Why haven't product liability laws caught up with information services? The Equifax breach here was caused by, at the very least, reckless negligence in that they failed to patch a published vulnerability for MONTHS after it was disclosed.
Now I'm not talking about the BS class actions you get where the class gets nothing (except for the named plaintiffs who, for some reason, make out like bandits) and the lawyers make a ton of money.
What I'm talking about is having the same expectations, requirements and civil and criminal punishments that product liability would have with a physical product, at least when it comes to willful negligence of this sort.
The VW emissions scandal (rightly) is resulting in criminal prosecutions for fraud.
But the makers of routers, IoT light bulbs and the like seem to suffer no consequences for (and thus have no incentive to improve) the security of their products.
I just don't get it.
Why do lawyers get so much? In the above hypothetical scenario,
- No plaintiff is going to be adequately motivated to sue, so the lawyer has to have incentive.
- No plaintiff has an incentive to pay a lawyer, so he or she has to operate on a contingency basis. This is a significant risk.
- Finding and organizing a large number of plaintiffs (some percent of 10 million), and suing a large corporation, is an expensive process.
- The cost of the suit is incurred before the payoff, which may be years later given the appeal process.
I agree that class actions are often inappropriately used, but that lawyers make much more than the individual plaintiffs is not a priori a bad thing.
In most (all?) other developed nations it is the role of the executive branch of the elected government to regulate and punish businesses so as to prevent diffuse harms. This business with the civil justice system being distorted to create self-appointed, profit-seeking, ad hoc regulators is not the only way to skin the cat.
There are so many people who are at least partly to blame when something like this happens. Bob the engineering manager who committed a quick but insecure fix years ago, Shirley the intern who didn't know what she was doing, Joe the manager who hired Bob and Shirley in the first place, Mike the manager at the company supplying third party software that ends up being exploited, etc.
The worst outcome is that companies outsource all their IT security and therefore responsibility to companies that disappear as soon as there is a problem. But if we rush too quickly to impose criminal sanctions, that will be the likely outcome.
The better solution is to work this one out as a society. Stop relying on things like SSNs and maiden name as "security", and stop building enormous silos of unnecessary data.
You present a fallacy. No, a rational company with accountability for its data doesn't outsource their IT security or let the intern access production. They take their job seriously and prevent something like this from happening by building security into their architecture.
I have worked for companies that recognize they are liable for protecting the data they hold, and that it only takes one breach for trust to be destroyed. We spent countless hours hardening, compartmentalizing, and monitoring our infrastructure. The nihilistic implication that nothing can be done is maddening.
Unacceptable. Software development needs to be treated as engineering. We need to finally rid ourselves of the concept of "quick and dirty". If that means all the people who live off of that style of development leave the industry, fantastic! It would be great if every manager who told his devs "I don't need it to be perfect, it just needs to kind of function and be ready by EOB today" could end up financially liable.
> Shirley the intern who didn't know what she was doing
What was she doing working on a production system unsupervised? A plumber-in-training may get to work with the pipes on his own a bit but you can be sure the certified plumber will inspect everything before signing off.
The IT industry needs a shakeup and if it takes something like this to accomplish it, good.
In the 18th and 19th century, Britain transported many petty criminals to penal colonies in Australia. Putting aside the brutality of that policy, there was at least some concern over the number of deaths on the voyage. After other attempts failed, one simple policy brought about considerable improvement: shipowners were paid by the number of live transportees arriving. They complained mightily that it would not work, but it did.
Frankly, your post looks like a self-serving defense of business-as-usual mediocrity in IT.
> The better solution is to work this one out as a society. Stop relying on things like SSNs and maiden name as "security", and stop building enormous silos of unnecessary data.
This doesn't stop aggregators from forming; the data has value, so someone will collect and sell it.
I'd also much rather have government under-react than over-react. (The former has a lot more flexibility)
EDIT: Fixed words
At the very least, I hope this will cause lenders and credit reporters to take data security very seriously.
I fear that the simple answer is because we no longer live in a country (or political climate, if you prefer something more optimistic) where regulatory and legal structures like product liability are thought of being the role of government. The neoliberal response to this is "the market will punish Equifax and other, more responsible competitors will take their place or force them to change their ways." The very concept of human beings exerting political will to make a company do something is almost unfathomable these days.
