Filling the Cybersecurity Void

This article originally appeared in Future Tense, a collaboration among Arizona State University, New America, and Slate.

When the Canadian Privacy Commissioner’s office released the results of its investigation into the Equifax breach last week, it only served to highlight how little the U.S. government has done to address the 2017 incident, which affected the data of 146 million people.

So far, the United States’ attempts to rectify the weak security at Equifax or compensate victims of the breach have been relatively local and lackluster. Eight state banking regulatory authorities issued a consent order that required Equifax to conduct more risk assessment and internal audit programs for consumers’ personal data. The Government Accountability Office released two reports, one on the response to the Equifax breach and another on the need for better oversight of consumer reporting agencies.

But at the federal level, neither the Federal Trade Commission nor the Consumer Financial Protection Bureau has taken any steps yet to fine Equifax or force it to ramp up its security moving forward. Equifax is apparently anticipating that both agencies may soon impose penalties, according to its SEC filings. But in February, the CFPB wound down its investigation of the breach. The U.S. government may yet take strong action against Equifax, but it’s been a year and a half since the breach. The current federal government has shown repeatedly that it cares little about this incident, in particular, and data security in general—creating a void that the courts may be stepping in to fill.

In Canada, meanwhile, the government has recommended in its recent report that Equifax Canada “identify Canadians’ personal information that should no longer be retained by Equifax Inc. according to its retention schedule and delete it” and provide a third-party security assessment and audit to the Canadian government every two years for the next six years. Data minimization and third-party audits are both important steps for strengthening security, and it’s significant that the recommendations came from a regulator, especially since individuals don’t choose to directly hand over their information to credit bureaus and therefore can’t vote with their feet by deciding not to do business with Equifax anymore. Those provisions only apply to Equifax Canada and personal information held by the company about Canadians, unfortunately. But another massive breach from the recent past suggests there may be a way forward for the U.S. to take similar steps, even without the federal government’s intervention.

Also last week, Yahoo reached a $117.5 million settlement in a class-action suit brought by victims of three data breaches that affected roughly 3 billion accounts between 2013 and 2016. The settlement has garnered a lot of attention for creating the “biggest common fund ever obtained in a data breach case,” according to the plaintiffs’ lawyer John Yanchunis, but the fund money allocated to the breach victims and their attorneys isn’t the most important thing here. Essentially, the settlement does the work of the Federal Trade Commission by requiring substantial changes to Verizon’s security practices and investment, all without the FTC actually having to lift a finger. (The FTC may yet take further action against Verizon for the Yahoo breaches, but so far the only government penalties in that case have been a $35 million fine issued by the Securities and Exchange Commission for keeping the breaches secret from investors.)

The settlement includes a section on “business practice changes” that will be implemented by Verizon, which acquired Yahoo in 2017. (Verizon decided to buy Yahoo before the full scope of the data breaches was revealed, though Verizon did end up getting a $350 million discountwhen more information came to light.) According to the settlement, Verizon has committed to investing $234.7 million in improving security from 2017 through 2019, as well as maintaining an annual information security budget of at least $66 million and an information security team totaling at least 200 full-time employees through 2022. According to the settlement, those investments are four times what Yahoo was previously spending on security.

The settlement also details that the company has aligned its security program with the widely used National Institute of Standards and Technology Cybersecurity Framework (NIST is the agency that sets technical standards for government cybersecurity that are often implemented in private industry as well). Beyond using the NIST framework, Verizon also agreed to third-party security assessments for four years beginning in 2019. It even includes references to the new intrusion and anomaly detection tools and penetration testing implemented since the breaches.

The Yahoo settlement should be a clear warning for Equifax, which still faces major class-action lawsuitsin the U.S. It’s a sign that even in the absence of serious regulatory intervention, there may still be ways for it to be held accountable for its actions and—much more importantly—be forced to strengthen its data security efforts moving forward. A class-action settlement can’t necessarily do all the things that a regulator can. For instance, the recent report from the Office of the Privacy Commissioner of Canada recommends that Equifax Canada report on its security to the Canadian government every two years—an analogous requirement in the U.S. would probably require the insistence of a government agency. Similarly, it’s not clear that a court could order Equifax to go through the data held on U.S. people and delete any unnecessary information.

I’m still hopeful that the FTC may choose to take meaningful regulatory action against Verizon for the Yahoo breaches, but the Yahoo settlement makes clear just how much by way of security investments and improvements it is possible to extract from a company in court. The $117.5 million figure may scare Equifax—it’s a large sum by data breach settlement standards and Equifax’s revenue in 2018 was $3.4 billion, so a comparable settlement would total roughly 3.5 percent of the company’s annual revenue (close to the max fine of 4 percent annual revenues allowable under Europe’s General Data Protection Regulation). But that figure pales in comparison to the investment that Verizon has agreed to make in security moving forward: It will put nearly twice as much money toward security as it will toward that settlement just by the end of 2019. And it’s committed to spend nearly another $200 million on security in the three years after that.

Those are the changes that have the potential to make a real difference for consumers’ security moving forward and they will be vastly more expensive and more meaningful than the settlement fund. They’re also the type of changes that, in the U.S., we have long relied on the FTC to drive, but that may be increasingly less necessary.