Consumer credit reporting agency Equifax agreed to pay at least $650 million and possibly hundreds of millions more in fines and other costs as part of a global settlement with the FTC, the CFPB, and 50 state and local attorneys general for failing to prevent the 2017 hack that left the personal information of 147 million people vulnerable to cyber criminals. The settlement, by far the largest of its kind, consists of $275 million in civil money penalties to the various federal and state agencies, and roughly $300 million to be placed in a fund to provide credit monitoring and cash compensation to affected individuals. The cost of the fund could balloon even further depending on how many individuals ultimately take advantage of it. In addition, Equifax will be required to spend $1 billion to improve its data security.

Under the Gramm-Leach-Bliley Act's Safeguards Rule, financial institutions are required to protect the security, confidentiality and integrity of customer information by developing a comprehensive written information security program that contains reasonable administrative, technical and physical safeguards. Section 5(a) of the FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce; regulators invoke it in the cybersecurity context when companies represent their data security policies and systems as adequate to protect customer data. According to the FTC, Equifax failed these standards by, among other things:

  • Failing for four months to adequately install a software patch intended to address the "Apache Struts" vulnerability about which it had been notified by the United States Computer Emergency Readiness Team ("US-CERT");
  • Relying on automated system vulnerability scans that were improperly configured and therefore failed to detect remaining instances of Apache Struts on its network;
  • Storing personal information and administrative credentials in plain (unencrypted) text, and failing to properly limit network administrative access rights;
  • Providing inadequate security training for its employees; and
  • Not remediating its substandard system security practices and failures despite being aware of them since at least 2014.

Commentary / Joseph V. Moreno

If compliance professionals in the FCPA, AML/CFT and OFAC sanctions contexts see a trend here, they are correct. The tenets of rolling out and maintaining a successful cybersecurity compliance program are much the same as in other regulatory fields: diligently developing and implementing your internal controls, making sure your compliance team is sufficiently resourced and trained, and monitoring and auditing your systems to ensure they are working properly. Equifax fell short in many ways, chief among them that it was on notice its cybersecurity program was deficient but failed to make remedying it a priority. It was an expensive mistake and one that, at least in the U.S. government's view, was entirely avoidable.
