Why haven't product liability laws caught up with information services? The Equifax breach here was caused by, at the very least, reckless negligence in that they failed to patch a published vulnerability for MONTHS after it was disclosed.
Now I'm not talking about the BS class actions you get where the class gets nothing (except for the named plaintiffs who, for some reason, make out like bandits) and the lawyers make a ton of money.
What I'm talking about is having the same expectations, requirements and civil and criminal punishments that product liability would have with a physical product, at least when it comes to willful negligence of this sort.
The VW emissions scandal (rightly) is resulting in criminal prosecutions for fraud.
But the makers of routers, IoT light bulbs and the like seem to suffer no consequences for (and thus have no incentive to improve) the security of their products.
I just don't get it.
Why do lawyers get so much? In the above hypothetical scenario,
- No plaintiff is going to be adequately motivated to sue, so the lawyer has to have incentive.
- No plaintiff has an incentive to pay a lawyer, so he or she has to operate on a contingency basis. This is a significant risk.
- Finding and organizing a large number of plaintiffs (some percent of 10 million), and suing a large corporation, is an expensive process.
- The cost of the suit is incurred before the payoff, which may be years later given the appeal process.
I agree that class actions are often inappropriately used, but that lawyers make much more than the individual plaintiffs is not a priori a bad thing.
In most (all?) other developed nations it is the role of the executive branch of the elected government to regulate and punish businesses so as to prevent diffuse harms. This business with the civil justice system being distorted to create self-appointed, profit-seeking, ad hoc regulators is not the only way to skin the cat.
If the state isn't going to prosecute big businesses for misbehaving, say goodbye to _any_ public support for business at all, small or big.
There was a philosophy that said, 'markets are important, so when a big player misbehaves, make sure the state hits them HARD, otherwise people will lose faith in the markets'
Now the prevailing attitude is 'these people can't be allowed to fail or the whole system will fall down.' And then, to nobody's surprise, they misbehave.
As to the question of criminal prosecution or harsher penalties (e.g. dissolving the corporation): to my knowledge, these suits actually draw AG attention to areas of civil misbehavior which often borders criminal misbehavior. They even surface which citizens were harmed and bring forth information gained by discovery, etc. Thus class action lawsuits actually make it easier for the government to act — that they should prosecute but do not is an independent problem.
I'm not sure, but is civil disclosure readily accessible to prosecutors? I thought normally it was kept confidential, and thus would only be available in the case of an active criminal case. I would expect that prosecutors wouldn't be able to trawl through it searching for evidence of wrongdoing, and there's some procedure around that in parallel construction, but I'm not a lawyer and I can't find any specific discussion of that matter particularly.
Under what law?
If there's some specific law they violated, then by all means, prosecute them. But you can't post-facto say "that seems like it was wrong" and prosecute; you can only say "we should pass laws to make that wrong in the future" and prosecute further offenders.
(For instance, they clearly violated insider trading laws. But what other laws, actually written and on the books, did they violate?)
We can and we have. There are a few justification loopholes that have been used in the past, but we can say something is so wrong that laws can be passed after the fact to punish people engaging in it. This power is dangerous, but so are many other government powers currently used.
Perhaps in another jurisdiction, but not in the US you can't. https://en.wikipedia.org/wiki/Ex_post_facto_law
It's a fundamental premise that you can't decide something formerly legal is illegal after the fact and go after someone retroactively. (Now, if they're still doing it, you can, which is also deeply abusable, but marginally less so.)
Yes you can. Even if there are rules banning it, like any system made by humans, exceptions are made when they are popular enough (or when the target is unpopular enough). In the US in particular, the way exceptions are made is to consider the punishments not being punishments. So while this does mean that extra prison time can't be used, things like indefinite involuntary commitment or extensions of no punishment actions are allowed. One example is extensions of time on the SOR, which has been ruled to not violate ex post facto even when the extension happens after the sentence has been given.
As I said, we can and we do. We just play creatively at it so we can pretend we don't violate ex post facto.
American owners of diesel VWs might have their cars bought back from them and be offered up to $10k in additional compensation. Furthermore VW has portrayed this as an obvious decision they made because they love their customers and want to make things right again.
The same customers in Germany might get a free "upgrade" at the dealership which reduces airflow so that the car is compliant with pollution regulations, but less powerful.
I'm not here to say that class actions are the best, or even a good way of regulating, but I really don't see how the joinder rules offer a useful solution.
In terms of being made whole for a substantial tort (on the order of $10k) I don't think standard American tort litigation with joinder is perfect, but I think it is a better base to build upon than rule 23 litigation. With injuries of that size I think it is practical and desirable for cases to be client driven rather than hoping a judge reviewing a settlement will adequately protect the interest of the class as against those of class counsel.
There are so many people who are at least partly to blame when something like this happens. Bob the engineering manager who committed a quick but insecure fix years ago, Shirley the intern who didn't know what she was doing, Joe the manager who hired Bob and Shirley in the first place, Mike the manager at the company supplying third party software that ends up being exploited, etc.
