Last week, Congress held four hearings to investigate the Equifax data breach, which jeopardized the highly sensitive data of 145 millions Americans. The exposed consumer information includes social security numbers, prior addresses, student loans, credit card numbers, and other pieces of private data compiled into credit reports that determine if a consumer qualifies for employment, loans, or new lines of credit. For days, members of Congress questioned former Equifax CEO Richard Smith as to how the breach could have occurred and what steps the company was taking to protect consumers. Mr. Smith resigned in September after the extent of the breach was fully disclosed. During the hearings, he offered little in terms of solutions on how to protect consumers going forward, but his answers revealed significant problems with our current data security regime that Congress must address.
Last week, Public Knowledge and the Organization of American States (OAS) organized a joint roundtable on “Cybersecurity and Civil Society in the Americas,” which took place at the OAS headquarters in Washington, D.C. Thanks to the support of Open Society Foundations, the roundtable included civil society organizations from all over the Americans: Derechos Digitales, Instituto Brasileiro de Defesa do Consumidor (IDEC), ADC Asociación por los Derechos Civiles (ADC), Centro de Estudios Legales y Sociales (CELS), Karisma, TEDIC, Red en Defensa de los Derechos Digitales (R3D), CodingRights, InternetLab, Datos Protegidos, Ipandetec, Hiperderecho, Access Now, New America, and more. It also included the active participation of high-ranking members of the Canadian, American, Colombian, and Guatemalan governments, the Brazilian Armed Forces, and private organizations.
This past week, Congress demanded answers from former Equifax CEO Richard Smith about what, exactly, went so terribly wrong in his company’s handling of its massive data breach this summer, and to ask how to keep something like this from happening again. Over the course of four hearings in both the Senate and the House, it became clear that the list of "wrongs" is lengthy. But one of the most damning revelations emerged in the aftermath of the breach in the company’s attempts to mitigate harm post-breach. To be clear, we’re not talking about mitigating consumer harm - we’re talking about Equifax protecting itself from accountability through the use of forced arbitration.
Today, the Information Sharing and Analysis Organization (ISAO) Standards Organization published “SP 4000: Protecting Consumer Privacy in Cybersecurity Information Sharing.” The publication is a set of best practices that organizations of all kinds should take to protect consumer privacy when they share cybersecurity information.
Recently, Reps. Anna Eshoo (D-CA) and Susan Brooks (R-IN) introduced the “Promoting Good Cyber Hygiene Act of 2017.” The bill tasks the National Institute of Standards and Technology to work with the Federal Trade Commission and Department of Homeland Security to develop a list of voluntary cybersecurity best practices for both the federal government and private sector. Sens. Orrin Hatch (R-UT) and Ed Markey (D-MA) introduced the same bill this week.