Sep 6, 2018

After Equifax's mega-breach, nothing changed

Former Equifax CEO Richard Smith is grilled before the Senate Banking committee in 2017. Photo: Mark Wilson / Getty

The Equifax data breach was supposed to change everything about cybersecurity regulation on Capitol Hill. One year later, it's not clear it changed much of anything.

Why it matters: A year ago Friday, Equifax — one of the major credit reporting agencies — announced that 145.5 million U.S. adults had their social security numbers stolen in an easily preventable breach. If any data breach was going to be able to shock Washington into enacting sweeping privacy reforms, this should have been it.

But that didn't happen: "The initial interest that was implied by congressional actions didn't pan out," said Michelle Richardson, director of the Privacy and Data Project at the Center for Democracy and Technology (CDT).

What was supposed to happen: After the first of several hearings involving Equifax, Sen. Chuck Grassley (R-Iowa), chair of the Judiciary Committee, said it was "long past time" for federal standards for how companies like Equifax secure data.

  • Data security wasn't the only anticipated reform. Congress appeared poised to create a national breach notification law governing how and how quickly companies must notify anybody whose personal information is stolen in a breach. Currently, to the chagrin of national retailers, those laws vary state to state.
  • Several investigations were supposed to penalize the credit bureau for lax cybersecurity, including failing to patch the vulnerability hackers exploited despite government warnings.

What actually happened: The bills petered out.

What went wrong:

  • "A lot of issues fall through cracks in the early days of an administration, especially one with so much controversy," said CDT's Richardson.
  • Congress often has difficulty focusing on more than one cybersecurity-related topic at a time. Russia and election security are now in the spotlight.
  • "Regulation is tough in this political climate," said Tom Gann, chief public policy officer at McAfee.
  • The cybersecurity field averages one "this-changes-everything" event a year, none of which actually changes everything. A year before Equifax, there were attacks on the election. In 2015, China hit the Office of Personnel Management. In 2014, North Korea hit Sony.
  • "For people who think of themselves as privacy experts, they keep waiting for the straw that will break the camel's back," said Steven Weber, director of UC-Berkeley's Center for Long Term Cybersecurity. "The fact is these don't change the public's view."

Richardson is still optimistic about Equifax-type legislation in the new Congress. But Equifax's moment has passed: "When we take calls from the Hill, Cambridge Analytica is the incident that gets mentioned first."

Other jurisdictions: While federal laws didn't adapt to Equifax, state laws did. New York added strict cybersecurity controls for credit bureaus operating in the state.

  • As the Equifax ordeal unfolded, the European Union had a massive data privacy law ready to go in its General Data Protection Regulation. California soon responded with its own.
  • Ironically, pushback against California's rules might have more impact on national policy than Equifax did.

Even without legislation, Equifax did cause a spike in financial firms investing in cybersecurity, at least at McAfee, said Gann.

Correction: An earlier version of this story stated that the Consumer Financial Protection Bureau halted its investigation into Equifax, citing a report by Reuters. The CFPB disputed that report and said the investigation is ongoing.