The worst outcome is that companies outsource all their IT security and therefore responsibility to companies that disappear as soon as there is a problem. But if we rush too quickly to impose criminal sanctions, that will be the likely outcome.
The better solution is to work this one out as a society. Stop relying on things like SSNs and maiden name as "security", and stop building enormous silos of unnecessary data.
You present a fallacy. No, a rational company with accountability for its data doesn't outsource their IT security or let the intern access production. They take their job seriously and prevent something like this from happening by building security into their architecture.
I have worked for companies that recognize they are liable for protecting the data they hold, and that it only takes one breach for trust to be destroyed. We spent countless hours hardening, compartmentalizing, and monitoring our infrastructure. The nihilistic implication that nothing can be done is maddening.
I don't disagree with that sentiment but you have to deal with the whole triumvirate - Equifax, Experian and Transunion.
Does LexisNexis collect financial data on individuals? I thought its focus was research
Early Warning, however, contains way, way more information about bank accounts. It lists most of your accounts plus dates opened, dates closed, and other stuff. (I don't have my report on hand, so I'm going from memory) You can (and should) request your report here: https://www.earlywarning.com/consumer-information.html#instr...
I request both every year. (Because I churn bank account bonuses)
LexisNexis has a whole crapload of consumer reports. The big one is the CLUE report on insurance claims. They have employment databases as well and probably others, I'm not as familiar with them. You can request a copy of your CLUE report here: https://personalreports.lexisnexis.com/fact_act_disclosure.j...
I have to admit, I've never requested my CLUE report.
I've mentioned this in another comment but there's actually two more credit bureaus, SageStream (request report here: https://www.sagestreamllc.com/consumer-report/) and Innovis (request report here: https://www.innovis.com/personal/creditReport) I've never requested either myself but I am in the process of requesting both right now.
That's a good thing to know that people aren't making insurance claims in your name.
LexisNexis long since moved beyond newspaper and courthouse archiving. They have dozens of intelligence products and databases aimed at marketing, debt collection, private investigators, and law enforcement. They collect massive personal consumer (and business) data, including retail purchases and returns, and salaries, and associate it in a Facebook-style graph, loosely associated with SSN and DL#.
Even with normal use and no breaches, all these cross-referenced databases are hell for those of us who went through a gender transition. It is practically impossible to get rid of references to my old name. It outs me anytime I open a bank/credit account or arrange new insurance.
Notably it's used by Bank of America
More information: http://www.latimes.com/business/lazarus/la-fi-lazarus-credit...
Are they a distant 4th then?
If you put a security alert on your profile with one of the big 3 agencies it automatically propagates to the other 2. I wonder why it doesn't propagate to this agency as well.
THIS. And in this case we have blatant evidence of negligence. There is absolutely zero excuse in this day and age to not keep operating systems patched up with security patches. There is no financial excuse, there is no logistical excuse, and given the sensitivity of the data, there is no ethical excuse. Take the responsibility seriously, or please just go off and die in a fire. (Or, if you're an Equifax executive, retire at the height of your incompetence.)
Which is why I shamelessly say: Fuck Richard Smith, fuck Equifax, fuck Susan Mauldin, and fuck their entire IT management staff. What the fuck is wrong with you people?
Disclaimer: I was recently hacked/had my identity stolen, and although I was fortunate to only have to wait 2 weeks to get back access to everything, I may be a little sore about stuff like this.
Equifax needs to wipe its data and all extant backups. Then it can be sold (for maybe ten dollars).
All the CRAs endure attacks at a scale that are difficult to comprehend. It's frankly a surprise that something like this hasn't happened before to any one of the big 3.
Then again, I once did work for a bank, and witnessed an event where user PINs were discovered to be publicly available if one happened to know the magic URL. This discovery was made through the process of a pen-test team sharing their findings back to development, who in turn extended their findings based on what developers knew about the system. Forensics done after the discovery revealed no cases of anyone actually finding the magic URL, which was a big relief for the company. So maybe the banks aren't as strong as we think, either. We have quite a few payment breaches to look back to as evidence.
Can you cite a source for how we "now know how terribly fast and loose Equifax was operating"?
Equifax is a CRA and is treated as a financial institution under the applicable laws, like banks are.
> Then again, I once did work for a bank, and witnessed an event where user PINs were discovered to be publicly available
Then you should know better than to simply claim that a company that suffers a breach is somehow inherently incompetent or uncaring about security.
Furthering their incompetence by linking to phishing sites in the aftermath, not offering data protection automatically, and suggesting US persons should pay them for protection (!) all point to the deeper corporate problem that is at the root of this issue, which is that they see US persons as suckers and don't really care about data privacy or information security. Otherwise, they'd have staff trained on response and they'd have social outreach folks validating URLs before posting as the company representatives.
It's totally appropriate for the CEO to resign.
Pure conjecture on your part. You have no insight into their security program. The only thing you can accurately infer is that they missed this one.
