News that Equifax has had to spend US$87.5 million and counting on its recent data breach should serve as a warning to Australian companies as the era of mandatory data breach disclosure approaches.
There are encouraging signs that consumers and businesses are taking the incoming laws seriously. But we need to look to the healthcare sector to understand the fundamental cultural shift that is needed for true progress.
Last week, Equifax reported that the cost of its efforts to clean up the mess from its massive data breach has reached US$87.5 million.
The escalating bill comes on the back of a cybersecurity breach that exposed the names, social security numbers, birth dates, home addresses and, in some cases, driver's licence details of up to 145 million people.
Of that US$87.5 million, US$14.9 million was for customer support.
“As a result of the cybersecurity incident, we are offering free credit file monitoring and identity theft protection to all US consumers,” said Equifax in its quarterly earnings report last week.
This kind of expense is going to become standard practice, which will act as a further deterrent against businesses underinvesting in cybersecurity.
As reported by CSO.com.au, consumers and businesses are already showing they are taking the issue more seriously. Extending the breach notification obligations that currently apply to healthcare providers, who must disclose breaches of personally identifiable information, to most organisations and companies will reinforce this sentiment.
As institutions that already operate under these laws, healthcare providers are an authority on this issue. But as bodies that are historically custodians of our most personal and private information, they are also models for how to structure safe systems from the ground up.
Before mandatory PII disclosure laws came into effect, the internal systems of hospitals, for example, were mostly offline and electronic health records were encrypted. To compromise a system like that, an attacker would have to install malware directly on it, which would probably require a third party with physical access.
Even if they gained control of the system and decrypted a patient's records, the opportunity to turn that data into a financial reward was slim.
This is the result of an industry culturally attuned to the harm done when sensitive information gets into the wrong hands. Organisations in every industry need to start thinking this way to make sure the new laws do not catch them out.
Large companies often have as many as 50 client-facing systems, many of which could be compromised, leaving lasting damage to the business's reputation with customers.
A chief information security officer with genuine C-level authority is needed to minimise the avenues for compromising those systems, identify where vulnerabilities remain, limit the damage that can be done and restore control as quickly as possible.
When a data breach occurs, the company has to provide the Privacy Commissioner and its affected customers with a description of the breach, the kinds of information involved and the actions recommended for individuals to protect themselves.
In many cases, compromised companies won’t be in a position to do this without the help of a forensic cybersecurity consultant to identify exactly what happened, to whom and, ideally, who did it.
Only then can the company's customers be realistically assured that it has done everything in its power to minimise the damage. There is one further step.
Providing identity theft protection, of the kind Equifax is offering, to affected customers for a year should become standard practice. It's my belief that it will.
It’s broadly understood the new regime will not be applied strictly in the beginning as the government doesn’t want to come down too hard on companies struggling to get their act together. But consumers might not be so forgiving.
Those leaders interested in developing the kind of capabilities seen in our healthcare system and avoiding the rising bills of Equifax should start getting ready now, or else risk losing customers to a competitor that will.
Itay Glick is chief executive of Votiro, an Israel-based global cybersecurity firm that is moving to Australia.