Using ERM to Protect Your Business from The Equifax Fallout

As with many data breaches, the general conclusion of the Equifax attack is that personnel were not aware of the issue beforehand. This conclusion, however, is false.

In early September, I anticipated that a vulnerability in Equifax’s software was known ahead of time, and that this scandal was, therefore, entirely preventable. A month later, the NY Times reported that the Department of Homeland Security sent Equifax an alert about a critical vulnerability in their software. Equifax then sent out an internal email requesting its IT department to fix the software, but “an individual did not ensure communication got to the right person to manually patch the application.”

The Equifax data breach was a failure in risk management. As a credit bureau that deals with the personally identifiable information (PII) of 200 million U.S. customers, Equifax has a legal and moral responsibility to safeguard their customers’ security, and to adopt the proper systems to do so.

For instance, if Equifax had an enterprise risk management (ERM) system in place, the warning from Homeland Security would have been properly recorded and assigned out to the appropriate personnel. This system would have provided transparency over the status of the task in progress, and would have triggered reminders until the vulnerability was patched and verified by the right subject matter expert.

A Point of No Return

It’s my opinion that this scandal is a point of no return for risk management. While data breaches have abounded in recent years, there has never been one of this magnitude or one that provides every piece of information hackers need to steal our identities. Of course, lawsuits and penalties are piling up around the company’s negligence, but these financial losses are nothing compared to the reputational damages Equifax will suffer—shares fell by 18% following the breach and have yet to fully recover.

What makes this scandal so unique, and therefore a point of no return, is that these reputational damages reach far beyond Equifax. Consumers can’t always choose whether they’re a customer of Equifax, but they can choose whether to do business with the institutions that gave away their information to Equifax in the first place.

I also believe that consumers’ outrage with this scandal will cause them to shift their money, loyalty, and trust to institutions that can demonstrate effective risk management. CEOs and boards of every company will have to prove their organizations have adequate enterprise risk management systems in place. They’ll find that more effective risk management and governance programs are necessary to keep their market shares up and their reputation clean.

Where to Go from Here

While this breach may appear to be an event of the distant past, we are in the eye of the storm. Stolen information can lie dormant for months or years while criminals wait to make their move. When they do, you will have either treated this period of calm as a chance to forget the scandal, and find yourself ill-prepared, or as a chance to get to higher ground, and find yourself fully protected.

To protect themselves, businesses must:

  • First, to determine where to focus your security resources, recognize that people, processes, and procedures are now the biggest risks. Businesses need to perform risk assessments across all departments to determine who has access to sensitive information and authentication processes, and what the business impact would be if these employees were to be impersonated.
  • Next, to address these risks, businesses must rewrite their procedures for authenticating the people involved in sensitive requests and actions both verbally and electronically. With so much PII now in the public domain, it is no longer safe to rely on traditional authentication based on these pieces of information. For example, the security question “What was your first car?” is not effective because the answer is now easily accessible. A more effective question would be “Who was your best friend in elementary school?”
  • Finally, it is important to keep your third-party vendors in mind. Vendors often have access to sensitive information and processes, which could have an enormous impact on your company. It is crucial, therefore, to extend your internal authentication procedures out to your third parties so that they are authorizing sensitive requests and actions as securely as your own organization.

Our world, including the business world, is becoming increasingly transparent, meaning it’s up to you to act with integrity and protect your stakeholders. Keeping the Equifax data breach in mind, along with enacting these tactical steps, will help you stay ahead of the competition and out of glaring social media headlines.

Awful but Lawful: Attorney Fee Provision Gone Bad

Companies that sign contracts, including renewals, without careful review could be in for an unpleasant surprise if the unexpected happens. For example, extra caution would have saved “Widget Corp.” a lot of money and time in its dispute with “Acme Inc.”

Here’s the scenario: Widget Corp. enters into a contract with Acme Inc. While Acme Inc. expects to earn more than a million dollars from the contract, Widget Corp. later closes its doors after selling most of its assets. Angered and disappointed, Acme Inc. decides to sue Widget Corp. over the contract even though it has a weak claim that Widget Corp. did anything wrong.