The phishing site thing was pretty stupid, though, I agree.
There are a lot of irrational companies in the world by that standard.
Unacceptable. Software development needs to be treated as engineering. We need to finally rid ourselves of the concept of "quick and dirty". If that means all the people who live off of that style of development leave the industry, fantastic! It would be great if every manager who told his devs "I don't need it to be perfect, it just needs to kind of function and be ready by EOB today" could end up financially liable.
>Shirley the intern who didn't know what she was doing
What was she doing working on a production system unsupervised? A plumber-in-training may get to work with the pipes on his own a bit but you can be sure the certified plumber will inspect everything before signing off.
The IT industry needs a shakeup and if it takes something like this to accomplish it, good.
A small subset of these kinds of systems end up at big companies, because they're acquired, or because the company grows, etc etc. How do you draw a line in the sand where everyone stops the world and re-implements all the "quick and dirty" stuff?
I briefly worked in construction and I've seen plenty of "quick and dirty" there, also, particularly in suburban renovations. Time is money in these projects, and corners are often cut. I'm not saying all engineering works this way, clearly building bridges is a different matter, but I am pointing out that there is a spectrum.
Quite frankly, it seems like you nailed the point when someone should be re-implementing the quick and dirty stuff; the moment it gets acquired and integrated. I do understand what you're saying, but I cannot agree that just because something is difficult to do means that one can hand-wave responsibility. In the case of large companies that have been subject to breaches recently, the only reason they get by after the fact is because they can afford to; if it were to happen to any of the small shops running in "Quick and Dirty" mode and something happened, the shop would more or less take a hit it could not recover from.
I see this in action and hear the same excuse every single day with my clients, and it doesn't matter if they're a multi-national whose infrastructure spans continents or some dude with a pirated hyper v host in his room, the excuse is always the same: "Oh we had to do it that way, and didn't have time to fix it."
Quite frankly, it's nonsense, infinitely more so in virtual environments. The workflow and technology available for patch-testing, deployment, and rollback has never been faster, safer, or easier than it currently is; companies just aren't doing it, and no one is holding people accountable for negligence. If the aforementioned construction workers who did a quick and dirty job cause major damage to the house as a result, they would be liable for damages due to their negligence. I'm not sure why we in the Tech community somehow think we're above responsibility for our negligence.
I understand that money is on the line - I deal with clients where every minute of down-time has a substantial dollar figure attached, and there's always the attitude of "we'll deal with it later"; and yet, this attitude always ends up causing more trouble in the end, and naturally costing far more.
Edit: Changed "...responsibility for our own negligence" to remove "own"
How would you propose doing this, though?
In other branches of engineering, there's licensing and certification processes - but only after you have gone through and passed an accredited course (i.e. a university engineering degree).
This is fine for the majority of engineering, because most of it is fairly settled knowledge, and doesn't change on a nearly weekly or faster basis; unlike what we call "software engineering".
We could say that current university computer science or similar degrees could be the initial thing to allow you to get certified and/or licensed - but how would that translate into the testing for certification/licensing?
Especially when "best practices" might (will) change almost literally overnight? How could any company know that Bob Jones MSE (Masters in Software Engineering) has and knows everything there is to know and is 100% up-to-date with the latest software engineering, security, database, etc practices needed for his craft (especially those items that changed last week)?
With other engineering fields, such change doesn't happen anywhere near as quickly (and in some, it may be years or decades between new updates).
Also - how would you propose "grandfathering" in existing software engineers and other similar professionals? While on the surface I would like to see such a change to a more professional attitude, I don't want to see myself personally "left out in the cold": I don't have a degree in the field; my knowledge is self-taught and/or learned on the job over the past 25+ years.
I don't know anywhere near everything, and in many cases I am always learning something new (or learning the name of some "pattern" that was something I had been taught years or decades ago before it had a name). I honestly find the learning aspect to be one of the things I immensely enjoy about my software engineering career.
But I don't want to find myself tossed aside because I don't have a degree, or find that I have to go back to school just to keep my career (indeed, going back to school for this reason would likely leave me without a job in the end because of many businesses balking at hiring older developers like myself - which is also why I tend to always stay abreast in my skills and knowledge).
I'm not expecting any answers - just wanting to throw out some food for thought.
And I wouldn't expect someone to need this certification before a compiler would run. I would envision something more along the lines of: a company cannot have a "badge of software engineering" or some such unless all the developers working on their production systems have these certifications. If it's a small company running a PHP website then they probably don't need certified people and probably their clients won't (initially) care that they're missing the safety badge.
In the 18th and 19th century, Britain transported many petty criminals to penal colonies in Australia. Putting aside the brutality of that policy, there was at least some concern over the number of deaths on the voyage. After other attempts failed, one simple policy brought about considerable improvement: shipowners were paid by the number of live transportees arriving. They complained mightily that it would not work, but it did.
Frankly, your post looks like a self-serving defense of business-as-usual mediocrity in IT.
