Equifax, one of the three nationwide credit bureaus that track and rate the financial history of consumers, announced in September that it had suffered a data breach exposing personal information of up to 143 million Americans. The personal information of individuals in the United Kingdom and Canada was also involved in the breach. Below we lay out the three most important steps companies are taking in response to the breach and provide six additional common practices that companies are embracing to further enhance their cyber detection, response and mitigation.
According to Equifax, between mid-May and July 2017, cybercriminals exploited a web application vulnerability—specifically Apache Struts CVE-2017-5638—to gain access to its network. Once in Equifax’s network, hackers were able to access information, such as names, social security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Although a patch had been available for the vulnerability on March 7, 2017, Equifax had not applied it before discovering the breach on July 29, 2017. The incident underscores how critical it is for companies to update their software with the latest patches so as to prevent hackers from exploiting known vulnerabilities to access their networks.
Who was compromised?
- Credit card information for approximately 209,000 American consumers
- Personal identifying information for approximately 182,000 American consumers.
Do Companies That Have Used Equifax Need to Notify Customers of the Data Breach?
In the wake of the Equifax breach, companies that have used its service to provide reports for credit-related decisions or background checks for employment purposes have raised questions about their obligations to applicants and consumers. Specifically, companies are left to ponder whether they are obligated to notify their customers and/or employees about the breach and whether they face any liability as a result of the breach.
While each company’s obligations will depend on the specific nature of its relationship with Equifax, in most cases, companies that have used Equifax’s credit reports will not have an independent obligation to notify potentially affected individuals of the breach. However, 48 states, the District of Columbia and certain American territories have data breach notification laws that require businesses that own, license or maintain certain personal information, including social security and driver’s license numbers, to notify affected individuals when that information is acquired by an unauthorized party.
In some cases where a company collects and provides personal information to a vendor for processing and use by the vendor, the company may face potential liability in the event of a vendor breach. That is not the case with how most companies use Equifax. Equifax owns and maintains the personal information that it uses for its credit reports and background checks. Moreover, as a practical matter, Equifax has assumed the legal responsibility relating to the breach by notifying the affected individuals and relevant regulators and providing identity theft protection services.
3 Steps Leading Companies are Immediately Taking in Wake of Equifax Breach
The Equifax breach highlights the potentially high costs of data security incidents and the corresponding need for companies to adopt rigorous cybersecurity policies. In response, many leading companies are taking the following key precautions:
- Preparing Q&A Script to Be Ready to Answer Customer Inquiries. Many companies who issue credit, make loans and/or otherwise access and/or rely on credit reports have been preparing brief statements and Q&A scripts for customers who contact their company through call centers or websites describing the company’s relationship with Equifax and the impact of the breach on their company and customers.
- Developing Training on Dealing with Credit Freezes. Many individuals are filing credit freezes in the wake of the Equifax breach. Where relevant for their business, to help customers and minimize business impact, some companies are implementing training for online developers, sales associates and HR personnel for responding to and dealing with individuals who are subject to a credit freeze.
- Reviewing and Updating Red Flags of Identity Theft. If the Equifax compromised information is misused, there may be a rise in fraudulent credit applications, attempted bank account takeovers and online/offline fraud. To better identify and respond to suspicious activity, many companies have been reviewing and updating their “red flags” potentially indicating financial and medical identify theft and enhanced monitoring of customer and company transactions for unusual, unexpected or otherwise anomalous activity.
Additional Preventive Measures Companies Should Take to Enhance Cyber Capabilities
- Insider Trading: Develop internal guidelines and policies for trading by insiders during a breach or other data security incident.
- Incident Response: Develop, update and test your incident response plan on a quarterly basis.
- Vulnerability Management: Conduct vulnerability scans and penetration testing on a quarterly basis.
- Access Control: Restrict access to sensitive personal or confidential information to only those individuals who need such access to perform their duties.
- