as software defined perimeters, to thwart threats, keeping in mind that tighter security = harder to do business with.
These steps must be done because the customer relationship stakes are too high to endanger. The amount of private, personal, confidential data about customers–gathered painstakingly through years of website interactions–must be protected. Remember to handle those trusted relationships and confidential customer information with care–it can be fragile.
CMOs, cybersecurity and the criticality of customer trust–it’s all tied together
Here are some steps the executive team can make prior to and after a security breach:
- collaborate. In the event of a breach, immediately work with the security and risk office to jointly issue all correspondence to customers.
- take safeguards. Prior to any breach, or risk of a breach or any thought of a breach, take safeguards that protect customers, starting with never requiring or requesting the customer’s Social Security Number. This is not just a Chief Security Officer responsibility; CMOs have co-equal responsibility. (However, this is easier said than done because some government agencies require SSNs, even though some states have made it illegal to ask for SSNs. For example, Medicare card numbers are the holders’ SSNs, which means that doctors’ offices throughout the country have all their patients’ SSN data. Honestly, this is really stupid.)
- encrypt customer data. Safeguard all customer data that is stored in digitally by encrypting it and then enforcing limited access to this customer data using strict controls.
- be proactive. Proactively provide guidance to customers about how they can best protect their information, including encrypting their devices. And issue regular information to customer about privacy policies and safeguards.
- enforce passwords. Regularly force password changes, including requirements for an 8-12 digit combination of special characters, numbers, and text. Use the same rigor that financial services companies apply, even if you are in a different industry.
- safeguard hard copy information. Make sure your organization doesn’t require customers to write down highly sensitive information on paper forms, which can be copied or stolen.
An interview with a cybersecurity expert: what customer experience leaders need to know about cybersecurity
This report is based on an interview with Juanita Koilpillai, a cybersecurity expert who is the CEO of Waverley Labs (a cybersecurity software and services firm) and co-founder of the Digital Risk Management (DRM) Institute (a nonprofit seeking to expand knowledge about cybersecurity risks.) Two important, nascent trends for 2017 she identified are:
• cybersecurity collaboration. In forward-looking companies, the lines of business execs (LOBs), the chief risk officers (CROs), chief security officers (CSOs), and chief information officers (CIOs) will begin in 2017 to collaborate with each other, and also with chief marketing officers (CMOs) regarding how to mitigate cybersecurity risks that could seriously deteriorate customer trust.
• software defined perimeter (SDP). A small but important number of large firms will begin shifting from fixed cybersecurity architectures to a safer and more flexible approach known as the software defined perimeter. This approach is more secure because it is more closed to intruders than architectures currently in use, but it needs to be considered carefully. Tighter security measures that safeguard customer information could also make it more difficult for customers to engage and interact with those firms. Finding the balance will be important.
Recommendations from the interview include:
- start a conversation and collaboration among CROs, CSOs, and CIOs about cybersecurity topic.
- take safeguards that protect customers, starting with never requiring or requesting the customer’s Social Security Number (SSN). (This can be difficult in some industries, such as health care.)
- encrypt customer data and enforcing limited access to this customer data using strict controls.
- proactively provide guidance to customers about how they can best protect their information, including encrypting their devices.
- regularly force password changes, and require an 8-12 digit combination of special characters, numbers, and text. Another precaution is having all teleworkers change their router passwords daily or weekly if the device is used for work purposes.
- apply the same rigor that financial services companies apply, even if you are in a different industry.
- safeguard hard copy information and minimizing or eliminating the amount of sensitive customer information collected and sent through the mail.
Get ready for the GDPR: talk to colleagues and vendors
The GDPR is the most sweeping revision to European privacy and data protection legislation ever. It replaces a directive that was passed in 1995 –before the commercial World Wide Web, before email, before Google search, and before the digitization and monetization of personal data on a massive scale. And it isn’t limited to the EU. The legal reach of the GDPR isn’t defined by geography but by the use of the personal data of European residents. It applies to any organization, located anywhere in the world that either offers goods and services to European residents or monitors their behavior. For affected firms, every single business process that touches personal data must be very carefully reviewed and, likely, redesigned to comply with the GDPR – or be scrapped. Failure to meet the requirements will invite fines of up to €20 million or 4% of the company’s global turnover, whichever is greater.
An effective response to the GDPR begins with building internal awareness of the challenges and opportunities it poses. Consider how this process should proceed from the affected lines of business (LOBs), including marketing or customer experience, sales, HR, and IT:
- get educated about GDPR. Look for online resources, or bring in a consultant for an advisory.
- find out who has been assigned to investigate the impact of the GDPR. In most organizations, this will be someone from compliance, legal, or IT.
- volunteer to help them understand how it will affect marketing. By offering assistance, you can draw some organizational attention to your department, and lengthen the time available for an effective response.
- analyze the current use of personal data in your line of business. For example, marketers know better than anyone how they use personal data.
- map the data flows in web content personalization or email marketing. If possible, find out what consents and stated purposes were attached to the data when collected.
- look at the extent and amount of personal data in a given marketing process and the business value it produces.
- identify and prioritize high-value, data-dependent processes for later comprehensive review and redesign.
- conduct a knowledge audit.
- network with other departments or teams and conduct a triage for organizational education about the GDPR.
- identify who needs to know about the requirements and opportunities– from HR to the board of directors, and how much.
Hopefully, all these precautions and preparations will be totally unnecessary and your organization will never undergo the financial impact, embarrassment, loss of customers and regulatory fines from a security breach.
But just in case . . . work to stop it from happening and be prepared for the worst.