The Equifax Breach Communications - Good or Bad?

I published a post for Trend Micro earlier today and so far it's generated a lively discussion. A lot of that feedback can be summed up as “What the $@:# are you talking about?” I'm guessing a lot of the security community doesn't share my high opinion of the way Equifax has communicated the breach, and rightfully so.

More information has come to light that dims the strong message initially communicated by Equifax. I'm not completely backing away from my initial post. I'll own the fact that this is not a good overall example of breach communications but there are some strong points that are important to call out.

Unfortunately they are now far, far outweighed by the bad.

I'm working on another post for Trend Micro (should be out early next week) that tackles the requirement for communications of the breach under GDPR and the new Canadian regulations but I wanted to address some of today's feedback directly here.

You can read the feedback for yourself via this Twitter moment. Other great posts to read are this one from Brian Krebs, this one by Joseph Steinberg for Inc., this one from Michael Hiltzik at the Los Angeles Times, and finally this one from Dan Goodin for Ars Technica.

There are a few key issues here that have been raised:

  • The six week wait between breach discovery and public communication
  • Self-discovery and protection for affected consumers
  • The sale of stock by executives between breach discovery and publication

I won't tackle the last issue since there isn't enough information publicly available to take a position beyond the fact that the timing looks very, very bad. It definitely doesn't help the already tense situation and should serve as a reminder that when a breach occurs the entire company falls under the microscope.

Six Weeks?

The breach was discovered 29-July-2017. Equifax publicly disclosed it 7-Sep-2017. We don't have any information that they approached law enforcement or privately notified consumers ahead of 7-Sep-2017.

So why the wait? Why 40 days with no word to consumers?

It appears to be motivated by protecting the company’s interests. Most data breach regulations call for immediate or quick disclosure of a breach, with regular updates as more information comes to light. However, a lot of states set a limit of no later than 45 days, so there is room for Equifax to argue here.

The challenge in any breach is trying to confirm facts as they are discovered. In this case, Equifax brought in an outside firm to conduct a complete forensic investigation. Given the scale of the company’s operations, it could have taken several weeks in order to conclude the investigation.

Does that mean it's the right move to wait? Doesn't the consumer have a right to know their data has been exposed?

GDPR in the EU and the new regulations in Canada definitely say "yes" to that question. In the US and its territories there are 52 separate data breach notification laws that contain a range of different requirements.

The good news is that most of these requirements call for the same timeline for disclosure: as quickly as possible without unreasonable delays.

The challenge here is: what constitutes an "unreasonable delay"? The argument can be made that waiting until a forensic investigation is complete and the extent of the breach is known is a reasonable delay.

In an ideal world, the public would be prepared for multiple notifications about the same breach. One initial notification letting everyone know a breach happened and additional follow ups as more information comes to light.

In reality, this is a major challenge for most companies.

For my initial post, I asked myself what could have been done earlier if the notification had been released sooner. In this case, if consumers had known earlier, the strongest step they could have taken would be to place a security freeze on their credit data. They can do that with...um...Equifax and its competitors: Experian, Innovis, and TransUnion.

Would it have been better for Equifax to make a public statement on July 29th? Absolutely. Would that statement have created a lot of problems for the company and impacted their stock price? Absolutely.

Given the mandate of the Boards and senior management, does making that first statement line up with their fiduciary duty? Or does waiting until the investigation wraps up and they have consumer support in place better align with that duty?

Learn More, Just Not Yet

The original notification from Equifax is still--despite the criticism--well phrased. I've long complained about the formulaic structure of breach notifications. That's understandable given the legal climate but still frustrating.

As I called out in the original post, the Equifax statement is clear about the situation. It focuses on the impact to consumers instead of Equifax and having the Chairman and CEO speak directly to the public does show ownership of the issue...no matter how stiff the delivery.

The problem—which came to light today as people tried to take the steps laid out in the notification—is that it simply did not hold water. This was at the centre of a lot of the feedback I heard today.

Dan Goodin at Ars Technica and Brian Krebs did a great job of detailing the specific issues with the website. The most troubling is that after you provide more information (most of your Social Security Number) to discover whether you've been affected, the site almost always returns a "check back later" type of message.

Brian Krebs used the term "sham" to describe this and I'm inclined to agree. Full disclosure here, I'm Canadian and can't test out the tool. I'm sure there will be a Canadian specific (and UK) version soon. Fingers crossed it works.

Essentially Equifax said all the right things but hasn't followed through.

Given the scale announced, it seems that it would have been simpler for Equifax to make a statement along the lines of, "Most consumers in the US are impacted by this breach. We're therefore offering these protection services to all US consumers with a credit history."

Costly? Yes. But probably not that much more than making the offer to 143 million US consumers...especially when you own the protection services.

Equifax Updates

Equifax is listening to the feedback from consumers, media, and the security community (also an oft-ignored part of breach communications). They updated their site with the following statement today:

That's a very positive step for them. It's an acknowledgment that they got some things wrong (much like this post is doing for me) and are adjusting on the fly.

Good for them.

Mea Culpa

I'll take full ownership that I got the initial post wrong. The initial overall response to this breach from Equifax was poor. The lack of immediate disclosure, the technical setup of the site, the legal waiver, the stock sales, and other issues didn't back up their notification.

The notification itself—and just the notification—was good. I stand by that.

A lot of companies don't focus on the affected users. In this case, Equifax holds a massive amount of data not on its users but on private citizens or "consumers." That's a completely different discussion around data brokers and data consent that needs to happen in a public forum. We’ll tackle that one another day.

As this situation has evolved, what has been your reaction? Given that you're probably affected by the breach, do you feel Equifax is responding well? Let me know on Twitter where I’m @marknca or here on LinkedIn.


Mark Fenton

Senior Investigator - Intelligence Division at Haywood | Hunt & Associates Inc.

7 years

Once again a business that has no idea how to properly implement security (maybe they do but it would cost them too much). These guys should be hung, drawn and quartered. A company that stores this much personal information and allows it to be stolen? Really? Equifax has no idea of the damage it has caused...well, maybe it does since they are now telling everyone they can't join a class action lawsuit. Maybe some jail time might smarten these guys up a bit.

Reply
Jonathan Blanchard

the skills shortage is a canard

7 years

Mark - communications is all about assumptions. Assuming that a deregulated consumer collections ecology operates from any ethical base on anyone's personal data when they're not hacked is a stretch at best. Thus, perhaps the outcome qualified observers and regulators could take away from this event might be - should #Equifax (or any other private organization) come to 'own' and profit from anyone's data? An informative article - https://www.ibtimes.com/political-capital/equifax-lobbied-kill-rule-protecting-victims-data-breaches-2587929 (FTR - your paper on notification is sound, they will ignore it - but good advice) Jon

Reply