Most cybersecurity experts now agree that organizations should be planning incident response strategies for when, not if, their companies experience data breaches.

Credit reporting agency Equifax learned this lesson the hard way when it was hit by a cyberattack that exposed addresses, Social Security numbers and financial information for 134 million customers. Equifax is the latest in a line of breaches at large companies, following major incidents at Wells Fargo and Yahoo, among others, in the last year.

In the current cybersecurity threat landscape where breaches are all but guaranteed, companies often fall short of the regulatory standards set forth for data security. Regardless, regulators don't seem to be letting up.

The government's privacy pressure

Although cybersecurity's regulatory landscape has perhaps not kept pace with the rate of data collection and hacker exploits, it has certainly expanded over the last few years at both the federal and local levels. These emerging regulations keep information governance staff on their toes. Specifically to Equifax, the Fair Credit Reporting Act of 1970 (FCRA) and its amendments in the Fair and Accurate Credit Transactions Act of 2003 (FACTA) were instituted at the federal level to ensure that third-party credit bureaus can use and retain consumer information.

Steve Rubin, head of the cybersecurity practice at Moritt Hock & Hamroff, expects that both will likely prove problematic for Equifax. "Those were both enacted to deal with companies like Equifax," Rubin said.

Although Equifax may have taken all reasonable steps to secure its data, it's often not possible to be one step ahead of cyberattacks. Nevertheless, Rubin said that the sensitivity of information at many companies like Equifax at this point is likely a stronger factor than how hard the company may have tried to secure that information. "They had to do what they needed to do. That all said, you can't be hack-proof. It's possible at the end of the day they did take all reasonable measures," Rubin said.

"Settlements will occur well before they find out if [Equifax] took reasonable measures. They had to take fairly extraordinary measures to protect the data; I don't know if they did that," Rubin added.

Karen Hornbeck, senior manager at Consilio, further explained that if companies are going to retain highly sensitive consumer information, especially identifying information that cannot readily be changed, data handling processes set forth by regulators are a reality that companies will need to deal with.

"Companies have to start doing more from the technical and the people aspect, or they can only expect more and more regulation to start coming down the pipe. It's one or the other. If companies don't start doing it themselves, then the government is going to have to," Hornbeck said.

State notification & remediation policies

In fact, the inevitability of cyberattack is prompting legislators at the state level to step up data breach notification and remediation policy in their states. "I think we're going to see more and more states at the state level come out with regulations for companies that do business in their state and for issues that impact residents of their states. This is just going to spur it on more and more," Hornbeck said.

While the Equifax hack can be attributed to external hackers, oftentimes data breaches are caused by internal mishaps. Wells Fargo's recent data breach, which exposed financial information for over 50,000 of the bank's customers, was the result of an attorney unintentionally handing over highly sensitive client financial information to another litigator.

Regulators, however, don't differentiate in how they apply these mandates to data breaches caused by malicious hackers and those caused by human error. "The human component is just as important as the tech component," Rubin said, adding that he didn't anticipate regulators would apply policy any differently based on the type of breach. Wells Fargo's recent breach drew scrutiny from the Financial Industry Regulatory Authority.

Planning for disaster

Regulatory scrutiny around FCRA and FACTA paired with the high likelihood of a data breach make incident response a key piece of a company's success following a data breach. Equifax's response showed strength in some places, but significant weaknesses in others.

Shortly after Equifax notified consumers of the data breach, the credit bureau launched a website, EquifaxSecurity2017.com, to help users assess whether their information had been leaked in the data breach and sign up for one year of free identity theft protection and credit file monitoring.

Equifax may have created new problems for itself, however, in the form of an arbitration clause and class action waiver the company included in the tool's terms of agreement. While Equifax included a note in its Frequently Asked Questions section that the arbitration clause does not apply to the cybersecurity incident, swift and furious backlash from consumers forced the company to make a formal announcement on the website that use of its service does not require that users waive their rights to class action litigation.

Hornbeck said that while the company did a great job of putting together and publicizing the impact check website quickly, she found Equifax's decision to quietly include the language in its terms of agreement "interesting."

'It's a mess'

"It's a mess to be honest, from the corporate perspective, from the response perspective," Hornbeck said of the arbitration clause and its respective backlash.

Rubin added that the arbitration clause would likely be difficult to enforce. The credit bureau is already obligated to provide free credit monitoring in the event of such a breach under a number of state laws. Rubin pointed specifically to Connecticut's data breach amendments, which call for businesses to offer one year of free identity-theft protection service, meaning that Equifax would be obligated to provide this service regardless of whether or not consumers opted to forgo their right to form a class. "There's no exchange there," Rubin explained.

Further complicating matters, Equifax has also drawn public scrutiny and litigation from allegations that three company executives sold $1.8 million worth of stock before notifying customers of the data breach.

Hornbeck said that a big way that companies can learn from these mistakes is by bolstering their incident response planning. While it's now more common practice to set up a formalized plan, Hornbeck noted that many organizations fail to drill their testing procedures, leaving them susceptible to unanticipated problems.

"It is absolutely not enough to just have an incident response plan written down. You have to test that thing; you have to be sure it's been developed and documented in such a way that it's as airtight as it can possibly be," she said.

This means, ideally, making sure that issues never arise. Regular penetration testing and third-party assessments can help organizations figure out how to begin addressing potential issues, including human error.

Quality control checklist

Andy Wilson, CEO and founder of Logikcull, said that for organizations that use third-party vendors (the attorney in the Wells Fargo breach attributed the data leakage to one), thinking through how to apply incident response standards outward to those vendors is worth considering.

"I would demand to see what their quality control checklist was. If you're going to use a human vendor, I would demand to see the checklist completed prior to the shipment of production. You don't want to ship something before it's ready," he explained.

For Wells Fargo, some of the human error could have also come from confusing user interface design, something that could have potentially been avoided with a workflow assessment. "Most people don't have enough time to evaluate their own workflow and look for new tools," Wilson added.

Although keeping pace with potential hackers and leaks can seem like a truly Sisyphean task given the current complexity of cybersecurity work today, the need to protect sensitive client data is worth the fight. In the eyes of regulators, it absolutely has to be.

"We are where we are. For whatever reason we're not keeping up with the bad guys. States are going to do what they feel is correct to protect their residents," Hornbeck said.

Gabrielle Orum Hernandez ([email protected]) is a staff legal reporter for ALM Media and Law.com.