The NAFCU Journal January - February 2018 - 56

COMPLIANCE CENTRAL

On Equifax: A Case Study
in Failure to Manage Risk
By Elizabeth M. Young LaBerge

Last March, a vulnerability was identified in an open-source web application framework called Apache Struts. Its Common Vulnerability Scoring System (CVSS) rating assessed the flaw as having a high impact on data confidentiality and integrity, low attack complexity, and no access privileges required to exploit it. By March 8, a patch for that vulnerability was available. On the same day, the Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) notified Equifax and other critical organizations of the immediate need to patch the vulnerability.
On Oct. 3, while testifying about the 2017
data breach before the House Energy and
Commerce Committee, former Equifax
CEO Richard Smith claimed that an
internal notification advised Equifax IT
personnel to install the patch on the following day, March 9. He stated that "the
human error was that the individual who's
responsible for communicating in the
organization to apply the patch did not."
Smith also testified that Equifax's fail-safe,
a vulnerability scan, was run on March 15,
but that "both the human deployment of
the patch and the scanning deployment
did not work."
Equifax has continued to take the position that these failures were unfortunate but also somehow understandable as a function of bad luck - that ultimately, Equifax is the victim of bad actors - and that forcing Equifax to accept blame for the breach ignores the serious crime committed by those who breached its system. Oprah Winfrey once said, "Luck is a matter of preparation meeting opportunity." The Equifax situation, then, shows that bad luck is a matter of lack of preparation creating an opportunity.
As a financial institution under the
definition of the Gramm-Leach-Bliley
Act (GLBA), Equifax had a duty to
protect consumers' information against
unauthorized access under the GLBA's
Safeguards Rule. The FTC's implementing regulations for this rule are
bare-bones. However, they do require
Equifax to establish a comprehensive
information security program that
contains technical safeguards appropriate to its size and complexity that will
protect against any anticipated threats
to the security and integrity of consumer information.
However, unlike credit unions and other
financial institutions, Equifax was not
examined for compliance with these
requirements. The CFPB had authority to examine Equifax for regulatory
compliance; however, the FTC was in the
position to determine whether Equifax's security measures were appropriate. Unlike credit unions, which have
thoroughly set-out expectations for
security standards through the FFIEC's
IT Examination Handbooks ("the
Handbooks"), Equifax was left to its own
devices. Unlike credit unions and other
depository institutions, Equifax has little
to no market incentive to make consumers comfortable with how it secures their
information. Equifax's unique position in the financial ecosystem means it may be difficult or impossible to connect losses resulting from the breach to the breach itself.
NAFCU is asking Congress to close this
examination gap and ensure that, at a
minimum, the credit reporting bureaus
are held to the same standards as other
financial institutions. Given the market
incentives that exist for other financial
institutions but not the credit reporting
bureaus, and the bureaus' unique position
in the financial system, it may be appropriate for their standards to be even more
stringent. For example, NAFCU believes
the bureaus should have a duty to report
a breach of account information to the
financial institution holding the account.
NAFCU is also asking the FTC, the
CFPB and the NCUA to cooperate in the
investigation of the breach and to share
information with credit unions as soon
as possible. Finally, NAFCU is asking
Congress to make Equifax foot the bill
for its own negligence rather than sit back
and let credit unions and their members
bear the cost.
Equifax's failure was both spectacular and appalling, but it is also a reminder to all credit unions of their own obligations under the GLBA's Safeguards Rule. Part 748 of the NCUA
Rules and Regulations requires each
federally-insured credit union's board
of directors, or an appropriate committee of the board, to approve the credit
union's written information security
policy and program and to oversee
the development, implementation
and maintenance of that program to