The risk is that, perhaps recognizing it will lose on its breach of contract claim, Acme Inc. points to a peculiar provision in the contract that, in a nutshell, requires Widget Corp. to pay Acme Inc.’s attorney fees—win or lose. (Can you guess which company drafted the contract?)

The result: At arbitration, a respected arbitrator hears arguments on the contract dispute and concludes that Widget Corp., in fact, had done nothing wrong and had not broken its contractual promises to Acme Inc. The arbitrator, nonetheless, required Widget Corp. to pay Acme Inc.’s attorney fees incurred in litigating the dispute—those fees exceeded $150,000.00.

Widget Corp.’s counsel raised a number of defenses:

  1. As a general rule, courts won’t interpret contract provisions in such a way that creates absurd or unreasonable results. Widget Corp.’s counsel argued that it would be absurd if Acme Inc. could sue Widget Corp., lose all of its arguments, but still collect attorney fees.
  2. Attorney fees aren’t typically awarded unless the side getting the attorney fees wins at least part of the dispute. This is so because courts view attorney fees as a form of damages, and if the other side did nothing wrong, then there is no damage to award—including attorney fees.
  3. An attorney fee award must be “reasonable.” Widget Corp.’s counsel argued that it is unreasonable to award any attorney fee whatsoever given that Acme Inc. lost the entire dispute.

The arbitrator found these arguments unpersuasive and enforced the contract as written. The contract said what it said, and at the end of the day Widget Corp. had signed it. As the arbitrator aptly quipped, the provision was “awful but lawful.”

Lessons:

  1. Companies must read contracts carefully to understand what they mean. Companies may be particularly tempted to sign without internal or legal review when renewing an annual or semi-annual contract; companies sometimes assume that the renewal contract will contain the identical language, and the companies do not want to spend additional time or money to review what has already been reviewed. Nothing guarantees that next year’s contract will match the current contract, however. Companies are thus wise to review even renewal contracts to ensure they understand the terms, exposure and risks.
  2. Get a second (and even third) set of eyes on the contract before signing. Companies would be prudent to devote even more resources to reviewing contracts that impose more liability. The rub is that companies often do not comprehend their contractual exposure until multiple people review the contract.
  3. Assume the worst when it comes to a particular, seemingly unreasonable contractual provision. In other words, assume the provision will be enforced as written. Reasonable minds can differ as to what constitutes a “reasonable” provision and it is foolhardy to assume that a court or arbitrator will disregard what parties agreed to—particularly when those parties are businesses.
  4. Remember, if a provision seems questionable in what it purports to do, it is easier to request that the other side remove the provision before you sign than to ask a court or arbitrator to ignore the provision despite your agreement. As Benjamin Franklin once advised fire-threatened Philadelphians, an ounce of prevention is worth a pound of cure.

RIMS Legislative Summit 2017: Focus on Flood

WASHINGTON—The RIMS Legislative Summit kicked off on Wednesday in Washington, D.C. with a panel led by Congressional office staff.

Panelists included: Democratic Staff in the U.S. House of Representatives; Jason Tuber, Senior Advisor to Senator Menendez (D-NJ); Ed Skala, Deputy Staff Director for the House Financial Services Committee; and Brandon Beall, Professional Staff Member, Office of Senate Committee on Banking, Housing and Urban Affairs; as well as Lisa Peto, chief counsel for the Financial Services Committee.

The focus was the once-again looming expiration of the National Flood Insurance Program (NFIP). The program was set to expire in September but was saved with a temporary extension, which is now set to expire again on Dec. 8.

The panelists, each of whom began with the disclaimer that these were their opinions and not the opinions of their office, reached a consensus that a new NFIP was critical and that a gap in coverage is certainly not ideal, and they acknowledged that their offices were working on a bipartisan resolution.

