Welcome to Codebook, the cybersecurity newsletter looking for vacuum recommendations.
Today's Smart Brevity: 1,286 words, 5 minute read
Illustration: Aïda Amer/Axios
After Equifax agreed this week to a landmark settlement with state and federal regulators for its historic 2017 data breach, regulators are hoping that its penalties — which will cost Equifax up to $700 million — are big enough to deter the next firm from allowing the next breach.
Why it matters: There has never before been a breach like Equifax, where enough personal data was pilfered to steal the identity of the majority of U.S. adults. It's a milestone that consumers and regulators alike hope will happen only once.
By the numbers: The Equifax settlement includes $275 million in penalties to state and federal regulators and up to $425 million to provide protection and reimbursement to consumers harmed in the breach.
Details: The consumer fund — which starts at $300 million, with provision to go up to $425 million as needed — will provide identity theft protection insurance and pay for 4 years of credit monitoring at all 3 major credit bureaus along with an additional 6 years at Equifax.
But the fund also contains a unique feature that experts believe could become a new standard in future penalties for breaches. It will reimburse costs of dealing with the breach, like lawyers, out-of-pocket credit monitoring services and time spent wrangling with the whole ordeal, up to $20,000 per individual.
Stricter than Europe: Penalties under GDPR, Europe's privacy law, are usually portrayed as tougher than those in the U.S. While GDPR didn't take effect until after the Equifax breach, had Equifax spilled personal information on 147 million Europeans, the fine under GDPR would actually be smaller than what the U.S. just dished out.
The big question: Will this settlement's bite carry over to future breaches?
The intrigue: It's only a matter of luck that a federal agency was able to dole out a fine for a privacy violation. While the CFPB can penalize financial institutions, no federal agency has the authority to fine most other companies on this issue.
What they're saying: "I expect a good number of lawyers will be using this as a case study for their clients in the future," said Marcus Christian, an attorney in Mayer Brown's cybersecurity practice.
Photo: Buyenlarge/Contributor/Getty Images
Attorney General William Barr delivered a plea this week for tech companies to weaken encryption, allowing law enforcement to access digital communications that are, at present, unreadable by them.
But, but, but: An argument Barr made during his address at an FBI-run cybersecurity conference encapsulates one of the main problems with his position:
It’s wildly irresponsible to pretend that security can be reduced to a percentage. Hackers will focus on the insecure part. As WannaCry — malware that caused billions of dollars of damage globally — demonstrated, Windows systems that were .001% insecure effectively were 100% insecure.
The bottom line: Barr's percentages probably don't apply to the reality of the situation. And until law enforcement can argue for backdoors in encryption using an applicable assessment of risk, we'll still be at an impasse.
Go deeper: How to break the encryption deadlock
A few cybersecurity notes from Robert Mueller's testimony. I promise to be quick.
California Rep. Tom McClintock (R) attempted to confront Mueller with what appears to be a misinterpretation of ongoing proceedings against Russia's troll farm.
Google announced it would join the governing council of an emerging phishing prevention protocol on Wednesday, marking a huge step forward in its potential adoption.
The big picture: Brand Indicators for Message Identification, or BIMI, places a brand-specific logo on emails verified to be from a vendor.
Background: The protocol is new, but a key player in BIMI says adoption is growing quickly. Patrick Peterson, the founder and CEO of email security firm Agari, notes that BIMI adoption grew dramatically over the last quarter, from 180 companies onboard to 511.
"A story that’s not always told is there’s a lot of people fixing the internet," Peterson told Codebook.
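What "verified to be from a vendor" means in practice: a receiver looks up a BIMI TXT record at `default._bimi.<domain>` and shows the logo only if the domain also enforces DMARC. The checker below is an added example written for this newsletter, not code from Axios, Agari or Google; it assumes the record shapes from the BIMI and DMARC specs (a `v=BIMI1; l=<svg url>; a=<certificate url>` record, and a DMARC policy of quarantine or reject with pct=100), and the sample records are constructed, not real domains' DNS data.

```python
from urllib.parse import urlparse

# Constructed sample records (not real domains' DNS data).
SAMPLE_BIMI = "v=BIMI1; l=https://example.com/brand.svg; a=https://example.com/vmc.pem"
SAMPLE_DMARC_ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DNS TXT record into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(dmarc_record: str) -> bool:
    """BIMI applies only when DMARC is at quarantine/reject with pct=100 (the default)."""
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1":
        return False
    if tags.get("pct", "100") != "100":
        return False
    return tags.get("p") in ("quarantine", "reject")


def _https_url(value: str) -> bool:
    """Logo and certificate locations must be fetched over HTTPS."""
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.netloc)


def validate_bimi(bimi_record: str, dmarc_record: str) -> list:
    """Return the reasons a receiver would refuse to show the logo (empty list = OK)."""
    problems = []
    if not dmarc_enforcing(dmarc_record):
        problems.append("DMARC policy is not quarantine/reject, so the BIMI assertion is ignored")
    tags = parse_tags(bimi_record)
    if tags.get("v") != "BIMI1":
        problems.append("BIMI record must start with v=BIMI1")
    logo = tags.get("l")
    if logo is None:
        problems.append("BIMI record has no l= tag")
    elif logo == "":
        problems.append("domain declines to publish a logo (empty l=)")
    elif not _https_url(logo):
        problems.append("logo URL must be https")
    evidence = tags.get("a", "")
    if evidence and not _https_url(evidence):
        problems.append("certificate (a=) URL must be https")
    return problems


if __name__ == "__main__":
    for label, dmarc in (("enforcing", SAMPLE_DMARC_ENFORCING),
                         ("monitor-only", SAMPLE_DMARC_MONITOR_ONLY)):
        print(label, validate_bimi(SAMPLE_BIMI, dmarc) or "logo may be displayed")
```

The point of the DMARC gate is that the logo is only as trustworthy as the domain's spoofing protection: a domain still at `p=none` gets no logo, which is why BIMI adoption tends to pull companies toward DMARC enforcement.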
The NSA announced its Cybersecurity Directorate (WSJ): The defensive-minded Cybersecurity Directorate will be headed by Anne Neuberger and will be better integrated with signals intelligence than the division it replaces, the Information Assurance Directorate.
Harold Martin gets 9 years (DOJ): The former NSA contractor pleaded guilty to hoarding classified documents in his home for 20 years.
Huawei built North Korea's 3G network (Washington Post): Leaked documents show Huawei's covert involvement with North Korean 3G networks.
New tools watch: