Equifax is in hot water following a data breach that left the personal data of 143 million people vulnerable. The cyber attack has tarnished the organization’s reputation as a trusted credit bureau, raising concern from major regulating agencies. Nearly 40 states plus the US Congress are probing the company. The NYDFS is the latest to investigate the breach, following the FBI and Federal Trade Commission (FTC).
Equifax cyber attack a national privacy issue
A few days after Equifax’s announcement of the cyber attack on September 7, 12 members of the US Senate issued a letter complaining that Equifax executives violated insider-trading laws. The senators requested that the Securities and Exchange Commission, US Department of Justice, and FTC investigate.
When Equifax detected signs of a cyber attack on July 29, three executives sold $1.8 million worth of company stock. Chief Financial Officer John Gamble, US Information Solutions President Joseph Loughran, and Workforce Solutions President Rodolfo Ploder completed the transactions on August 1 and 2.
The filings were not listed as part of 10b5-1 scheduled trading plans, yet Equifax stated the executives had no knowledge of the breach. The week after Equifax’s public acknowledgement, share prices went down 35%. The US Department of Justice is on the case.
New York State actively enforcing its Cybersecurity Requirements
New York State Attorney General Eric Schneiderman launched a formal investigation, resulting in Equifax changing its website to explicitly state that consumers have the right to a class action lawsuit even after enrolling in its services.
On September 14, the NYDFS launched a review of Equifax, which is headquartered in Atlanta, for any violations of state laws or regulations. On September 18, Governor Cuomo issued a directive requiring any credit reporting agency operating in New York to register with the NYDFS. “The scope and scale of this cyberattack is unprecedented and DFS is prepared to take all actions necessary to protect New York’s consumers and financial markets,” said Financial Services Superintendent Maria T. Vullo in a press release.
The NYDFS has also issued guidelines for depository, non-depository, and insurance institutions to take precautionary measures to protect consumers. Schneiderman and Cuomo’s actions are aligned with the NYDFS Cybersecurity Requirements, which came into effect in 2017.
Information security a major concern
Equifax was also hit by hackers earlier this year, in March. Although the organization said that this breach and the later one are unrelated, one of the three sources cited by Bloomberg Technology reported that the same cyber criminals were responsible for both attacks. Two data breaches in one year at a major credit reporting organization raise serious concerns about how US companies handle consumer data.
To protect every individual’s privacy, it is important to comply with the NYDFS Cybersecurity Requirements. ISO 27001 can help because it details the requirements for implementing an all-encompassing information security management system (ISMS).