It makes more sense to assign all the blame on whatever entity lost control of the data. They get a big fine and as long as they were following best practices (as outlined by their insurance company), then their insurance company will pay the fine and the business keeps chugging along.
If the company was negligent, the fine is likely a death sentence.
> The better solution is to work this one out as a society. Stop relying on things like SSNs and maiden name as "security", and stop building enormous silos of unnecessary data.
This doesn't stop aggregators from forming, the data has value someone will collect and sell it.
I'd also much rather have government under-react than over-react. (The former has a lot more flexibility)
EDIT: Fixed words
At the very least, I hope this will cause lenders and credit reporters to take data security very seriously.
I fear that the simple answer is because we no longer live in a country (or political climate, if you prefer something more optimistic) where regulatory and legal structures like product liability are thought of being the role of government. The neoliberal response to this is "the market will punish Equifax and other, more responsible competitors will take their place or force them to change their ways." The very concept of human beings exerting political will to make a company do something is almost unfathomable these days.
Neoliberalism is notionally centered on things like free markets, globalization, free trade, privatization, deregulation, etc. and can be seen as a sort of pro-business or pro-corporate philosophy.
I'd say 'conservative' is really a question of preferring the status quo, or perhaps traditionalism. Consider that 'conservative' can imply potentially very different views if you contrast US and EU conservatives (or elsewhere). A conservative is better contrasted with a 'progressive' who enthusiastically seeks (perceived) beneficial changes to the status quo or traditions.
“pro-corporate”, perhaps, but corporatism is a different thing and opposed to neoliberalism. (It doesn't come from “corporation” in the sense of the business enterprise, but from the same root referring to a body, in this case referring to the whole of society as a single body.)
Neo-Liberalism is the ideology of the discovery of law through economics (which is held to be a sort of axiomatic "scientific" given). Basically if corporations were people -- and hey look here, they are -- and were to get together and dream up an ideology for themselves -- you know, corporations of the world, unite!! -- they would task some of their human lackeys to manipulate their institutions to install Neo-Liberalism as the world wide political-economical regime.
Any other questions?
While neoliberalism and libertarianism are in the same direction, they aren't the same thing. Neoliberals are generally fine with government restricting what can be bought and sold, they just want most legal goods and services to generally be provided by private enterprise with limited regulation, and with only very limited barriers to international trade in goods and services that are legal in both the source and destination jurisdiction.
My credit score was 800 and I had a mortgage for $409,000 I put $80,000 down in cash.
I never missed a payment and was never late.
I went to pay my mortgage and the website looked the same, but the payment button was removed.
I called and was told that my mortgage was sold and that I'll get a welcome packet in the mail explaining to whom I should pay my mortgage...
It never came.
I called daily for months.
Finally I got something in the mail. A foreclosure notice for not paying my mortgage...
I got in touch with them and they told me "don't do anything, Obama's going to fix this" (literally that's what they said)
Then I got another notice.
Then they said they would refi me... then they said I made "too much money to qualify for a refi," and that I needed to pay $52,000 right then to not get foreclosed.
I got foreclosed upon. They came one day and changed the locks when I was at work.
I contacted the person who left a sticker on my door and told him I would come to his house and shoot him in the face if he didn't come open my house within two hours.
He showed up.
I filed suit, class action, and I won.
I won $1,008.00
My credit is ruined
The issue is that while the credit rating system is utter bullshit - there is a LOT attached to it WRT life...
Basically if you have shitty credit, people look down on you.
I make 228K per year, but due to that issue, and regular life circumstances (divorce, etc) my credit is poor - and I just got denied a card from Chase, due to Equifax saying I owe Comcast $128 (for a device I returned to them - but they still are dogging my credit)
Credit industry needs to get ITS CREDIT up.
I get the feeling you're not telling us the whole story because if you did this you're a) stupid and b) would have gone to jail.
So I couldn't care less of your opinion of the situation - but you were not there. I have no issues. They are scum opportunists and it's amazing how the whole freaking country just let this happen...
Did you at any point contact your state financial services regulator or the Consumer Financial Protection Bureau or any other federal or state regulator?
When was this?
Did they sell your house or do you still have it?
It's not supposed to make sense. This is how Corporate America works these days (or more precisely, since the late 80s).
He (the CEO) is gracefully landing on his retirement pad in his Golden Parachute of at least 18 MILLION, and there's no mention of any of this in most mainstream media stories. The senate is also preparing to grant Equifax immunity from consumer lawsuits.
> Disgraced Equifax CEO Richard Smith runs for the hills – toting $18 million in retirement benefits – with 143 million consumers still left in the lurch.
Source: => https://www.commondreams.org/newswire/2017/09/26/not-another...
[edit1] The closest thing I can find is that senate republicans aren't co-signing bills to add more regulation. Not that they're trying to grant immunity to Equifax. http://www.pbs.org/newshour/rundown/equifax-breach-congress-...
