It looks like it’s going to keep getting worse for Equifax before it gets better. Monday brought news that the company was facing a criminal probe from U.S. prosecutors in Atlanta, in conjunction with the Securities and Exchange Commission, over executives who sold stock after the breach was discovered.
Making matters worse, Bloomberg, which first reported the probe, also reported that Equifax was hacked in March in a separate incident months before the massive breach that exposed the personal information of 143 million Americans.
At the same time, the company is enduring new complications from U.S. lawmakers and state authorities. Rep. Jim Langevin introduced legislation on Monday to create a national data breach notification standard. “Equifax has done a terrible job communicating about the breach to date, and this legislation will ensure that any future such breach has a single standard and one federal regulator to help get actionable information to consumers quickly,” said Langevin, co-chair of the Congressional Cybersecurity Caucus, in a statement. New York is also going after credit reporting bureaus. Cory reports: “Gov. Andrew Cuomo wants to apply New York’s stringent cyber rules for the banking industry to credit reporting agencies in the wake of the massive Equifax data breach.” And Connecticut’s attorney general is unhappy that Equifax is still charging victims for some services.
HAPPY TUESDAY and welcome to Morning Cybersecurity! Your regular MC host is back from vacation in South Carolina with his longest-known friends, which meant plenty of jaw-wagging. The Queen Elizabeth II quote on this holds: “Families, friends and communities often find a source of courage rising up from within.” Send your thoughts, feedback and especially tips to firstname.lastname@example.org and be sure to follow @timstarks, @POLITICOPro, and @MorningCybersec, but full team info below.
SENATE PASSES DEFENSE POLICY BILL — The Senate easily passed its version of the annual defense policy bill (H.R. 2810) on Monday by an 89-8 vote. The upper chamber’s version of the National Defense Authorization Act for the 2018 fiscal year now goes to conference negotiations with the House. The nearly $700 billion policy roadmap includes a government-wide prohibition on using tools made by Russian cybersecurity firm Kaspersky Labs. The ban — added to the initial bill by Sen. Jeanne Shaheen — would codify last week’s directive from the Homeland Security Department to remove Kaspersky’s products from civilian agencies and extend it to military networks. Meanwhile, an amendment from Sen. Cory Gardner to the annual bill would block telecommunications companies that enable North Korea’s cyberattacks from working with the Pentagon. And a Sen. Marco Rubio add-on would mandate a report on the Pentagon’s cyber training shortcomings. Other last-minute additions include a bipartisan amendment to expand a DoD scholarship fund for cybersecurity; a provision requiring the military to better meet demand for reserve cyber positions; and language requesting a report on how blockchain technology can be used to digitally attack and defend.
The massive policy bill also includes language crafted by Senate Armed Services Committee Chairman John McCain to establish the country’s first-ever cyber warfare policy. The strategy would dictate that the U.S. should employ all tools of national power, including offensive digital weapons, to deter and respond to cyberattacks that aim to cause casualties, threaten infrastructure or disrupt normal business. The Trump administration has objected to the clause.