Axios published an article recently noting that a year after major credit reporting agency Equifax suffered a data breach, almost no changes have been made to cybersecurity regulation.
In an article titled “After Equifax’s Mega-Breach, Nothing Changed,” Axios notes that a year after the hack of credit reporting agency Equifax, which was supposed to result in a number of changes to cybersecurity regulations, almost nothing has changed. Equifax announced last year that the personal data of approximately 145.5 million U.S. adults had been accessed, including Social Security numbers and a variety of other personal details.
It was expected that such a widespread data leak would result in massive changes to cybersecurity regulation — but it didn’t. Michelle Richardson, director of the Privacy and Data Project at the Center for Democracy and Technology (CDT), stated: “The initial interest that was implied by congressional actions didn’t pan out.”
Axios outlines what went wrong in its article, stating:
What was supposed to happen: After the first of several hearings involving Equifax, Sen. Chuck Grassley (R-Iowa), chair of the Judiciary Committee, said it was “long past time” for federal standards for how companies like Equifax secure data.
- Data security wasn’t the only anticipated reform. Congress appeared poised to create a national breach notification law governing how and how quickly companies must notify anybody whose personal information is stolen in a breach. Currently, to the chagrin of national retailers, those laws vary state to state.
- Several investigations were supposed to penalize the credit bureau for lax cybersecurity, including failing to patch the vulnerability hackers exploited despite government warnings.
What actually happened: The bills petered out.
The article notes a number of issues that experts claim caused the bills to fail, such as politicians' focus on social media firms and alleged Russian interference in elections.
Some state laws were, however, updated to deal with cybersecurity issues. New York, for example, added stricter controls around user data for credit bureaus operating in the state.
Other jurisdictions: While federal laws didn’t adapt to Equifax, state laws did. New York added strict cybersecurity controls for credit bureaus operating in the state.
- As the Equifax ordeal unfolded, the European Union had a massive data privacy law ready to go in its General Data Protection Regulation. California soon responded with its own.
- Ironically, pushback against California’s rules might have more impact on national policy than Equifax did.
Even without legislation, Equifax did cause a spike in financial firms investing in cybersecurity, at least at McAfee, said Gann.
Read the full article in Axios here.