[edit2] And at the end of the article:
> Even if the Equifax breach fails to bring about the passage of new legislation, it has scuttled one bill in the works. On the day of Equifax’s announcement, a House subcommittee examined legislation that would have decreased the potential consequences when consumer reporting agencies falsely malign someone. Such mistakes can haunt consumers for years.
> The bill would have eliminated punitive damages for violations of the Fair Credit Reporting Act. The bill’s sponsor, Rep Barry Loudermilk, R-Ga., said the legislation was aimed at curbing frivolous lawsuits and would not have granted any immunity to Equifax for the data breach. “Nevertheless, given the unfounded attacks on me and the rampant misinformation circulating about this legislation, the Financial Services Committee has not scheduled further action on any bill at this time.”
So I suppose there was a bill that could have done that, but it's dead now.
Here you go: Ga. lawmaker defends bill curtailing class actions after Equifax hack => http://politics.blog.myajc.com/2017/09/16/ga-lawmaker-defend...
> Georgia Congressman Barry Loudermilk is shooting back at consumer protection groups and other critics who have slammed his bill to curb the use of class action lawsuits in the aftermath of Equifax’s mammoth data breach.
Note the Congressman is from Georgia and Equifax is HQ-ed in Atlanta, Georgia.
Managed by a security VP who had no relevant experience?
I posted this in another comment, and got massively downvoted. Not sure why...
The internal culture there is such that revenue is prioritized over responsibility. Said culture is driven from the top. EFX stock had been rising steadily for years under Smith's direction, and we're now seeing at what cost.
Concern yourself all you want with the CISO's music degrees. I'm just glad to see the person actually responsible for this toxic culture has finally taken the knife.
I have seen their degree, but that's meaningless as most of the truly talented developers and technical people I know have a degree that is not directly specific to their current role.
What was their experience before Equifax? Do you have links?
Equifax “Chief Security Officer” Susan Mauldin has a bachelor’s degree and a master of fine arts degree in music composition from the University of Georgia. Her LinkedIn professional profile lists no education related to technology or security.
Her LinkedIn profile has since been removed entirely.
A copy is shown here:
She was previously Senior Vice President and Chief Security Officer at First Data Corporation, until July 2013.
The snippet posted there shows her previous jobs as "professional".
No security person I know has zero security experience on their resume.
It's one thing to say it happened on Mauldin's watch and as the senior person in charge of security they bear responsibility (as any leader does).
This degree stuff, however, is mostly security theater and very weak argumentation.
While I don't expect an exec to be at the same level as current researchers, they should know something about the field.
Her music degree is not completely relevant, though it is concerning. The rest of her resume (and total lack of relevant experience) is more damning.
Look, I personally know someone who's a C level in a tech company, with a political science degree. But his resume shows 15 years of full-time employment in his current field, plus summer jobs in university, and going back to high school. So with 20 years of experience in the field, his degree doesn't matter so much.
Your counter position seems to say that execs can manage a division while knowing nothing about what the division does. There's just no way that's true. The exec must know something in order to be able to prioritize projects, set goals, mediate disagreements, etc.
Or would you say that someone who has no education in a field, and no experience in a field, is qualified to be an executive-level manager for that field?
That's just hard to believe.
Alice Goldfuss @alicegoldfuss
Hi, I'm a Site Reliability Engineer at a large tech company.
I have a BFA in Film.
Steaknap Sleepchew @treelzebub
Android Tech Lead here. Was a Religious Studies major, then a cook/chef for 12 years. #unqualifiedfortech
Richard Bejtlich @taosecurity
Undergrad degrees in history, pol sci, French, German. Masters in public policy. Wrote 4 #cybersecurity books, was CISO. #unqualifiedfortech
(Bejtlich is the former chief information security officer at Mandiant, a cyber forensics firm that has investigated data breaches at many companies, including Equifax.)
Joe Uchill @JoeUchill
Peter Thiel majored in 20th century philosophy. Now he harvests the blood of the young. #unqualifiedfortech
About 85 percent of Duo Security's hires do not have a formal background in information security,
Wendy Nather @wendynather
I don't have a degree; if I'd gotten one, it would have been in liberal arts. But I've been in tech for 30 years, so their logic is flawed. https://twitter.com/alicegoldfuss/status/908430394529259520 …
Derek Robson @asinine_net_nz
I know several people in infosec with a music degree.
And a CISO is as much about risk management as CS and tech.
Do these people have any competence in the field before they're hired into an executive position?
> Steaknap Sleepchew @treelzebub Android Tech Lead here. Was a Religious Studies major, then a cook/chef for 12 years.
> Richard Bejtlich @taosecurity Undergrad degrees in history, pol sci, French, German. Masters in public policy. Wrote 4 #cybersecurity books, was CISO.
> Joe Uchill @JoeUchill Peter Thiel majored in 20th century philosophy. Now he harvests the blood of the young.
> About 85 percent of Duo Security's hires do not have a formal background in information security,
Do they have experience in information security?
a) yes, therefore they have some qualifications, and the comparison is not relevant
b) no, therefore the employers are hiring people who are manifestly incompetent at their jobs
> Wendy Nather @wendynather I don't have a degree; if I'd gotten one, it would have been in liberal arts. But I've been in tech for 30 years, so their logic is flawed.
i.e. she has experience, and the comparison is not relevant.
> And a CISO is as much about risk management as CS and tech
So you're honestly saying that a widget company can hire a VP of widget manufacturing, who knows nothing about widgets or manufacturing? This is not just false, it's patently absurd.
The point isn't "OMFG she has a music degree". It's that there is no reason to believe she has any experience or competence in the field.
If you have more insight, please do share, but there is none in those links.
So basically you're posting about the degree nonsense and non-story.
So far as any evidence goes, she has zero experience in the field.
So basically you're trying to nit-pick at me for saying that there's no evidence she has any experience... while not showing any evidence that she has experience.
Er.. no. As far as evidence goes there is not enough evidence to draw a conclusion. Saying she has zero experience is not the default - it's a position.
So basically, again, I ask for any evidence of the original statement. So far there has been none (this might be why there were downvotes before btw).
It is entirely reasonable, therefore, to suggest she has no relevant experience.
Likewise, it is entirely reasonable to suggest she might have some relevant experience, but is unwilling to state more than "Professional" on her resume.
The problem for the law is that things are much more indirect in this case.
Now if you wanted to sue for $1 million per copy instead of $10,000 or so, then you'd have to take it to court and prove those damages.
Not that I'm anybody, but the idea is out there.
If you've been harmed by Equifax but it is difficult for you to legally prove the chain of causation, that's a problem that tort law needs to solve. The law is flexible enough to come up with such solutions, albeit slowly. See for example the doctrine of market share liability.
What was the faulty product in this case? Struts? Why is Equifax liable?
> The Equifax breach here was caused by, at the very least, reckless negligence in that they failed to patch a published vulnerability for MONTHS after it was disclosed.
You have no knowledge of their internal security practices, or what the status of knowledge of the vulnerability was. Did they make a mistake? Absolutely. But no security is perfect. You have zero basis to make such a claim.
> What I'm talking about is having the same expectations, requirements and civil and criminal punishments that product liability would have with a physical product, at least when it comes to willful negligence of this sort.
There are already laws on the books that cover this, as well as the CFPB. I expect significant fines and additional oversight for Equifax in the coming months.
> The VW emissions scandal (rightly) is resulting in criminal prosecutions for fraud.
Because that was a real, provable, honest to goodness fraud, where there was provable criminal intent. Just like Enron. Where's the criminal intent with Equifax?
If they had been using commercial software they might have been able to shift the liability (if it existed) to the vendor based on it being not fit for purpose, but as they were using open source, no such option would be open to them.
The fact that they didn't sell those services to consumers but that consumers are the ones impacted is actually a big part of the problem.
There's an externality here in that the people who suffer the loss have no part in the transaction (they are neither buyer nor seller) so have no way to, in an economic sense, impact Equifax's behaviour, which does lead to the idea that regulation could be an appropriate approach.
Perhaps, but it's a different problem than product liability.
> which does lead to the idea that regulation could be an appropriate approach.
CRAs are already regulated.
I don't follow. Who's the unauthorized party that's "allowed" to make spurious changes via their systems and security practices?
And how was this "allow[ing] unauthorized people to make spurious changes"? No data was changed in the breach.
Struts had provided a remedy for the fault, months prior. Equifax had _failed_ to implement that remedy, because it was 'difficult', 'complex' (due to its own application / deployment / infrastructure), for several months, on a highly sensitive service.
Can you cite your source for these claims?
"Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online."
According to your quote, they patched only after they were the victims of a breach; they should have been pro-active and dealt with the issue as soon as the vulnerability was made public.
On the other hand you have rigorous protocol with professional regulated engineers held responsible for their actions and the consequences of design.
I've always been a bit of a proponent for bringing these regulations into tech jobs when it matters on public safety but the tech groups can swing wildly in pro/anti favor of such direction on a day to day basis. You definitely lose a bit of the "do it quick and break things" attitude which is responsible for a lot of great product but the stability and rigor is what benefits imo.
We all know the drill. If you're not sure what the product is then you're the product. These "information services" aren't for the advantage of the masses. They exist for the elites. Think about it. You're being tracked and there's no provision to opt out of that.
We're not protected because in the eyes of the powers that be we're the product. We're not in danger. We're what's being sold.
In general I think civil penalties will be more appropriate for this sort of thing than throwing people in jail. Jail time when there was criminal intent could be reasonable, though.
Data breaches seldom result in fatalities or physical injury.
That is such a perfect way to sum up the pay disparities in large corporations these days. I have no problem whatsoever with someone making $300MM from the sale of the business they created, but making the same amount for manning a desk? Seems like madness.
From time to time, a CEO will have to choose between increasing employee compensation and benefits or increasing profits or dividends. The CEO works with employees all the time and most normal human beings would naturally tend to side with the employees because they're the ones that are working hard to generate the profits that the shareholders receive. Stock options create a financial incentive to override that tendency, so that the CEO will side with shareholders more often.
