On 7 September The Washington Post reported that a security breach at Equifax, a US credit rating bureau, resulted in hackers gaining access to personal data belonging to an estimated 143 million individuals. Apparently, the breach was due to an 11-year-old website application flaw that compromised the personal information of not only Americans but also British and Canadian consumers.
Amongst the stolen personal data are names, driver’s license details, credit card numbers, social security numbers and birth dates – basically the key ingredients for identity fraud.
This cybercrime shocker has rightly caused people to question the safety of their personal data. I mean, if it’s possible to hack Equifax, one of the biggest US-based credit reporting agencies, then how safe is the personal data held by smaller companies with fewer resources?
Had this event occurred under the EU’s General Data Protection Regulation (GDPR), which is due to come into effect in late May 2018, the implications would be significant. Equifax would most likely be facing sanctions in addition to the class action lawsuits it will have to deal with.
Remember, this data loss at Equifax is not an outlier: Experian in 2015, Yahoo in 2013 and 2014, all huge organisations holding tonnes of personal information. So how prepared are US companies? World-leading research and advisory company Gartner reports that only 50 percent of US companies affected by the GDPR will be fully compliant with it by the end of 2018.
The Equifax data security breach is a siren call that the time is ripe for increased awareness of data protection security and underscores the need for stronger data protection laws, so roll on the GDPR.
Under the GDPR, any company that suffers a data breach affecting the personal data of EU data subjects must report the breach to its supervisory authority within 72 hours of becoming aware of it. When Equifax informed individuals of the data breach, it acknowledged that it had learned of the breach on July 29. It only reported it on September 7. That’s far more than three days.
Does your company have a data breach incident response program in place so that you’ll be able to meet the 72-hour notice requirement under the GDPR? GDPR365 includes a data breach incident management service to facilitate your logging, assessment and reporting of data breaches to ensure your compliance.
Becoming compliant with the GDPR may seem like an onerous task, but the Equifax hack illustrates that it’s actually a big opportunity. By introducing the practices required by the GDPR, companies will improve data security and develop a culture of data protection in their organisations. Not to mention that it’s a requirement if they want to continue doing business in Europe.
image credit: https://www.cbsnews.com