My credit score was 800 and I had a mortgage for $409,000 I put $80,000 down in cash.
I never missed a payment and was never late.
I went to pay my mortgage and the website looked the same, but the payment button was removed.
I called and was told that my mortgage was sold and that I'll get a welcome packet in the mail explaining to whom I should pay my mortgage...
It never came.
I called daily for months.
Finally I got something in the mail. A foreclosure notice for not paying my mortgage...
I got in touch with them and they told me "don't do anything, Obama's going to fix this" (literally that's what they said)
Then I got another notice.
Then they said they would refi me... then they said I made "too much money to qualify for a refi," and that I needed to pay $52,000 right then to not get foreclosed.
I got foreclosed upon. They came one day and changed the locks when I was at work.
I contacted the person who left a sticker on my door and told him I would come to his house and shoot him in the face if he didn't come open my house within two hours.
He showed up.
I filed suit, class action, and I won.
I won $1,008.00
My credit is ruined
I get the feeling you're not telling us the whole story because if you did this you're a) stupid and b) would have gone to jail.
When was this? Did they sell your house or do you still have it?
It's not supposed to make sense. This is how Corporate America works these days (or more precisely, since the late 80s).
He (the CEO) is gracefully landing on his retirement pad in his Golden Parachute of at least 18 MILLION, and there's no mention of any of this in most mainstream media stories. The Senate is also preparing to grant Equifax immunity from consumer lawsuits.
> Disgraced Equifax CEO Richard Smith runs for the hills – toting $18 million in retirement benefits – with 143 million consumers still left in the lurch.
Source: => https://www.commondreams.org/newswire/2017/09/26/not-another...
[edit1] The closest thing I can find is that Senate Republicans aren't co-signing bills to add more regulation. Not that they're trying to grant immunity to Equifax. http://www.pbs.org/newshour/rundown/equifax-breach-congress-...
[edit2] And at the end of the article:
> Even if the Equifax breach fails to bring about the passage of new legislation, it has scuttled one bill in the works. On the day of Equifax’s announcement, a House subcommittee examined legislation that would have decreased the potential consequences when consumer reporting agencies falsely malign someone. Such mistakes can haunt consumers for years.
> The bill would have eliminated punitive damages for violations of the Fair Credit Reporting Act. The bill’s sponsor, Rep Barry Loudermilk, R-Ga., said the legislation was aimed at curbing frivolous lawsuits and would not have granted any immunity to Equifax for the data breach. “Nevertheless, given the unfounded attacks on me and the rampant misinformation circulating about this legislation, the Financial Services Committee has not scheduled further action on any bill at this time.”
So I suppose there was a bill that could have done that, but it's dead now.
Managed by a security VP who had no relevant experience?
I posted this in another comment, and got massively downvoted. Not sure why...
The internal culture there is such that revenue is prioritized over responsibility. Said culture is driven from the top. EFX stock had been rising steadily for years under Smith's direction, and we're now seeing at what cost.
Concern yourself all you want with the CISO's music degrees. I'm just glad to see the person actually responsible for this toxic culture has finally taken the knife.
I have seen their degree, but that's meaningless as most of the truly talented developers and technical people I know have a degree that is not directly specific to their current role.
What was their experience before Equifax? Do you have links?
The problem for the law is that things are much more indirect in this case.
If you've been harmed by Equifax but it is difficult for you to legally prove the chain of causation, that's a problem that tort law needs to solve. The law is flexible enough to come up with such solutions, albeit slowly. See for example the doctrine of market share liability.
What was the faulty product in this case? Struts? Why is Equifax liable?
> The Equifax breach here was caused by, at the very least, reckless negligence in that they failed to patch a published vulnerability for MONTHS after it was disclosed.
You have no knowledge of their internal security practices, or what the status of knowledge of the vulnerability was. Did they make a mistake? Absolutely. But no security is perfect. You have zero basis to make such a claim.
> What I'm talking about is having the same expectations, requirements and civil and criminal punishments that product liability would have with a physical product, at least when it comes to willful negligence of this sort.
