Don’t blame Richard Smith for the Equifax breach. Smith, the former CEO of Equifax, told a Senate panel last week that a single employee at Equifax was responsible, having failed to install the patch for the vulnerability used to gain access to Equifax’s systems. He also threw shade on the vulnerable software, Apache Struts, and on the unnamed scanning tool Equifax uses to search for vulnerabilities.
Equifax clearly does not want to be seen as an evil company that practiced corporate malfeasance by showing little to no regard for the security of the data it collected and sold on millions of Americans. Instead, Equifax would like to be viewed as a victim of malicious cyber actors. Equifax is now hinting that it was targeted by nation-state actors, suggesting that it is somehow blameless because, well, who can stop the Chinese?
It’s a powerful argument. It’s also morally repugnant and bad policy. No one should blame individual victims of crimes. However, when companies like Equifax try to drum up sympathy by portraying themselves as the victim, we should all be extremely suspicious. No one in corporate America should be surprised any longer that connecting their systems to the internet puts the data they hold at risk. All companies should recognize that protecting the data they hold is their responsibility.
To put aside the moralizing, let’s not talk about who to blame but about who should be held liable and how. Equifax will, of course, try to avoid full liability for the harm caused by the breach. By its reasoning, the people who should be held liable are the criminals who stole the data. No one will disagree with that, but doing so will do little good.
Yes, attribution has gotten better, and whoever stole this data may have their next trip abroad interrupted by the Secret Service in an airport lounge. But more likely than not, the perpetrators of this crime will never see the inside of a U.S. courtroom. If they do, they won’t be able to return the data or compensate the victims. And criminal deterrence is a myth. Arresting these guys is not going to dissuade the next bunch of over-confident criminal hackers in some far-off country from thinking they can go after U.S. companies with impunity.
If criminals can’t be held liable, or if holding them liable will not stop future breaches, there need to be other ways to hold Equifax and other companies liable. If not, it’s the individual victims (you, me, all of us) who will be left holding the bag, even though none of us ever asked Equifax to hold our data.
Ultimately, the question of liability should not be about assigning blame, but about how liability can be used to produce positive outcomes. First-year law students, and anyone in the cyber community who has been listening to Senator Whitehouse, will be familiar with the case of Escola v. Coca Cola Bottling Co. of Fresno.
In this case, a soda bottle exploded, injuring the hand of Gladys Escola. As Senator Whitehouse explains, the case made “the bottler responsible for the exploding bottle, to create the incentive not to make exploding bottles.” Quoting Justice Traynor, who wrote the concurring opinion that establishes this principle, “public policy demands that responsibility be fixed wherever it will most effectively reduce the hazards.”
Fixing responsibility in China or Ukraine or wherever the hackers who carried out the attack on Equifax happen to be will not effectively reduce the hazard of future such attacks. Making IT guys liable for failing to patch would lead to an exodus from the industry. You can’t hold an open source community responsible (and I have given up on software liability). But you can hold corporations responsible, and doing so will create the right incentives for security, whether they are innocent victims or negligent actors deserving of blame.