The Equifax Inc. hack may be the alarm bell that finally jolts Congress and large enterprises out of their somnambulance and forces them to do something meaningful about cybersecurity.

At least that’s the hope of one of the computer industry’s largest trade associations. Todd Thibodeaux (below), chief executive of the nonprofit CompTIA Inc., said he has been encouraged by the number of class-action lawsuits that have already been filed against the consumer credit reporting giant, as well as by what he termed the “ferocity” of the language in them.

“If the courts come back with a landmark decision that sides with consumers it could be a turning point,” in corporate attitudes toward cybersecurity, he said in an interview with SiliconANGLE.

Among the factors that make this breach unlike those that came before it is the length of time Equifax took to report the incident, insider trades by executives before the breach was brought to light and Equifax’s initial attempts to charge customers to have their reports frozen and to release Equifax from liability in exchange for information about their accounts. Although Equifax has backtracked on some of that and announced the immediate “retirement” of its chief security and chief information officers, the anger is unlikely to abate anytime soon — especially with governments and innumerable lawyers now circling.

Anger and resentment

“There’s a lot of anger and resentment,” Thibodeaux said. “It’s a little more vocal than in the past.”

CompTIA has reasons to agitate for change. It’s one of the largest providers of vendor-neutral cybersecurity certifications, and the companies it represents are struggling with a patchwork of state-by-state regulations.

Lack of standards on definitions and reporting are one of the chief reasons for lackadaisical corporate cybersecurity practices, Thibodeaux said. So are poor accountability, confusing regulations and the reluctance of courts to hold victimized businesses accountable. “Up till now, the courts have tended to side with the companies [that were breached], saying they did everything they could,” he said. “There haven’t been any penalties.”

Most companies have limited insight into their own security posture and are unwilling to share information publicly for fear of embarrassment. In fact, until two years ago federal antitrust law made that sharing illegal. The Cybersecurity Information Sharing Act of 2015 lifted those decades-old restrictions, but “there’s so much stigma attached to being hacked that it’s natural that companies wouldn’t be forthcoming,” he said. “In Equifax’s case you can see that when you handle the situation poorly, it hurts you more.”

States’ rights

Congress has left it to states to administer their own rules for cyberincident disclosures. The result is that a technology services firm doing business in New England may have to be intimately familiar with laws in six different states. “Now is a time when it might make sense for some federal pre-emption of these rules,” Thibodeaux.

While that seems unlikely in a political climate that is decidedly antiregulation, Thibodeaux said he is encouraged that Equifax CEO Richard Smith has been called to testify before a House of Representatives panel and that nearly 40 states are probing the company’s handling of the breach. “I hope that, at the minimum, we get greater awareness” of the need for better cybersecurity practices, he said. “I’d also like to see a national standard for what is a data breach.”

The General Data Protection Regulation that’s due to go into effect in the European Union next spring provides that, but even though many U.S. companies will technically be covered by the rule, Thibodeaux said he doesn’t expect much to change. “The EU won’t bring suits in U.S. courts,” he said.

Plentiful advice

There’s no shortage of guidance for enterprises that want to beef up their own security. The National Institute of Standards and Technology’s Cybersecurity Framework offers a comprehensive overview of best practices. Organizations such as CompTIA and the Sans Institute also have voluminous libraries of advice.

Despite rustling at the federal level, Thibodeaux said he doesn’t believe evidence of change will emerge from Congress. Look to the courts instead, he advised. “If Equifax is found liable for significant civil damages that would indicate a game changer.”

Insurance companies will also play a role. As liability costs pile up, they may press for stronger disclosure laws to enable more realistic rate-setting. Higher insurance costs are bound to get the attention of corporate boards. “Insurance companies don’t have the risk and actuarial information they need because breaches are slow to report and data is elusive,” he said.

But will things really change? History indicates otherwise. Massive breaches such as those at Yahoo! Inc. and  Target Stores Inc. failed to jolt lawmakers or enterprises into action. But the fact that the Equifax hack involves so much personal information may make this case different.

Thibodeaux also has a personal reason for speaking out. Last year his identity was stolen.

Image: Prawny/Pixabay