There are already laws on the books that cover this, as well as the CFPB. I expect significant fines and additional oversight for Equifax in the coming months.
> The VW emissions scandal (rightly) is resulting in criminal prosecutions for fraud.
Because that was a real, provable, honest to goodness fraud, where there was provable criminal intent. Just like Enron. Where's the criminal intent with Equifax?
If they had been using commercial software they might have been able to shift the liability (if it existed) to the vendor based on it being not fit for purpose, but as they were using open source, no such option would be open to them.
Struts had provided a remedy for the fault, months prior. Equifax had _failed_ to implement that remedy, because it was 'difficult', 'complex' (due to its own application / deployment / infrastructure), for several months, on a highly sensitive service.
On the other hand, you have a rigorous protocol with professional, regulated engineers held responsible for their actions and the consequences of their designs.
I've always been a bit of a proponent of bringing these regulations into tech jobs when public safety matters, but tech groups can swing wildly pro/anti such a direction on a day-to-day basis. You definitely lose a bit of the "do it quick and break things" attitude, which is responsible for a lot of great products, but the stability and rigor is what benefits, imo.
We all know the drill. If you're not sure what the product is, then you're the product. These "information services" aren't for the advantage of the masses. They exist for the elites. Think about it. You're being tracked and there's no provision to opt out of that.
We're not protected because in the eyes of the powers that be we're the product. We're not in danger. We're what's being sold.
In general I think civil penalties will be more appropriate for this sort of thing than throwing people in jail. Jail time when there was criminal intent could be reasonable, though.
Data breaches seldom result in fatalities or physical injury.
That's around 430,000,000 USD for Equifax alone [edit: if] 143M people got their credit frozen at $3 per freeze. (Obviously back-of-napkin math, and not everybody pays the same or even freezes their credit.)
Retiring is not protection against criminal charges.
Also, there would be oodles of money involved in the case of firing, resignation, or staying on anyway.
It is, however, protection against a for-cause firing.
edit: ceejayoz has pointed out that they are free for 30 days only (and we're in that time window already).
You still need to freeze with the other two agencies, and in a few weeks it'll cost money to lift your Equifax freeze if you want to open a new account.
That is such a perfect way to sum up the pay disparities in large corporations these days. I have no problem whatsoever with someone making $300MM from the sale of the business they created, but making the same amount for manning a desk? Seems like madness.
From time to time, a CEO will have to choose between increasing employee compensation and benefits or increasing profits or dividends. The CEO works with employees all the time and most normal human beings would naturally tend to side with the employees because they're the ones that are working hard to generate the profits that the shareholders receive. Stock options create a financial incentive to override that tendency, so that the CEO will side with shareholders more often.
An interesting thought experiment is to consider: what would happen to a CEO if he or she refused to accept stock options and would only agree to a modest salary? What would the board of directors do? Would they be happy that the CEO is being a responsible steward of the company's finite resources, or would they regard the CEO as untrustworthy and remove him/her at the first opportunity?
Perhaps stock options aren't a "reward" for services rendered, but in fact one of the necessary qualifications for holding the office.
I don't know why it's SO disparate, but it's way more than manning a desk.
I've seen non-founder CEOs take a $100M business to $4B, and others take a $4B to $500M. $100M to $4B deserves the reward.
It's tough to distinguish who 'created' a company in situations like those — do we define it by the original incorporation papers, or by who had the largest effect on turning the company into what it is today? Where do we draw that line?
You aren't wrong in a theoretical sense, but I am all for equality before the law as a precursor to due process. Due process without equitable treatment means very little except to those at the top.
Just deciding that they aren't operating in the public interest and revoking their charters probably wouldn't violate due process. Not in fashion though.
Hopefully, this then will create a different culture in other companies. Things did change after Enron (though SOX is such a pain).
Anecdata example: my PhD is in neurobiology. Some of my engineering has been orbiting Mars since 1976. No neurons involved, just aerospace engineering.
The breach that occurred on her watch is definitive of her incompetence. Nothing to do with her degree.
The lack of a relevant degree isn't exactly a mark in her favour, but it's not a red flag either (especially this far into her career).
