Equifax, Data Security, & a Compliance Carol – #SCW10

Jeff Man and Scott Lyons talk about current events in information security and compliance.

Recorded 12.10.2019

STATS: Jeff% | Scott %

PCI Counter: 0

Jeff Man 0:06
Welcome back to Security and Compliance Weekly. I’m your host, Mr. Jeff Man, joined by Mr. Scott Lyons. We’re both coming to you from the beautiful state of Maryland today. A couple of announcements before we jump into the news: RSA Conference 2020 is coming up February 24th – 28th. If you register early, that is by January 24, you get $900 off a full conference pass. But you can also get a $150 extra discount if you go to securityweekly.com/RSAC2020 to find our code to use to register for that discount. We hope to see you there. Also, we are currently running, at Security Weekly, our annual listener feedback survey. So go to our website, securityweekly.com, look for the survey tab, click on that, and then select 2019 listener survey to submit your responses. We look forward to hearing what you think about our shows.

All right. News of the Week. Since we’re a Maryland-only host crew today, I thought we should start with the Maryland article, where Maryland again amends its data breach notification law. Now, I was looking at this article, Scott, and basically, it seems like the big change, and I guess I would commend Maryland for this, is that they change and update this thing every couple of years, it seems. The biggest change, it looks like, if I can find it again, I guess there were two changes: one was sort of qualifying that you’re not only in possession of personal information, but you also, quote-unquote, maintain personal information. And I guess they call that out and then define what maintaining personal information is. And then there were some stipulations about, you know, what you’re allowed to do or not do in terms of breach notification with the information that you have about it. And we live in Maryland. What do you think, Scott?

Scott Lyons 2:22
We do, and Maryland’s maintaining the tried and true tradition of the last couple of years of saying, hey, you know, we care about digital privacy, we care about online rights, and especially about Maryland residents. You know, “maintain” is the big part in this article. But let me point this out. It says in here: if the business that incurs the breach is not the owner or licensee of the personal information, the business may not charge the owner or licensee a fee for providing information that the owner or licensee needs to make a notification. Right? Businesses these days, they like to do everything they can to make a buck. So, hey, you know, we got breached, pay us a fee, we’ll tell you whether or not you’re part of it. Right? Maryland is taking an extra step here that I don’t think we’ve seen with other states, to say that, you know, it’s not pay-to-play, you can’t put this information behind a paywall. You know?

Jeff Man 3:29
Yep. Yeah, I was slightly confused about what that segment of the article meant. So I thank you for clarifying, at least, what we think it means. I think that’s what it means. It sounds pleasant.

Scott Lyons 3:45
I mean, that’s the way that I would interpret it. But hey, I’m not a lawyer, you know?

Jeff Man 3:49
Right. And neither am I. Speaking of lawyers, you know, sort of the, I guess, the premier article or news story for our segment anyway, and it hasn’t happened yet, but there was an article that came out talking about the Equifax settlement that’s being negotiated. And it seems like they’re getting close to, you know, sort of settling on the terms, but they’re projecting that the settlement for the Equifax breach could cost up to $3.5 billion. And, you know, without getting into the details and carving up the number, some of that number is in terms of, you know, fines and fees and replacement costs. And there’s lots of civil suits that have been filed against Equifax. But I’m curious what your interpretation or impressions are, because, you know, we talk long and hard, when we’re talking to our customers, about how much they should spend. What’s the appropriate amount of investment, this thing that we call risk-based determinations of security or compliance? How do you fold that in? Okay, this is real world. This is a company that rolled the dice, in whatever way, shape or form, and they lost, and they’re going to end up spending $3.5 billion, which is a huge number. How do you take that and translate it back to your customers, my customers, and try to explain to them, not in a FUD kind of way, but in a “well, this could happen to you, and this is what you need to think about in terms of dollars and cents” kind of way?

Scott Lyons 5:38
Let’s have a sanguine thought about what happened with Equifax. Right. We have not only the breach, but we also have insider trading prior to the breach notification going on. We have the notification hijinks that went on themselves, and then wasn’t there something that Equifax put out about checking whether or not you’re part of the breach, but in accepting the terms of checking, you release all liability for future lawsuits against Equifax?

Jeff Man 6:09
Yep. Yep.