Some of the major concerns discussed were:

  • Funding—who will fund the NFIP? If the NFIP expires or ceases to exist would the burden fall on the taxpayer and then ultimately on government anyway? Should excess flood coverage be privatized? There was also discussion on whether mandating states to offer certain protections for flood exposure would help the situation.
  • Accessibility and Affordability—what measures must be included in the new bill to not only make sure flood insurance is available but that it is available at an affordable price?
  • Residential vs. Commercial—The idea was discussed as to whether there should ultimately be two versions of the NFIP that separate residential and small businesses from large commercial businesses. It was noted that large commercial businesses might have flood coverage elsewhere or are better funded to retain some risk and, as such, should have the opportunity to opt out. This would spur new challenges to determine what qualifies a business as small or large (i.e., an online enterprise that generates considerable revenue but operates out of someone’s basement).
  • Risk Mitigation—Should risk mitigation be a part of the final bill? Incentives for both the insurer and the insured would support organizations that practice good risk management. The argument was made, however, that not all residents and not all businesses have the funds for risk management. For example, not everyone has the money in the bank to raise the height of a house or storefront.

Jim McIntyre, RIMS Washington, D.C. counsel and chair of McIntyre & Lemon, stated, “It is probable that we’re looking at another extension come December. Unfortunately for the National Flood Insurance Program, bills regarding trade, healthcare and immigration will take precedence at the moment and [the NFIP] might have to wait a bit longer.”

On day two of the summit, about 50 RIMS members descended on Capitol Hill for meetings with congressional leaders. The goal was to share RIMS priorities for a long-term National Flood Insurance Program.

New Voluntary Hot Air Balloon Safety Program Announced

The Balloon Federation of America (BFA) has instituted a new safety accreditation for companies and pilots. The Envelope of Safety program is the result of the Federal Aviation Administration’s (FAA) year-long call to action to the commercial hot air balloon industry, issued in response to last year’s mid-air accident in Lockhart, Texas, which caused 16 fatalities.

The Envelope of Safety aims to raise the standards for commercial balloon operators and reduce the risk of injury or death leading up to and during a flight. The program is voluntary and aims to bolster consumer confidence by giving consumers the ability to select a ride company or pilot that meets the new flight worthiness certification. The Envelope of Safety’s mission is to ensure that companies and pilots carrying four or more passengers:

  • Are commercially certificated for 18 months
  • Accumulate a specified amount of flight experience
  • Hold a second-class medical certificate from the FAA

Additionally, pilots are required to pass a drug and alcohol background check, attend a BFA-sanctioned safety seminar in the 12 months before takeoff and be enrolled in the FAA WINGS pilot proficiency program.

The program features three levels of safety accreditation—Silver, Gold and Platinum—which detail stringent safety requirements for companies of all sizes. Those criteria include meeting pilot requirements, holding valid aircraft and commercial vehicle insurance and hosting a forum for passengers to rate the company.

While the FAA is not connected to the new program in an official capacity, it did applaud the BFA’s announcement on its own website and promoted it via social media. Following last year’s deadly incident in Texas, the agency was criticized for having previously rejected the National Transportation Safety Board’s (NTSB) recommendations for stricter safety oversight regarding commercial hot air balloon travel. That accident, in which a Heart Of Texas Hot Air Balloon Ride vessel crossed power lines, caught fire and plummeted 100 feet to the ground, is considered the worst of its kind in U.S. history.

The NTSB held a board meeting to examine the cause of the July 30, 2016 crash and found the accident attributable to the Heart Of Texas pilot’s pattern of poor decision making, which led to “the initial launch, continuing the flight in fog and above clouds and to descent near clouds that decreased the pilot’s ability to see and avoid obstacles.” The board believed the operator’s bad judgment may have been exacerbated by the many prescription drugs found in his blood, according to a toxicology report. The board stressed, however, that it did not believe the medications impaired the pilot’s ability to operate the balloon.

The NTSB recommended that the FAA review its policies based on the findings and, in particular, close a loophole that exempts balloon operators from holding the same second-class medical certification that other aviators must possess.

“Today’s recommendations, if acted upon, will bring the safety standards and oversight of commercial passenger carrying balloon operators closer to those that apply to [general aviation] pilots,” said NTSB Chairman Robert L. Sumwalt.

According to the FAA, 413 people died in 219 general aviation accidents in 2016, with inflight loss of control—mainly stalls—accounting for the largest number of fatal accidents.

Visit the BFA’s site or the FAA’s endorsement for more information regarding the Envelope of Safety.