From Mark Sangster, VP and Industry Security Strategist, eSentire / Hedge Fund Insight staff
You’re likely already aware of the Equifax breach, which is said to have possibly affected the personal information of as many as 143 million people. Many are talking about the delay in the disclosure of the security breach, and more importantly, whether or not Equifax actually broke the law.
Cybersecurity company eSentire says that one thing being overlooked in many cases is that state breach notification rules would, in some circumstances, have required Equifax to report the incident to its clients within 24 hours, not weeks. And, because Equifax retains bigger clients in New York, those clients are governed by the DFS NYCRR rules, which dictate 72 hours for notice of a cybersecurity event to the superintendent, again not weeks. Did their clients receive notification within this timeframe?
Mark Sangster, VP and Industry Security Strategist at eSentire, says, “Given the nature of Equifax data and the magnitude of the breach, this is a watershed moment in breach detection and response. Many difficult questions will be asked and become the crux of numerous legal actions that will likely stem from this event. The most obvious is why it took so long to disclose the breach. The risk to consumers begins to drop exponentially as soon as the breach becomes public, and affected companies and consumers can take defensive measures to protect their financial identity and funds.
Yet, Equifax waited over a month to respond and provide breach notice. Headquartered in Atlanta, Equifax is bound by the state breach notification laws of Georgia, which require a firm to report a breach, stating, ‘The notice shall be made in the most expedient time possible and without unreasonable delay.’ In some circumstances, notification is to be made within 24 hours. Did Equifax meet this requirement and do everything in its power to protect those affected by the breach?
Moreover, other state laws might come into play. Major banks based in New York, which no doubt rely on Equifax for credit information, may have clients affected by this breach. New York has very stringent and proactive cyber regulations through the state Department of Financial Services. As such, these banks would have 72 hours from the determination of a cybersecurity event to provide notification. Did Equifax clients receive notification within this timeframe?
Many financial companies have much to lose, and numerous protection laws will be tested. And of course, through all the inevitable finger pointing, will be the consumers who have been affected by this breach and will struggle to find reasonable resolution through this highly complex, highly charged, game changing event.
For every action, there is an equal and opposite reaction. In this case, state and federal government will exploit the magnitude of this breach to tighten breach notification rules, or introduce new laws. Regulatory authorities are all watching this event, and will no doubt review their cybersecurity recommendations and obligations, and tighten industry scrutiny when it comes to breach notification time frames, and rigid definitions around security events and what constitutes a breach.
Hedge Fund implications
Alternative asset firms, already under SEC cyber scrutiny, will no doubt face further regulatory examination in the wake of such a breach of financial information, with a focus on investor notification of security events. Investor protection is not the same as widespread consumer protection, but hedge fund company management should be ready to respond to breaches of security by informing their clients. And, the shadow of the Department of Financial Services in New York may extend to cover hedge funds under the NYCRR cybersecurity rules and regulations.
Moreover, the resulting lawsuits, court findings, and potential fines will also feed actuarial data, making cyber insurance coverage more expensive and stipulated on contractual security requirements. For smaller firms, this increases the cost and complexity of offsetting risk through insurance.”
DFS NYCRR Section 500.17 Notices to Superintendent – http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
Section 500.17(a) Notice of Cybersecurity Event. Each Covered Entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that is either of the following…
Georgia State Breach Notification Laws – http://law.justia.com/codes/georgia/2010/title-10/chapter-1/article-34/10-1-912
O.C.G.A. § 10-1-912 (2010). Notification required upon breach of security regarding personal information:
(a) Any information broker or data collector that maintains computerized data that includes personal information of individuals shall give notice of any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this Code section, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
(b) Any person or business that maintains computerized data on behalf of an information broker or data collector that includes personal information of individuals that the person or business does not own shall notify the information broker or data collector of any breach of the security of the system within 24 hours following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Contact: Mark Sangster, VP and Industry Security Strategist – firstname.lastname@example.org