Lots of more experienced IT Security people don't have appropriate degrees, generally as they didn't exist when those people got into the profession.
As a personal data point, I've been in IT Security for 17 years, my degree is in accountancy :)
> “Speaking for everyone on the board, I sincerely apologize,” Mark Feidler, the Equifax board’s new chairman
Where is the apology from the CEO?
https://www.nbcnews.com/business/consumer/equifax-executives...
https://www.washingtonpost.com/news/the-switch/wp/2017/09/19...
Do you know the story about the famous actress Hedy Lamarr, who invented a channel-switching anti-jamming system for torpedoes with a friend? Both were musicians with little or no experience, and their invention, aside from being patented and used by the military, is now credited as part of the basis for Wi-Fi and Bluetooth. https://en.m.wikipedia.org/wiki/Hedy_Lamarr#Inventor
It's scary how little information the media is providing on this. Equifax does not provide an FAQ on what conditions determine whether you may be affected. I don't have a line of credit, and I have never used their services personally. HOWEVER, if a prior employer used them for a background check, or if they used a 3rd party who sends my data to Equifax without me knowing, I'm pwned and didn't even know it.
There are about 250 million adults in the US.
I would take that to mean that if you're a US adult, with any sort of credit history, you're affected. The affected data for the larger 143 million was: "Most of the consumer information accessed includes names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers."
There's also a smaller set that had even more data exposed:
"In addition, credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed."
However, Equifax offers other services such as background checks, which more Americans are passing off their SSN to, generally unintentionally (it's mandatory for work).
This leads me to believe even young people are affected if they've taken an internship or worked anywhere (AT ALL) that uses Equifax.
(obviously under the table because above the table would acknowledge the double standard)
No political figure has talked about making these companies disclose this information as soon as possible, and no political figure is furthering any type of bill to make it illegal to know about a data breach and not tell anyone for months.
American obsession and addiction to media is what caused Trump to win, and it's why egregious failures of trust such as this will continue to go relatively unpunished.
We are constantly pumping out the equivalent of crude oil into your culture at the rate of millions of gallons a second. It's all trash, and it pollutes discussion and any sort of cooperation.
Left/Right is the new religious battle, and the new holy books are blogs and twitter feeds. The media is under no obligation to tell you the truth, and in this case the lie is omission.
Why is it that American corporations and their leadership have less oversight than your average 15 year old driver? They keep reminding us of corporate personhood when it is convenient, but where is the personhood responsibility?
Companies aren't going to spend money on security until the potential costs impact them rather than others (in this case all of us). That's something that urgently needs to change. As you can see by Equifax's stock, nobody in the stock market thinks that the governments are going to punish or collapse Equifax, and the worst part is that they're likely right (see BP for example).
This too big to fail, too big to jail, too big to punish thing is really starting to get on my nerves. Even if we aren't ready to send corporate executives to prison, let's at least fine Equifax so much they go out of business, and it sends a shot across every other business's bow about what will happen if they mishandle sensitive information.
> Now if you'll excuse me, this golden parachute isn't going to pull its own rip cord. Have fun fixing all your credit reports and enjoy Equifax's "free" data protection services; your contributions and patience (or short attention span, whichever you prefer) will be thoroughly appreciated by my successor, until he too fails too hard and has to endure a life of permanent financial security and nonstop leisure.
They have a point. This ass hat enriched himself at the expense of customers held at gun point, and didn't even oversee due diligence in the execution of a bullshit monopoly.
Retiring to ride horses and pensively stare at the far horizon of one of his ranches and come back with think piece hagiography in 4 years on the lessons learned...
...there should be bigger consequences.
Naturally, not a single Republican supports this legislation.
Resigning is a known way of avoiding more serious penalties and loss of pension, etc. A lot of UK police, when facing serious charges, suddenly resign due to stress.
It's telling that when found guilty of far less serious offences, the CEO of Shell resigned, giving up a lot of $.
No CEO ever
Aye, the noble folks must be held to different standards. Onwards, to bigger and better things they grow; they are a different people, not bound to clean up after themselves. All that outdated respons-hillbillity just holds the innovation of scams back.