A US Senate report on an investigation into the monumental Equifax breach chastises the company for lax security, and proposes heading off similar incidents in the future – by making American companies punishable by law for mishandling personally identifiable information.

The 67-page report is replete with information on the 2017 incident, including that Equifax was aware it had cybersecurity deficiencies as early as 2015. One statement in the report, though, could serve to summarize the investigators' findings:

“Equifax was unable to detect attackers entering its networks because it failed to take the steps necessary to see incoming malicious traffic online.”

The Executive Summary is a few pages long, but it aggregates the key findings. Those curious to learn more can access the report here.

For those tired of reading stories covering the incident, an interesting proposal in the Senate’s report would create an American version of the E.U.’s General Data Protection Regulation. In short, the breach has convinced some lawmakers that America needs its own unified legal framework for protecting personally identifiable information of residents in all 50 states. Under Findings of Fact and Recommendations (page 11), the upper chamber of the legislature proposes the following:

“Congress should pass legislation that establishes a national uniform standard requiring private entities that collect and store PII to take reasonable and appropriate steps to prevent cyberattacks and data breaches. Several cybersecurity recommendations, including a widely known framework from NIST, already exist. However, the framework is not mandatory, and there is no federal law requiring private entities to take steps to protect PII.

Congress should pass legislation requiring private entities that suffer a data breach to notify affected consumers, law enforcement, and the appropriate federal regulatory agency without unreasonable delay. There is no national uniform standard requiring a private entity to notify affected individuals in the event of a data breach. All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring data breach notification laws. In the absence of a national standard, states have taken significantly different approaches to notification standards with different triggers for notifications and different timelines for notifying individuals whose information has been stolen or improperly disclosed.”

The report outlines some of this new law’s scope, such as forcing private entities to re-examine their data retention policies.

In related news, outspoken politician Elizabeth Warren last week proposed an amendment that would establish criminal liability for negligent executive officers of major corporations. The Corporate Executive Accountability Act seeks to fine and even imprison executives of companies that suffer data breaches or engage in scams. The act would apply to entities that turn over $1 billion or more annually.

Equifax’s blunder, revealed soon after the WannaCry and Petya ransomware pandemics that same year, has served as inspiration for legislators and corporations alike on a global scale. Two years after the incident, the repercussions are still palpable for the credit reporting agency, highlighting once again the importance of having the right tools and processes to keep hackers at bay.