Make CEOs and Boards Accountable for Breaches
Nearly two months after Equifax revealed perhaps the worst breach of consumer data to date, more revelations of incompetence emerge, and yet the only ones who pay the price are the customers. Unfortunately, in the case of Equifax, almost everyone could be a customer by virtue of having a Social Security number, a driver's license or a credit report.
In addition to the potential that records of up to 143 million Americans were exposed, it was recently reported that intruders accessed 15 million U.K. records, impacting nearly 700,000 consumers in that country. Anyone sustaining losses stemming from this breach could find it difficult to seek compensation from Equifax, given the fine print that indemnifies the company from such liability, which is why several state attorneys general, the U.S. Department of Justice and the FBI are investigating whether any laws were broken.
While CIO Dave Webb and CSO Susan Mauldin were gone from the company within a week of the Equifax disclosure (bit.ly/2yEjB2D), perhaps the most galling consequence was that CEO Richard Smith "retired" with a $90 million golden parachute two weeks after the tech execs fell on their swords.
Signs of trouble trace back to March 8, when Cisco warned of a security flaw in Apache Struts that was already "being actively exploited." Equifax discovered the intrusion, which had been ongoing since May, on July 29, yet waited more than a month to publicly disclose it.
As Equifax continues to face criticism for its public response to the attack, those responsible are willfully negligent. Perhaps if such negligence became a criminal offense, IT organizations would get the support they need to keep their systems secure. Maybe even routine patching would become universal.
Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.