By now most everyone in the United States has heard something about the Equifax data breach. It's natural to feel a bit on edge about what happened, but did we learn anything substantial as a result of the events that took place?
When someone's information is exposed in a data breach, it can cause panic and concern. The good news is that many of the most effective preventative measures were already within reach, and the breach has brought to light their importance and the need for continued diligence. Anyone's credit information, paired with the right credit protection tools, can help defend against fraud and identity theft after a data breach event.
For years, industry experts have suggested that consumers check their credit reports, consider placing credit freezes or fraud alerts, and contact the major credit bureaus. The breach has provided new focus and, if anything, should have taught all of us as consumers that monitoring our credit is not a one-time thing and should be part of an ongoing process to ensure our creditworthiness. Just like implementing information security, it is a journey, not a destination: it is ongoing and requires continuous attention. You wouldn't drive a car without brakes; you won't do business without proper security controls in place.
There are important lessons that any institution can take away from the events that resulted in the breach at Equifax.
Security is often incorrectly framed as a choice, usually a decision between security and privacy. Size and complexity don't matter if you want to be in business and process confidential information; you must protect it. Improving an institution's security is a necessity and can lead to greater privacy. With an even greater emphasis on privacy, institutions will create a corporate culture that values security. I've been calling it Ken's Golden Rule for years: "If you treat all data you work with like it’s data about you or your family, you will typically handle it securely and ensure its privacy." Security isn't an end in and of itself. It is a mechanism to protect important values, one of which is privacy.
Being prepared for the eventuality of a breach with a robust Incident Response Plan is critical, as outlined by the NIST Cybersecurity Framework. Being prepared can assist with appropriate notifications after a breach and reduce the reputational impact. When a breach does occur, evidence should be preserved, and it will likely be useful to employ outside counsel and outside digital forensics experts to investigate the breach. If such an investigation is conducted by internal resources, the results of that investigation might not be protected by attorney-client privilege. Spoliation of evidence poses a significant danger in responding to a data breach. A finding of spoliation can result in substantial court sanctions.
Note: The spoliation of evidence is the intentional, reckless, or negligent withholding, hiding, altering, fabricating, or destroying of evidence relevant to a legal proceeding.
Shaurette is FIPCO director – IT Services and can be reached at 608/441-1251 or firstname.lastname@example.org.