A data breach is *expensive*

Equifax has dominated the news with its recent data breach. Equifax is, after all, one of the three credit bureaus in the United States.

The data of 143 million consumers has been compromised (the breach was first found on July 29th and announced 6 weeks later), and the fallout is going to be staggering given the exposure of Social Security numbers, driver's license numbers, etc.

“This unprecedented data breach could impact tens of millions of Americans and raises serious questions about the security of our personal information online,” said Rep. Greg Walden (R-Ore.), chairman of the House Energy and Commerce Committee.

What does the fallout for Equifax look like?

  • Equifax’s stock has fallen more than 20 percent, and the shareholders have lost a colossal $4 billion in market cap (as of 9/13/2017).
  • About 20 class action lawsuits have been filed.
  • Equifax is now in the cross-hairs of Congress and the attorney general.
  • The Consumer Financial Protection Bureau is investigating
  • Watch this space .....

Immediate Impact to Corporate America

  • They will need to have security protocols and best practices in place, including a Security Breach Readiness Plan book.
  • They will need a security playbook to ensure that regular maintenance updates are applied. (The breach occurred due to an unpatched version of the open-source Struts web application framework.)
  • Real-time monitoring of data, with critical alerts, needs to be in place. How can millions of records being accessed and moved go unnoticed?
  • Experian and TransUnion are likely scrambling to hire the best data security experts that exist on planet earth. So will many others.
  • The Fair Credit Reporting Act is 40+ years old, and updating it is imperative and imminent. That will help bolster policies via mandates.

Ramifications in Europe ... much more severe

But this news is creating a huge sense of urgency for European companies with the looming GDPR. What is GDPR? May 25, 2018 is the date when the General Data Protection Regulation (GDPR), proposed by the European Commission, will strengthen and unify data protection for individuals within the European Union (EU), while also addressing the export of personal data outside the EU. In simple terms, GDPR will give citizens and residents back control over their personal data.

Companies in the business of storing, processing or transmitting the personal data of EU citizens will need to have protocols and processes in place for potential breaches in order to comply with GDPR requirements. Non-compliance could lead to an administrative fine of up to 10 million euros or up to two percent of total worldwide annual turnover.

How about the United States?

  • The United States has no federal law that provides a notification mandate.
  • Neither the United States government nor any agency is authorized to assess the data protection policies and protocols in place at the 3 credit bureaus.
  • There are some state laws, but they vary from state to state. California has tough notification laws in place.

Yes, policies are imminent in America

Given the size of this particular breach, it is just a matter of time before the US has GDPR-type laws in place. Which congressman is going to initiate this one? Will the national law be less stringent than the ones that exist in California? If a federal policy is implemented, it should allow stronger state laws to prevail.

Equifax has promised a credit freeze and one year of free credit monitoring. That may be OK for now, but once the policies are in place, it may not be good enough.

Consumers will have to stay vigilant for identity theft: the potential for a data breach is real, and the impact even more so. No American wants their quality of life affected by dealing with identity theft. More consumers will lock up their credit files.

Corporate America needs to act now

Corporate America, this is the time to roll up your sleeves, protect your data, shut down old archaic systems that are no longer in use, move your data to data platforms that have a robust governance model, and, more importantly, establish security protocols and Data Breach Readiness plans.

The time to act is *now* ... not tomorrow

Old Jungle Saying: Who owns the Data will rule the world

New Jungle Saying: Who protects the data will rock and rule!
