Rippleshot Blog

This week’s data breach news covers two massive data breaches that have garnered attention on a national and international scale: Equifax and Marriott.

The Equifax breach, believed to have impacted 148 million U.S. consumers, has made headlines since it was discovered in September of 2017. The latest report related to the incident comes from a 14-month congressional investigation that suggests that Equifax could have prevented the breach had they followed proper security measures.

“Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the staff majority report said. “As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.”

Equifax’s network allowed hackers to gain access to company data for 76 days, according to the House report. Lawmakers are still calling on Equifax to pay to make up for what’s been called a lack of preventative measures to stop the breach from occurring, including a breakdown in recommended security protocols.

The true weight from the massive Equifax data breach that’s believed to have impacted roughly 148 million Americans is going to be felt for years to come. One year later, there seems to plenty of questions as to how the company dealt with the aftermath, and what it is doing to prevent a breach of such magnitude from occurring again.

The Equifax breach has dominated headlines in the fraud ecosystem not just because of the total number of exposed records, but also because of the scope of what those records entailed. The nature of the sensitive details — including SSNs, credit card details and tax IDs — are what placed the incident on the list of worst corporate data breaches in the U.S.

So what’s happened in the year following Equifax’s discovery of the breach? Besides a lot of public criticism, and new leadership, there’s been a series of congressional hearings and investigations that have left the credit reporting agency in the hot seat since the incident was first reported.

The aftermath of headline-grabbing data breaches at deep-pocketed retailers is almost always characterized by litigants of all sizes lining up to seek reparation for their legal injuries. These litigants can come in the form of disgruntled financial institutions, who demand compensation for breach-related expenses, or unhappy consumers who have suffered from theft of personal/ financial information and unauthorized charges on their accounts. Although consumer class-action lawsuits are a dime a dozen, they typically do not fare well in court, as courts generally conclude that their losses are covered in full by banks. On the other hand, financial institutions have a much easier time proving the costs associated with data breaches, such as card reissuance and reimbursement on fraudulent transactions. Follow along as we discuss the most recent data breach lawsuits including Target, Home Depot, and Wendy’s, and their effect on consumers, financial institutions, and retailers.

The landscape of fraud between 2015 to 2016 is best characterized as uncertain and dynamic. As government institutions such as the CFPB and FFIEC begin to play a bigger role in cybersecurity regulation, it has yet to be seen what data security protocols will be required of financial institutions. Also, pending legislation in Congress surrounding data security has the potential to determine federal standards of information security for merchants. Finally, with back-and-forth lawsuits between retailers, payment card networks, and issuers over disputes regarding EMV compliance and liability shift, nobody is exactly sure who will come out on top.

At Rippleshot, we understand how difficult it can be to juggle so many moving parts and develop actionable insights from them. That’s why we created a timeline for you to get up to speed on recent developments in card fraud and payments security.

A fiery debate has resurfaced between financial institutions, merchants, and consumer groups regarding the Data Security Act of 2015. The bipartisan bill introduced to Congress as H.R. 2205 by Representatives Randy Neugebauer and John Carney on May 1st, 2015 explicitly states two purposes: “to establish strong and uniform national data security and breach notification standards for electronic data” and “to expressly preempt any related State laws in order to provide the Federal Trade commission with authority to enforce such standards for entities covered under this Act.”

On February 12th, a day before the White House held a cybersecurity summit at Stanford University, President Obama signed an Executive Order to “encourage and promote sharing of cybersecurity threat information within the private sector and between the private sector and government.”

A couple weeks ago, we covered the initial hearing held by the House Subcommittee on Commerce, Manufacturing, and Trade entitled “What are the Elements of Sound Data Breach Legislation?” The Senate is pursuing a similar path and plan to propose their own version of data breach notification legislation, which started with a hearing on February 5th initiated by the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security.

In the first step toward federal data breach legislation, the House Subcommittee on Commerce, Manufacturing, and Trade held a hearing on Tuesday entitled “What are the Elements of Sound Data Breach Legislation?” Testimony was heard by CompTIA, Acxiom, The Retail Industry Leaders Association and the Cumberland School of Law in the first of what we can assume will be many steps to drive toward a single national breach notification requirement.

During a speech at the Federal Trade Commission on Monday, President Obama outlined his plans on attacking several cybersecurity issues, including a legislative proposal to help protect the millions of Americans whose personal information has been compromised as a result of a data breach.