Equifax's security failures leading to this breach were serious. Equifax failed to respond to a known vulnerability for over 3 months (whereas the information security team required patches to be applied within 48 hours). The technical and security-focused postmortems will continue and there is of course a lot for Boards and security teams to learn.
However, there are a couple (at least!) of other equally salutary lessons here for businesses with strategically valuable datasets.
For example, the FTC has commented that "companies that profit from personal information have an extra responsibility to protect and secure that data" (my emphasis). There's a reasonable argument that almost all modern businesses "profit from personal information" to some extent, but nonetheless this is a clear signal that many businesses will need to 'raise the bar' in terms of their approach to and investment in data security.
Secondly, the Director of the Consumer Financial Protection Bureau has also been quoted as saying that Equifax engaged in "unfair and deceptive practices" and "broke the law before and after the breach". We frequently have this very same conversation with clients: what you do after a breach counts. It is unfortunately all too easy to generate more risk (for the affected data subjects and the business) through inappropriate or ill-informed conduct in the hours, days, weeks and months following a data breach.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said the FTC chairman, Joe Simons.