What Hurricane Irma And The Equifax Hack Have In Common… And What To Learn From It

You cannot predict when (or where) the next data breach will occur, but you can prepare for it.

A swimming pool turned into a pond by Hurricane Irma (screencap via Weather.com)

Watching the development and track of the largest Atlantic hurricane to make landfall in the United States since 2004 has been eye-opening, to say the least. As Hurricane Irma developed into a Category 5 storm outside of the Caribbean Sea, it became clear that this major hurricane would bring devastation to areas of the Caribbean and likely make landfall in the Florida Keys and southern Florida.

With eyes on Hurricane Irma’s impending approach, however, news broke that Equifax suffered a massive data breach that exposed upwards of 143 million records. At first glance, a major hurricane and a massive data breach of a credit bureau are two very different events… but in reality, they exhibit a commonality that should give every company pause to evaluate the scope and impact of its data-protection policies.

Similar to Hurricane Irma, the Equifax breach is a major event. In addition to the breach of 143 million records (which would be substantial on its own), the fact that Equifax suffered the breach should make everyone shudder. Along with TransUnion and Experian, Equifax is one of the big three credit bureaus in the United States that capture and store the credit histories of most Americans. As such, Equifax regularly deals with highly personal information as part of its core function. It is axiomatic to think that Experian would employ some of the most stringent safeguards in the industry to protect such information in its possession. Although the mechanism for the breach is not yet completely clear, what is clear is that whatever processes were in place were not enough to stem either the breach or the scope of the breach. Moreover, the content of the records is equally troubling – Social Security numbers, birthdates, drivers’ license numbers as well as credit card numbers were exposed. This is not trivial – it is a treasure trove of information that can facilitate the identity theft of millions of people. Without question, this is a major hurricane of the data sort.

Furthermore, the impacts of both Hurricane Irma and the Equifax breach are (and will continue to be) far-reaching. After causing devastation on Barbuda, St. Martin and other islands in the Caribbean, Hurricane Irma hit the Florida Keys and, as of the time of this writing, is moving northward along the west coast of Florida, bringing 125+ mile per hour winds and devastating storm surge. Many people have already died in its wake, and unfortunately, more may die as the storm continues to travel up the west coast of Florida. The impact from the Equifax breach will not be unlike the devastation wrought by Hurricane Irma – the data taken is what cyber professionals would deem high value data with a “long shelf life.” Credit card data has a term limit on its value due to the fraud prevention policies in place at credit card companies; however, many data elements of the Equifax data breach (like Social Security numbers) do not expire or otherwise cannot be easily changed. Such data has a much higher value on the dark web as a result. Just like Hurricane Irma, the cleanup will take time, and the impact on the data subjects from the Experian breach will be felt for years to come.

Arguably the most important takeaway from these similarities is also the most troubling – just like Hurricane Irma, we can see the storm brewing and growing regarding data security… but we can’t prevent the storm from ever hitting us. This is a sobering fact. As quickly as software exploits are patched, new ones always seem to pop up. What’s worse, the social engineering component of cybersecurity (such as phishing emails and errant thumb drives being plugged into computers by curious finders) will always be a risk and a major weak link in any data security program.

That said, there is reason for hope. Just like with Hurricane Irma, we have fair warning of the risks presented by computer hackers and can take measures to prepare. In anticipation of the hurricane’s landfall, the State of Florida put its disaster preparedness plan into place – from organizing shelters to executing evacuation orders and coordinating with power companies to ready deployment teams to restore power, the State of Florida (along with counties, local communities and federal and state disaster officials, to name a few) executed a plan developed over years of effort designed to save lives. This plan works at many levels to not only respond to such storms, but help minimize potential damage long before a storm ever hits, such as revised building codes to handle additional wind loads and coastal zoning restrictions. A data security plan is no different – it requires planning, preparation and testing to ensure that the inevitable data breach can be minimized and contained, using many layers of protection and revising those elements to adjust to the threat.

With today’s technology, we are getting advance warning of major hurricanes and their tracks that is nothing less than amazing. Having days of warning for communities in the path of hurricanes is making an incredible difference… and data security professionals need to take note. You cannot predict when (or where) the next data breach will occur, but you can prepare for the inevitable breach to stem the impact and minimize the damage. Knowing that a data “hurricane” will hit someday should be enough to get anyone’s attention to plan accordingly. Don’t get caught in the storm surge by ignoring the warning signs… sometimes, a plan can make all the difference.


Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.
