Question

Using the Equifax Data Breach, please explain in a few paragraphs what regulations or laws that would have been applicable. Also include a discussion of what penalties were or could have been assessed as a result of the incident.

For example, if your incident involved a health insurer with a data breach, HIPAA (medical info), PCI (payment info), and state breach notification regulations might all be applicable.

Will give thumbs up if good!

Answer 1

Equifax Inc. is a consumer credit reporting agency. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide.

The theft of an estimated 143 million Americans’ personal details in the breach of consumer-credit reporting agency Equifax and the Russian hack of the U.S.

They were partly possible because our personal data has no legal protections. Though the U.S. Constitution provides Americans with privacy rights and freedoms, it doesn’t protect us from modern-day scavengers who obtain information about us and use it against us. Our privacy laws were designed many years ago and are badly in need of modernization. Much damage has already been done to our finances, privacy, and democracy — but worse lies ahead.

The FTC can possibly fix this problem by requiring data brokers to provide industrial-strength security. University of California at Berkeley law professor Pamela Samuelson says the FTC has “statutory authority to regulate unfair and deceptive practices can act on that authority by initiating claims against those who fail to maintain adequate security.”

Equifax’s handling of the breach investigation and response has spurred numerous states to enact new or amended data security laws and regulations,

These emerging standards around breach notification have gotten legal departments’ attention, particularly around issues of timing, Most, if not all, of the newly enacted laws and regulations establish express timeframes for notifying affected individuals and regulators of a data breach.

And there have also been attempts to create broader cybersecurity frameworks through federal legislation. Some of these have been revived in the last 12 months after the Equifax incident.

As with HIPAA, they have capitalized certain GDPR-defined terms below. GDPR is comprised of 99 articles set forth in 11 chapters, and 173 “Recitals” explain the rationales for adoption. Similar to the way regulatory preambles and guidance published by the U.S. Department of Health and Human Services (HHS) can be helpful to understanding HIPAA compliance, the Recitals offer insight into GDPR applicability and scope.

Under Article 3, GDPR applies:

(1) To the Processing of Personal Data in the context of the activities of an establishment of a Controller or Processor in the EU, regardless of whether the Processing takes place in the EU;

(2) To the Processing of Personal Data of data subjects who are in the EU by a Controller or Processor not established in the EU, where the Processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or

(b) the monitoring of their behavior as far as their behavior takes place within the EU; and

(3) To the Processing of Personal Data by a Controller not established in the EU, but in a place where EU member state law applies by virtue of public international law.

The Genetic Information Nondiscrimination Act of 2008 prohibits the use of genetic information in health insurance and employment. But it provides no protection from discrimination in such matters as long-term care, disability, housing, and life insurance, and it places few limits on commercial use. There are no laws to stop companies from using aggregated genomic data in the same way lending companies and employers use social media data, or to prevent marketers from targeting ads at people with genetic defects.