Equifax Lobbied For Easier Regulation Before Data Breach (wsj.com)
WSJ reports: Equifax was lobbying lawmakers and federal agencies to ease up on regulation of credit-reporting companies in the months before its massive data breach. Equifax spent at least $500,000 on lobbying Congress and federal regulators in the first half of 2017, according to its congressional lobbying-disclosure reports. Among the issues on which it lobbied was limiting the legal liability of credit-reporting companies. That issue is the subject of a bill that a panel of the House Financial Services Committee, which oversees the industry, discussed the same day Equifax disclosed the cyberattack that exposed personal financial data of as many as 143 million Americans. Equifax has also lobbied Congress and regulatory agencies on issues around "data security and breach notification" and "cybersecurity threat information sharing," according to its lobbying disclosures. The amount Equifax spent in the first half of this year appears to be in line with previous spending. In 2016 and 2015, the company's reports show it spent $1.1 million and $1.02 million, respectively, on lobbying activities. While the company had broadly similar lobbying issues in those years, the liability matter was new in 2017.
They knew (Score:5, Insightful)
They knew about the breach when they started lobbying for that. LONG before the poor schmucks were allowed to know about it.
Re: (Score:1)
It sure looks that way. They need to be made an example of by Congress, regardless of who they have in their pocket already.
Re:They knew (Score:5, Insightful)
The corporate death penalty, i.e. the loss of charter, needs to be a thing. The possibility of all the stock becoming worthless would be a great tool in getting corporations to actually follow the law.
However since we have a congress that is OWNED by corporations there isn't a way for it to happen.
Re: (Score:3)
Re: (Score:2)
Or more likely, that they get a lot more careful where they stick their retirement funds, and perhaps start demanding contractual obligations on fund managers to steer clear of criminal corporations.
Re: (Score:2)
They need to be treated like a black man at a traffic stop.
What, smile at them and engage in light conversation about weather? That doesn't seem appropriate at all!
Re: (Score:2)
They need to be made an example of by Congress,
That's always the wrong approach. It makes the mob of people feel good, even if they get the wrong person, but it doesn't cause any long-term change. What we need is a change in laws so this thing doesn't happen in the future. For one thing, they could have done a better job on security.
Re: (Score:2)
Re: (Score:2)
The only thing people like this care about is money. If they can take an illegal action that nets them $1 billion and, if caught, pay a $1 million fine, they'll do it. If they can, they might even do it first and use some of the money to paying off... I mean lobbying politicians to make the action legal (or, at least, hard to prosecute).
Something along the lines of an Equifax breach should mean that the executives in charge of the company are fined 10 years' worth of their compensation package (including, b
Re: (Score:2)
I would disagree with that. Nothing is going to change unless the crooks who are running that company are made examples out of. In person. In public.
You're the kind of person who crucifies the innocent in public, then goes on with your day feeling good, while the real crooks continue what they are doing. But at least you did something, right?
There's a reason vigilante justice is bad, and it's because of people like you.
Re: (Score:2)
please elaborate how the equifax c-suite is innocent?
Maybe they are, maybe they aren't: we have courts and processes for dealing with that, specifically created to avoid the problems of vigilantism.
Re: (Score:3)
They knew about the breach when they started lobbying for that.
How do we even know if this was a "breach" at all . . . ? Maybe some folks at Equifax were just following the Facebook and Google business model, and were just selling "information services" on the side . . . ?
Hey, the old, time-tested methods work best: You want something? Bribe or blackmail someone. It works all the time.
Re: (Score:2)
Maybe. But what we can claim with certainty is that the existing regulations did not help prevent the breach...
Re: (Score:3)
No. We can claim that they did not prevent the breach, but they may well have delayed it or made it more difficult.
That said, they clearly don't suffice. The executives and management should be held personally responsible for the time, effort, and financial damages that this breach caused to every single individual affected, including only those who had to spend time figuring out how to try to deal with it. At a reasonable hourly rate, say the average hourly rate of the corporation management (figured fr
Re: (Score:1)
We have no idea...
Not "clear" at all. When a tank's hull is breached by an enemy's shell, is it because the armor was too weak, or because it was too heavy for the tank to move faster? Which of the aspects should be improved — at the expense of the other?
Though I agree in this case, th
Re:They knew (Score:5, Insightful)
The executives and management should be held personally responsible
Though I agree in this case, this is a dangerous line of thinking — not entirely unlike blaming a rape victim for wearing too short a skirt...
This is the worst simile I have EVER seen on Slashdot. That's saying a lot.
The corporate CxOs are NOT the victim in this scenario. The corporate worshipers on /. and the Internet love to tell us that the executives deserve huge pay packets because they are responsible. However, in *every case* when something happens that hurts thousands of people, they always don't know what happened. Either executives hold responsibility and deserve what they are paid, or they don't know what is going on and they are overpaid. You can't have it both ways.
The CxOs were the beneficiaries of the malfeasance. Calling them a rape victim is idiotic.
Re: (Score:2)
The point I fully agreed — and continue to agree — with. In this case.
You've prevailed over a strawman you yourself erected. Congratulations.
What malfeasance? The only indication we have of them having done anything wrong so far is the fact that their database was stolen. You may
Re: (Score:1, Insightful)
Though I agree in this case, this is a dangerous line of thinking — not entirely unlike blaming a rape victim for wearing too short a skirt...
I think your analogy is a bit flawed. Let me expand...
EquiFax isn't the one wearing the short skirt. EquiFax is the pimp that forced their entire involuntary stable (those whose credit is checked) to wear short skirts so as to be more attractive to the johns (those doing credit checks). The rapists (hackers) are certainly in the wrong, but rape or no rape of the stable, the pimp is still in the wrong. The pimp forced the short skirts specifically to entice johns, not as a fashion choice. Remember - nobody i
Re: They knew (Score:1)
Re: (Score:2)
That may be reasonable ALSO. But many sysadmins don't have the right to control what they work on, so I can't be sure. It's definitely the case that the executives claimed responsibility while everything was (apparently) working well, and it appears that it was the executives who started selling their stock when the problem was detected. But even though the problem was detected, it wasn't fixed, so I suspect the sysadmins didn't have the right to fix it.
Of course, it might be quite reasonable to charge t
Re: (Score:1)
Re: (Score:2)
You are right that I should be less definite that they had advance knowledge and took criminal advantage of it. Possibly the trades were scheduled ahead of time. Possibly they can be shown to not have known. (Though I'd be dubious about that. Gossip spreads in ways that aren't officially recorded.)
However it was their *JOB* to know that things were being managed well. That's how they justify their fancy salaries. I'm not going to let them off the hook for this, unless I consider them criminally neglige
Re: (Score:2)
I didn't read the article - but was their request for deregulation regarding security standards or something else?
If it's something else then the request is irrelevant,
Re: (Score:2)
Really? This sounds like stuff I'd expect vested interests to be lobbying for all the time regardless of the breach.
Is there any reason to think a firm like this wouldn't want to be deregulated regardless of whether the breach happened or not?
I'm not sure these two things are related, I think they were lobbying because they lobby for this sort of stuff all the time anyway. Is there any reason to think that lobbying for reduced regulation isn't the norm in this particular area of financial services as oppose
Re: (Score:2)
The Summary wrote:
While the company had broadly similar lobbying issues in those years, the liability matter was new in 2017.
Re: (Score:2)
I doubt they knew about that specific breach that long ago (or that it happened that long ago), otherwise why announce it now?
It is more likely that they knew their security was a joke, and that they were very vulnerable and it was only a matter of time before something really bad happened.
The worst part is that they spend millions lobbying government to limit their breach liability when they could have been spending that money on some security folks to do an audit of their systems and fix their actual prob
Re: (Score:3, Insightful)
Actually, as a cost of doing business, it is always cheaper to pay for lawyers than just about anything else. Lawyers keep you out of Legal Danger (or at least are supposed to).
And until the Corporate board and the CxOs and the Shareholders are held accountable, nothing will actually change.
The only way to solve this problem is start charging the bigwigs at the top for criminal negligence of the corporate culture they foster. Followed by Corporate Death Penalty where the corporate charter is revoked. When shareholde
Re:Investment (Score:5, Insightful)
The constant whine about regulations when as a country we pretty much allow our large corporations to get away with anything is rather tiresome.
Re: (Score:1)
I was under the impression that a company (at least in the U.S.) had 90 days from the point where they learned of the data breach to notify affected persons. It may vary from state to state though, as I know several states have laws about this. Apparently, the breach started in late May, but Equifax didn't discover it until July.
So they are technically within that 90 days. (Assuming that I'm not pulling that impression from some poorly remembered article.) Some of the execs are still shady as hell for selli
Re: (Score:3)
cyberattack? (Score:4, Insightful)
Equifax disclosed the cyberattack
Welcome to the age of "cyber war", where every crap system connected to the internet can hide under the umbrella of an "attack" rather than face the consequences of a complete disregard for properly designed information security.
This will be proof that fewer regs are needed (Score:5, Insightful)
If only they could have been freed from the yoke of these onerous, confusing regulations, this never would have happened!
Re: (Score:3)
Re: (Score:2)
It's possible. What are their retention requirements? Do they have to be able to interface that data with other companies / government / people in a regulated determined time-frame?
Adding more laws is not always the best way and it's just a knee-jerk reaction. Did they already break any laws or regulation? It needs to be determined if the existing rules don't work because of how it's enforced before adding on top of those. There are already so many regulations regarding this industry that no newcomer w
Re: (Score:2)
Re: (Score:2)
No - just an example of adding laws on top of laws rather than just enforcing already existing ones.
Re: (Score:1)
>or to store it in a way that was predictable and insecure.
You're saying there was a piece of law or regulation that demands insecurity? I'd love to see you point to it.
Just think... (Score:5, Insightful)
Your data wouldn't have been given to criminals if they had invested that $500K in security.
how dumb can you get? (Score:1)
Your data wouldn't have been given to criminals if they had invested that $500K in security.
you are beyond-redemption-stupid if you think they would have spent money on security
Re: (Score:2)
Sorry, but they are the criminals. What they call a "breach", I would call a sale. Why should we believe this was an accident?
Re:Just think... (Score:5, Insightful)
>"Your data wouldn't have been given to criminals if they had invested that $500K in security."
Actually, according to the summary, they spent at least $2.6 MILLION dollars in just the last 2.75 years, alone. Imagine how much that money COULD have done if they had used it to hire a few good security engineers and made meaningful changes.
Re:Just think... (Score:5, Interesting)
You guys are looking at it the wrong way. You're looking at it as a victim, you should look at it as what it brought them.
With this one breach, that $2.6M is now completely wasted - in fact, it's even worse since it's now achieving the opposite effect - instead of trying to buy reduced scrutiny, their failure to spend on security is working against their campaigning. Even worse, it's brought government scrutiny on all the credit reporting agencies, with increased regulation likely the result.
By failing to spend on security, Equifax has basically made life in their industry much harder for everyone. Experian and TransUnion should be applying peer pressure for making it much more expensive to do business now, because any law that comes down, any scrutiny that happens, will apply equally to all three of them.
And financial institutions HATE government oversight. When "too big to fail" banks started having government oversight as required by their bailout packages, they couldn't get rid of it fast enough.
That's how you're supposed to frame it. Protecting your data? You're not worth that much to them. But ensuring their future is free of government oversight and extra regulation? That's something that does affect them directly and the cost of doing business
Re: (Score:2)
Awww you're so optimistic. Considering the stupidly short attention span of the average American, this will be long forgotten before any kind of law or regulation can even be written let alone brought up for a vote.
Re: (Score:2)
I think it's reasonable to assume that Equifax spent significantly more than that on security professional employees, more than that on security consultants and service providers, substantially more than that on security infrastructure, and probably around that much on audits for all of the above.
Re: (Score:3)
Well said.
Security will not be a historical subject until after serious litigation.
Sounds familiar (Score:5, Insightful)
I clearly remember the banks and Wall Street firms lobbying Bush and Congress not to implement any new regulations back in 2006. Their words were, more or less, any new regulations would kill their competitive nature on the world market. Trust us, we know what we're doing.
The following year we know what happened.
Now here we are again, with a very similar situation. Regulations are evil! Don't kill us with regulations, bro!
I can guarantee not a single executive at Equifax will go to jail or pay a fine. Further, every excuse imaginable will be given why requiring such breaches to be announced immediately should not be done.
In a few years, this will happen again and everyone will look around and ask, "How did this happen?"
Re: (Score:2)
The USA is mostly a bribocracy at the federal level, plain and simple. Both parties are culprits. If you don't kiss up to those who give campaign donations, you get less campaign money and lose elections. It's legalized political prostitution and Americans should be ashamed of such a system.
Re: (Score:3)
Until there is a general understanding that big business is not a noble pursuit, but a socially sanctioned form of criminal activity, we will continue to suffer this kind of crap. The basic assumption should be that corporations always become corrupt and that the law exists to root out that corruption.
There must be accountability for organizations and the people in charge of those organization
Hangin's too good for 'em (Score:5, Insightful)
Re: (Score:1)
If the govt. will not do it, I just hope they get sued into Chapter 7 liquidation. No more Equifax. It's the only solution that will result in real change.
Re: (Score:1)
regulation is always bad for business (Score:5, Insightful)
It's normally quite good for the public, though you couldn't convince them of that since they get their swill from big media.
Re:regulation is always bad for business (Score:5, Insightful)
It's normally good for the public until regulatory capture happens. Then it continues to be slightly less bad for the public...but often only slightly.
Regulators need to be forbidden to accept payments from the groups they regulate not only while in office, but also after leaving. And that includes jobs.
Bastards ... (Score:1)
These clowns want access to our data, with which broad reaching decisions about our lives will be made ... but they want to do it in such a way that they have no responsibilities or liabilities in the event they prove to be incompetent morons. Oh wait, they've just been proven to be incompetent morons.
Capitalism is inherently broken, because it assumes people aren't lying, greedy bastards; the problem is time and time again we see that isn't true. You can't have capitalism without regulation, because the
Re: Bastards ... (Score:1)
I have the same combination on my luggage! (Score:5, Interesting)
UtilitiesHandler.java
static final String masterKey = "EqUiFaX2468";
Not quite "1...1!...2....2!..." but it's pretty darn close.
To be fair, I couldn't tell if it's actually ever used in the mobile app. It seems like the kind of intentionally stupid/obvious password-but-not-really-a-password string you'd leave hanging around in a file on the network if you were tuning your DLP. (The full Zip code of the company is 30309-2468 so the "plus 4" is probably where the ending came from.)
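A defender-side check for the pattern quoted above, as an added example and not code from Equifax or from the poster: a small heuristic scanner that flags Java string constants whose identifier suggests credential material (key, password, token, etc.), while skipping values loaded from the environment or a config source. The sample source file and the identifier hints are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Identifier fragments that usually denote credential material (heuristic, constructed here).
SECRET_NAME_HINTS = ("key", "secret", "password", "passwd", "pwd", "token", "credential")

# Java field/variable declaration with a string-literal initializer, e.g.
#   static final String masterKey = "EqUiFaX2468";
DECL_RE = re.compile(
    r'^\s*(?:(?:public|private|protected|static|final)\s+)*String\s+'
    r'(?P<name>[A-Za-z_]\w*)\s*=\s*"(?P<value>[^"\\]*(?:\\.[^"\\]*)*)"\s*;'
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    name: str
    value: str


def _looks_like_secret_name(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SECRET_NAME_HINTS)


def find_hardcoded_secrets(java_source: str) -> list[Finding]:
    """Return string constants whose identifier suggests credential material.

    Only literal initializers are reported: values pulled from System.getenv(),
    a keystore or a config loader are not string literals and never match.
    Empty placeholders ("") are skipped because they are normally filled at runtime.
    """
    findings = []
    for line_no, line in enumerate(java_source.splitlines(), start=1):
        m = DECL_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if value and _looks_like_secret_name(name):
            findings.append(Finding(line_no, name, value))
    return findings


# Constructed sample file; the masterKey line mirrors the one quoted in the comment above.
SAMPLE_JAVA = """\
package com.example.app;

public class UtilitiesHandler {
    static final String appName = "Equifax";
    static final String masterKey = "EqUiFaX2468";
    private static final String apiToken = "";
    private static final String dbPassword = System.getenv("DB_PASSWORD");
    public static String baseUrl = "https://example.invalid/api";
}
"""

if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_JAVA):
        print(f"line {f.line_no}: {f.name} = {f.value!r}")
```

Run over the sample, only the masterKey line is reported; a real repository scan would feed each .java file's contents to find_hardcoded_secrets and treat any hit as a finding to rotate and move into a secrets manager.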
Re: (Score:3)
It's all a plot. Cause a massive leak and that forces everyone to freeze their credit reports. Charge $60 a pop to lock and unlock them. Bam, instant profit.
A side effect of everybody having your data (Score:1)
We should just accept that the more of your information is stored on servers, the higher the risk of it being harvested. Doesn't help that these companies withhold breaches for such a long time before even notifying anyone, including the people affected. I won't take much action now; it's too late to bail out a ship already sinking.
Re: (Score:2)
Re: (Score:3)
They said this data breach took place from May through July. How exactly does one miss terabytes, possibly petabytes, of data being transferred to an IP address outside of your network for 3 months? I mean, to me this sounds like either the hackers were godlike in their ability to hide what they were doing, or the people whose job it was to prevent these things from happening simply didn't give a shit.
Hiring people to monitor this stuff costs money, and why punish the shareholders with a cost center? This will all self-correct anyhow, amirite?
Well duh! (Score:4, Funny)
If there were no regulations, this would never have happened, and we would all enjoy perfect internet security.
Still Gonna Happen (Score:2)
Question on "Lobbying" (Score:2)
I notice that the amount of "lobbying" being reported in the media seems to be on the rise again, perhaps after a bit of a post-2008 lull.
However, it really isn't clear what is permitted as "legal" lobbying and what is considered "illegal"? Is this in-person requests for meetings to put forward a case? Is this industry-funded "research" offered up as candidate for government policy? Is this the offer of all-expenses-paid "junkets" to take l
Re: (Score:2)
Re: (Score:2)
A-holes! (Score:2)
So wait a minute (Score:2)
Re: (Score:2)
Re: (Score:2)