The Equifax breach has been a regular news item since it was announced earlier this month, not just because of the size of the breach, but because of the sensitive nature and extent of the personal data that was compromised. IT professionals have as much to learn from the Equifax hack as privacy officers and those in a public relations/communications role within organizations.
Open Source Software (OSS)
Recent reports identified Apache Struts 2, an open-source web application framework, as the source of the vulnerability that led to the Equifax breach. The vulnerability in the software was discovered in March and a patch was made available soon after (see the United States Computer Readiness Team announcement of the patch). The fact that Equifax didn’t act sooner to install the patch is extremely troubling and reinforces the need for OSS users to be extremely diligent about open-source management and to ensure that security policies and procedures are enforced. As the Apache Software Foundation advised in its September 9th statement in light of the Equifax breach, businesses using any OSS should “understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting [the] products and versions.”
In a 2015 study, Gartner predicted that by 2016, 99% of Global 2000 companies would use OSS in mission-critical software. OSS offers a number of advantages. It is flexible, low cost and transparent. It can lead to better performance and security since an entire community is able to contribute to the software’s development and interoperability. Today, many large technology companies not only use but also actively contribute to open-source projects.
Service Provider Risk Management
Many companies obtain the software that runs their core operations from third parties. Those third parties are likely using OSS, but unless disclosure is specifically demanded, the vendor is unlikely to offer that information. Organizations cannot afford to be lax when it comes to extending security policies to their vendors. Before onboarding a software vendor, the vendor should provide a list of all OSS, including the version in use. If the customer discovers a vulnerable or unsupported version is listed, the vendor should be held accountable to remediate.
Keep in mind that not all patches are a simple download and reboot. As in the case of Apache Struts 2, patches can be labor intensive, requiring web applications to be rebuilt with an updated version of the code. Before Equifax, many vendors would argue that their use of vulnerable or unsupported OSS, and/or their failure to install a patch in a timely manner, was a reasonable operational risk. Now that the issue is under the microscope of regulators, such practices by vendors, and the failure of their clients to be aware of vendor OSS usage and monitoring, are unlikely to continue to be considered reasonable.
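As an added illustration of the inventory-and-advisory tracking recommended above (example code written for this post, not from Equifax, the Apache Software Foundation or any vendor), the script below parses a vendor-supplied OSS inventory and flags each component whose version falls inside an advisory's affected range or below an agreed support floor. The inventory format, the advisory identifier and the version ranges are constructed sample values; real ranges come from the project's own security announcement.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    """One security announcement (constructed format, not a real advisory feed)."""
    advisory_id: str      # placeholder identifier, not a real CVE number
    component: str
    affected: list        # (lowest, highest) inclusive version ranges that are vulnerable
    fixed_in: list        # versions that carry the patch

def parse_version(v):
    """'2.3.31' -> (2, 3, 31, 0); pad so 2.5.10 and 2.5.10.1 compare sanely."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def parse_inventory(text):
    """Parse 'component==version' lines of a vendor-supplied inventory; skip blanks and comments."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, version = line.partition("==")
            items.append((name.strip(), version.strip()))
    return items

def is_affected(version, adv):
    """True when the version falls inside any affected range of the advisory."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in adv.affected)

def check_inventory(text, advisories, supported_min):
    """Return (component, version, finding) for every vulnerable or unsupported entry."""
    findings = []
    for name, version in parse_inventory(text):
        if name in supported_min and parse_version(version) < parse_version(supported_min[name]):
            findings.append((name, version, "UNSUPPORTED"))
        for adv in advisories:
            if adv.component == name and is_affected(version, adv):
                findings.append((name, version, adv.advisory_id))
    return findings

# Constructed sample data: a vendor's inventory, one advisory, and end-of-life thresholds.
SAMPLE_INVENTORY = "# component==version\nstruts2-core==2.3.20\ncommons-fileupload==1.3.3\nlog4j==1.2.17\n"
SAMPLE_ADVISORIES = [Advisory("ADV-PLACEHOLDER-001", "struts2-core",
                              [("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")], ["2.3.32", "2.5.10.1"])]
SUPPORTED_MIN = {"log4j": "2.0.0"}  # anything below this floor is treated as unsupported

if __name__ == "__main__":
    for name, version, finding in check_inventory(SAMPLE_INVENTORY, SAMPLE_ADVISORIES, SUPPORTED_MIN):
        print(f"{name} {version}: {finding}")
```

Each finding is something to raise with the vendor: an advisory id means the patched version in `fixed_in` is the remediation target, and `UNSUPPORTED` means the component is past the support floor agreed at onboarding.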
We can also expect cybersecurity insurers to pay close attention to how their policy restrictions are set out. Organizations are ultimately accountable for their customer data, and it will be increasingly difficult to transfer risk to an insurance provider if specific timelines have not been met to address software vulnerabilities. Organizations will want to seek specifics on those rules to ensure carve-outs for their coverage are known and avoided.
Equifax Canada Response
The Equifax cybersecurity incident was announced on September 7, 2017, and after much criticism about leaving Canadians in the dark, the company published last week that approximately 100,000 Canadian citizens have been impacted. Names, addresses, Social Insurance Numbers, and in some cases, credit card numbers, were compromised in the breach.
As outlined in PRIVATECH’s last blog post, the Office of the Privacy Commissioner of Canada (OPCC) asked Equifax Canada to put a priority on informing Canadians of how the devastating data breach experienced by its parent company affects them. Finally, Canadians have some information – consumers are directed to a page entitled ‘Cybersecurity Incident & Important Consumer Information’ from the Equifax Canada homepage.
Breach notification and reporting in Canada
Draft Breach of Security Safeguards Regulations, published by the Federal Government on September 2, 2017, will soon make breach reports to the OPCC and notice to affected individuals legal requirements. Had they already been law, would Equifax Canada have passed the tests?
The company didn’t actually file a report of the breach with the OPCC. In fact, Equifax Canada was approached by the Commissioner’s office, which was probing into whether Canadians were affected by the widely publicized data leak. Organizations that fail to report to the OPCC a data breach that poses a real risk of significant harm will soon face potential fines under PIPEDA.
As for individual notification, the content of the Equifax Canada website notice for the most part covers the topics expected by section 3 of the draft regulations; however, there is no mention of the right to file a complaint with the OPCC (s.3(g)). This is a provision that we may not see in the final regulations, however, based on stakeholder feedback that it is unnecessary and not a standard statement in breach notices.
The draft regulations assume that organizations will decide whether to directly or indirectly notify individuals of a breach, with indirect notification being appropriate only if the cost of direct notification is prohibitive or the organization doesn’t have up-to-date contact information of affected individuals.
The Equifax Canada notice states that the company “will be proactively contacting impacted customers by mail outlining the steps they should take. For impacted Canadians we will also be providing complimentary credit monitoring and identity theft protection for 12 months.” The approach used by the company (indirect notification followed by direct notification) is one that makes sense given the public pressure and negative reputational costs Equifax Canada has encountered over the past several weeks. The goal is to provide as much information as is known as quickly as possible through a public announcement, and then, in consultation with the OPCC, send out individual notices to affected individuals. Proactive or not, direct notification is expected by the new regulations in a context such as the Equifax breach, and individual letters should have been scheduled for release much earlier.
The Equifax breach provides a good example of how important it is for organizations to diligently think through and test their breach response plans in Canada. For more information on compliance with Canada’s new regulations and key breach response resources and templates, enroll in an upcoming PRIVATECH webinar!