An interesting thought experiment is to consider: what would happen to a CEO if he or she refused to accept stock options and would only agree to a modest salary? What would the board of directors do? Would they be happy that the CEO is being a responsible steward of the company's finite resources, or would they regard the CEO as untrustworthy and remove him/her at the first opportunity?
Perhaps stock options aren't a "reward" for services rendered, but in fact one of the necessary qualifications for holding the office.
Do we live in the same world? In all seriousness, not meaning to be a jerk - this is not how corporations or CEOs think. They don't "work with the employees all the time". They don't choose employee compensation/benefits over increasing profits. We're lucky that they _sometimes_ choose "minimizing deaths" over profit, and even that track record is spotty at best.
I assume most CEOs don't talk to their board of directors every day. Most normal people will empathize with and want to please the people they work with to achieve some common goal (i.e. create a good product, grow the business, and beat their competitors). To the stockholders, that would be an undesirable trait, and so the board of directors gives the CEO stock options to encourage the CEO's self-interest to override his or her innate desire (if it exists) to treat employees well at the expense of profits and dividends.
I don't know why it's SO disparate, but it's way more than manning a desk.
I've seen non-founder CEOs take a $100M business to $4B, and others take a $4B to $500M. $100M to $4B deserves the reward.
If a CEO is making $100m per year in cash, there is no incentive to do a good job. Especially if they do so poorly they get fired, which means they get a $500m bonus as a reward for being fired.
It's tough to distinguish who 'created' a company in situations like those — do we define it by the original incorporation papers, or by who had the largest effect on turning the company into what it is today? Where do we draw that line?
That's around ~430,000,000 USD for Equifax alone [edit: if] 143M people got their credit frozen at $3 per freeze. (Obviously back of napkin math, and not everybody pays the same or even freezes their credit)
Retiring is not protection against criminal charges.
Also, there would be oodles of money involved in the case of firing, resignation, or staying on anyway.
Not the big pile of money for leaving/getting fired, the accepting of consequences for legal actions taken while working for the corporation.
Not when gross negligence occurs.
EDIT: Gross negligence in the legal sense.
Because my comment is clearly scoped to "legal actions".
It is, however, protection against a for-cause firing.
edit: ceejayoz has pointed out that they are free for 30 days only (and we're in that time window already).
You still need to freeze with the other two agencies, and in a few weeks it'll cost money to lift your Equifax freeze if you want to open a new account.
> How do I place a freeze on my credit reports? Contact each of the nationwide credit reporting companies.
> Ask 1 of the 3 credit reporting companies to put a fraud alert on your credit report. They must tell the other 2 companies.
> In response to public outcry, Equifax announced that fees to freeze your credit will be waived for the next 30 days. But even that doesn't totally protect your information since your data isn't fully frozen until it is on ice at all three credit bureaus. The other bureaus have their own fees. It's also unclear whether Equifax would still charge you a fee to lift the freeze. The company did not immediately respond to request for comment.
No political figure has talked about making these companies disclose this information as soon as possible, and no political figure is furthering any type of bill to make it illegal to know about a data breach and not tell anyone for months.
American obsession and addiction to media is what caused Trump to win, and it's why egregious failures of trust such as this will continue to go relatively unpunished.
We are constantly pumping out the equivalent of crude oil into your culture at the rate of millions of gallons a second. It's all trash, and it pollutes discussion and any sort of cooperation.
Left/Right is the new religious battle, and the new holy books are blogs and twitter feeds. The media is under no obligation to tell you the truth, and in this case the lie is omission.
You aren't wrong in a theoretical sense, but I am all for equality before the law as a precursor to due process. Due process without equitable treatment means very little except to those at the top.
Just deciding that they aren't operating in the public interest and revoking their charters probably wouldn't violate due process. Not in fashion though.
Hopefully, this then will create a different culture in other companies. Things did change after Enron (though SOX is such a pain).
Why is it that American corporations and their leadership have less oversight than your average 15 year old driver? They keep reminding us of corporate personhood when it is convenient, but where is the personhood responsibility?
Companies aren't going to spend money on security until the potential costs impact them rather than others (in this case all of us). That's something that urgently needs to change. As you can see by Equifax's stock, nobody in the stock market thinks that the governments are going to punish or collapse Equifax, and the worst part is that they're likely right (see BP for example).
This too big to fail, too big to jail, too big to punish thing is really starting to get on my nerves. Even if we aren't ready to send corporate executives to prison, let's at least fine Equifax so much they go out of business, and it sends a shot across every other business's bow about what will happen if they mishandle sensitive information.
> Now if you'll excuse me, this golden parachute isn't going to pull its own rip cord. Have fun fixing all your credit reports and enjoy Equifax's "free" data protection services, your contributions and patience (or short attention span, whichever you prefer) will be thoroughly appreciated by my successor, until he too fails too hard and has to endure a life of permanent financial security and nonstop leisure.
