An investigation into the Equifax data breach has condemned the company’s poor security standards and urged politicians in the States to look to the GDPR’s example to minimise chances of a similar breach taking place in future.
The 67-page report, which was put together by the US Senate, proposes that organisational mismanagement of personally identifiable data should be punished by law, as happens under the GDPR.
The document also says that Equifax knew about its cyber-security inadequacy in 2015 – up to two years before the breach took place.
The report said:
“Equifax was unable to detect attackers entering its networks because it failed to take the steps necessary to see incoming malicious traffic online.”
Now, Senators are saying that the case proves America’s need for a formal, unified legal framework dedicated to the protection of personally identifiable information of residents across the whole of the country.
The proposal read:
“Congress should pass legislation that establishes a national uniform standard requiring private entities that collect and store PII to take reasonable and appropriate steps to prevent cyber attacks and data breaches.
“Several cybersecurity recommendations, including a widely known framework from NIST, already exist. However, the framework is not mandatory, and there is no federal law requiring private entities to take steps to protect PII.”
Congress has been encouraged to pass legislation that would force companies to notify victims, regulators and all other relevant authorities of a data breach “without reasonable delay”.
Currently, there is no law applicable to all 50 States that obliges private organisations to inform data breach victims that an intrusion has occurred at all. This is in contrast to laws binding organisations that process the personal details of EU residents, which must inform regulatory bodies of a data breach within 72 hours of it being discovered.
“All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring data breach notification laws. In the absence of a national standard, states have taken significantly different approaches to notification standards with different triggers for notifications and different timelines for notifying individuals whose information has been stolen or improperly disclosed,” the report continues.
US politician Elizabeth Warren also recently advocated a legal amendment that would establish criminal liability for executive officers of major corporations found guilty of negligence.
The Corporate Executive Accountability Act would impose financial penalties, and even prison sentences, on C-suite members in the States who work for firms that suffer data breaches.
Since news of the breach broke, Equifax’s data security troubles have been a constant source of inspiration for legislators and organisations around the world seeking to bolster data privacy practices.