Scott Lyons 6:09
So, 3.5 billion. Okay, great. How is that paid out? What are the terms? Right? Who’s eligible to take that? And is it actually going to happen immediately? Right? Could this be delayed another year? Another two years, right? Could it be held up in courts? You know, we have yet to see a major ramification due to a breach of this nature. Now, we have had companies shut down from breaches, right? There’s maybe one or two, but usually, unfortunately, companies look at any press as good press, right? Whether it’s bad or it’s good, it doesn’t matter, press is press, right? Look at what happened with Ashley Madison, right? Now, unfortunately, Ashley Madison and Equifax are two separate companies, right? Whereas Ashley Madison cares about, you know, what Ashley Madison does, Equifax cares about holding credit reports for every single person in the country and being one of the trusted sources, along with TransUnion, for, you know, creditworthiness, how well you are at paying your bills, as a determining mark for people in the country. But…

Jeff Man 7:21
So, Equifax, Ashley Madison: getting screwed, being screwed, screwing yourself by screwing others, where does that all fall?

Scott Lyons 7:31
Well, it is it is the holidays. And we could say you’ve been “Scrooged”. You know?

Jeff Man 7:33
Yep. You could say that.

Scott Lyons 7:36
It’s gonna be really interesting to watch how all of this unfolds, right? But at the end of the day, Equifax could have mitigated all of this by doing the basics. They weren’t doing the basics, you know?

Jeff Man 7:58
Well, and this is where, you know, maybe we should have a topic one time where we just sort of do a case study of Equifax, because there’s the not doing the basics, and I’m going to go out on a limb and say, from a security perspective, versus whether they were covering the basics from a compliance perspective, and where that intersects. I guess, if you’re trying to be more sort of analytical, I would love this to start with taking a look at 3.5 billion: what’s the percentage of that of Equifax’s, let’s say, annual revenue, or, you know, their value? And try to extrapolate that. And I’m making this up, I don’t know the answer to that, but let’s say 3.5 billion is 10% of Equifax’s value. Is that a valid talking point to go forward to your customers, my customers, that are probably somewhat smaller than Equifax, and say, hey, look, here’s the big guy that got popped, and here’s all the reasons why they got popped, and here’s how they made it worse for themselves, here’s what they could have done better, could have done worse, but as a lesson learned for you on what not to do or how to avoid this. You know, be prepared, you could lose 10% of your value in terms of fines if you don’t do something. To me that’s a pragmatic approach. What do you…

Scott Lyons 9:35
Not just that, but there should also be golden handcuffs for C-level execs, right? The golden handcuffs look like this: if your company is part of a breach, and, you know, your C-level exec either had knowledge of the breach, right, was keyed in some way, shape or form, is really what I’m trying to say, anywhere from two weeks prior to the notification, right, then the C-level exec should be hit, you know, because that’s when the insider trading happened. You know?

Jeff Man 10:11
Right.

Scott Lyons 10:11
Now, in doing that, are we saying that all breach notifications are going to have at least a two-week runway? Right? There needs to be a penalty for that as well, to keep those golden handcuffs in place, you know?

Jeff Man 10:30
Right.

Scott Lyons 10:31
So, and that’s towards the selling of stock, the trying to profit on the front side of a breach notification, right, before you know that the P/E is going to drop for shareholders. So how do you not only mitigate the breach, but also how do you keep the C-levels in line when they know about it?

Jeff Man 10:53
Right. Yeah, it’s not as much insider trading as it is insider selling.

Scott Lyons 11:00
Yeah.

Jeff Man 11:00
And, you know, me, you, Joe Citizen think, yeah, there ought to be some punishment. And there rarely is.

Hey, real quickly, because I know that you’ve got to wrap soon, the article that you posted, “Corporate compliance efforts count, but with limits.” Any thoughts or comments on this article?

Scott Lyons 11:21
Well, the article is built around increasing consideration of a company’s efforts to prevent legal infractions before they happen. Right. In speaking about the Foreign Corrupt Practices Act, that’s really where this is aimed, right: the principles known as the Filip factors, on how to decide whether to criminally charge a corporation. Right?

Jeff Man 11:51
Gotcha.

Scott Lyons 11:54
So, I mean, it’s sort of like having various things in your car to prevent an accident, like a seatbelt. And what the article is trying to do is to point out that corporate compliance efforts are akin to having that seatbelt, so having a mitigative way of being able to deal with something before it’s a problem.

Jeff Man 12:19
Well, that’s potentially an interesting analogy, because, you know, if you use car safety as an analogy, you’ve got safety belts, which require user intervention for them to actually work, versus something like an airbag, which, arguably, you still need to have the safety belt in place to get the full value or usefulness out of, but with airbags you don’t necessarily have to do anything to extend it. Interesting perspectives, and we should take this up again some time, but I know we need to wrap. Appreciate you jumping on today, Scott. I hope things go well with Josh and Matt, wherever they are, and let’s get together again next week.

Scott Lyons 13:07
We will.

Jeff Man 13:08
All right, so everybody out there, stay secure, stay compliant. Hopefully, they’re the same. Hopefully, they’re interrelated. Till next time.