They have a point. This ass hat enriched himself at the expense of customers held at gun point, and didn't even oversee due diligence in the execution of a bullshit monopoly.
Retiring to ride horses and pensively stare at the far horizon of one of his ranches and come back with think piece hagiography in 4 years on the lessons learned...
...there should be bigger consequences.
It's scary how little information the media is providing on this. Equifax does not provide an FAQ over what conditions you may be affected. I don't have a line of credit, and I have never used their services personally, HOWEVER, if a prior employer used them through a background check, or if they used a 3rd party who sends my data to Equifax without me knowing, I'm pwned and didn't even know it.
There are about 250 million adults in the US.
I would take that to mean that if you're a US adult, with any sort of credit history, you're affected. The affected data for the larger 143 million was: "Most of the consumer information accessed includes names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers."
There's also a smaller set that had even more data exposed:
"In addition, credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed."
However, Equifax offers other services such as Background Checks which more Americans are passing off their SSN to, generally unintentionally (it's mandatory for work).
This leads me to believe even young people are affected if they've taken an internship or anywhere (AT ALL) that uses Equifax.
Naturally, not a single republican supports this legislature.
Resigning is a known way of avoiding more serious penalties and loss of pension, etc. A lot of UK police, when facing serious charges, suddenly resign due to stress.
It's telling that when found guilty of far less serious offences the CEO of Shell resigned, giving up a lot of !$
> "Speaking for everyone on the board, I sincerely apologize," Mark Feidler, the Equifax board's new chairman
Where is the apology from the CEO?
(obviously under the table because above the table would acknowledge the double standard)
Yeah, she fucked up. No, it wasn't because of her college major.
It's the same divide between self taught developers and developers with a formal computer science background. If I'm hiring someone to make a website, then it may not make much of a difference, but if I need them to write kernel device drivers, more often than not your best bet is going to be with someone with a formal background who has had to demonstrate at school that they have certain knowledge prerequisites in a standardized setting.
I can't speak for the cybersecurity at HP, Sun Trust, and First Data. It's possible they have great records, or it's possible they've made mistakes and gotten away with them, and these experiences led Mauldin to believe Equifax was more secure than it was.
Edit: I found that she was Group VP at SunTrust from 07-09 and Senior VP and Chief Security Officer at First Data from 09-13. Her experience at First Data is relevant to the discussion and it's strange that the Washington Post article you linked to didn't mention that.
The best people (engineering-wise) I've worked with are people who had a passion for the subject, were generally inquisitive sorts, and engaged in a lot of self-directed learning and research because they simply wanted to... some had degrees, and some were high-school dropouts.
How do you reconcile the fact that the individual could barely program, but they graduated from what you consider respected CS programs? Or are you saying that the programs have a public perception of respect that you personally don't believe they deserve? If the person passed that institution's examinations, then it seems to me that you're indicating either the institution has low standards compared to your industry or that they erroneously passed someone who did not meet their standards (either through incompetence or deception). I think it's relevant to note if the individuals graduated with a high GPA or if they barely scraped by.
Of course autodidactism exists, but it can be very difficult to judge an individual's abilities based on one interview alone. A degree from a university at least indicates that the individual was exposed to the subject matter for a number of years, tested by individuals in the field who themselves have advanced credentials in the field, and passed the institution's examinations of knowledge. This isn't to say they're better qualified, but it gives you information that's more difficult for an individual to mislead you with. I can safely assume that a university has taken the expected precautions to ensure an individual's grades and credentials are reflective of their own work, as opposed to a self taught developer showing me a portfolio that may or may not be their original work entirely.
That isn't to say that undergrad schooling doesn't have utility - it can have plenty for the sufficiently motivated.
What concrete information do we have to make that conclusion?
It would be naive to say that just the clear oversights in management were solely to blame - you can do everything right and still have data breaches. Far more intricate attacks could be perfected had the current vulnerabilities been resolved.
You can argue "it's a big company" all you want and that the responsibility shifted. However, at that position, setting up a shoddy website where customers can see if they were impacted, then request/pay for their own credit freeze, is NOT SUFFICIENT handling of the situation and betrays a long-storied past of never having had to handle a situation so grave.
Lives and livelihoods are at stake here. This isn't just a senior software engineer or technical director job where mess-ups only breach trust. A crappy application developer could release buggy software, but one can "delete the app" at the end of the day. You can't uncork this bottle. This is a security position over some of the most personal data available on US citizens.
If there is ANY belief that this person "fell up" through a security role, that needs to be identified.
The first computer science department dates to 1962 at Purdue University (home of Eugene "Spaff" Spafford). Others formed generally during the 1970s and 1980s.
Your responses strongly suggest a failure to grant charitable consideration:
Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize.
Do you know the story about the famous actress Hedy Lamarr, who invented a channel switching anti-jamming system for torpedoes with a friend? Both were musicians with little or no experience, and their invention, aside from being patented and used by the military, is now credited as part of the basis for Wi-Fi and Bluetooth.