Copyright © 2017 Albuquerque Journal
New Mexico Credit Union Association CEO Paul Stull is rallying the state’s credit unions into action to aggressively push for federal standards to protect consumers against cyber crime following credit-reporting company Equifax Inc.’s announcement Thursday of a potentially massive breach of its data systems.
Stull said the breach, which could impact about 143 million U.S. consumers, was a disaster waiting to happen, because of the lack of federal laws to force adequate cyber protection by firms like Equifax.
Worse, he said, the company waited 41 days to notify the public, and before doing so, three executives sold a combined $1.8 million in stock. Equifax has said the executives in question did not know about the breach before the stock sales.
“Congress has failed the American public, and, today, 143 million people are going to pay the price,” Stull said in a statement.
The New Mexico Attorney General’s Office says it is investigating the Equifax breach.
“We are investigating the breach, including allegations of using delay tactics to sell stocks and not comply with other regulations and laws,” said AG spokesman James Hallinan. “Attorney General Hector Balderas will take all steps within our power to investigate and pursue remedies for impacted New Mexicans. However, we cannot share the details of any such investigation at this time.”
Stull will lead a delegation of local credit union executives to Washington, D.C., later this month to press New Mexico’s congressional representatives to push for federal legislation that imposes uniform, nationwide standards for cybersecurity and public disclosure of data breaches by companies.
“We must take action on setting standards and laws,” Stull said. “We will speak up and speak out to be heard on this issue.”
Impact on NM
The Equifax breach is smaller than other incidents of cyber theft in recent years in terms of total number of people affected. But given the broad access hackers gained to sensitive personal information – including customers’ names, Social Security numbers, birth dates, addresses and, in some cases, driver’s licenses – the damage to consumers could be immense.
That information could potentially be used by criminals to not just access current bank accounts, but to take out new loans or credit cards. Stull called it “breathtaking” in scope.
Although it’s unclear how many New Mexico consumers may be directly affected, with one-half of the U.S. population’s data at stake, it’s fair to assume about one-half of the local population will be affected as well, Stull said.
“It’s safe to say more New Mexicans than not will be impacted,” he said.
Credit unions and other financial institutions have pushed for years for federal cybersecurity standards that clearly delineate responsibilities for companies that manage consumer data. But to date, only state-level laws exist.
A new data breach notification act took effect in New Mexico last April after the state Legislature approved it in this year’s session and Gov. Susana Martinez signed it into law.
The act mandates “reasonable” security measures by organizations that manage personal data, with public notification of data breaches required within 45 days after being discovered.
Only two states, Alabama and North Dakota, have not enacted data breach notification laws. But the standards vary widely among states, with some requiring public notification within 25 days of a breach, said Michael Barrio, spokesman for the public relations firm Leverage Point, which represents the New Mexico Credit Union Association.
“For us, Equifax shows the critical need for uniform standards through federal statutes that must be adhered to by everyone,” Barrio said.
Other countries impose much stricter mandates.
“In the European Union, data breach standards require notification in just 72 hours,” Stull said. “Equifax took 41 days, and we still don’t know the full impact of what happened.”
National and local banking associations also want clear federal standards and mandates. The American Banking Association, for example, has made cybersecurity legislation one of its key priorities, said New Mexico Banking Association Vice President John Anderson.
“We do need good, stiff federal regulations, not just state legislation, because these are interstate commerce issues,” Anderson said.
But it’s questionable whether federal standards will change the vulnerability of data management institutions given the rapidly evolving sophistication of cyber criminals.
“With technology moving as fast as it does in today’s world of hackers, new cyber security protections can become antiquated almost as soon as it’s out of the box,” Anderson said. “It seems almost like Jell-O where you stomp down in one place and it pops up elsewhere. It’s very hard to keep up.”
But with data management growing exponentially, cybersecurity experts say uniform federal standards are important to ensure adequate protection by all firms large and small.
“We want everyone to be self-vigilant and self-governing and to uphold their fiduciary responsibilities, but when that doesn’t work, we absolutely need regulations to enforce it,” said Srinivas Mukkamala, co-founder and CEO of the Albuquerque-based cybersecurity firm RiskSense. “The government must define the responsibilities of companies, not just to their shareholders, but to the public.”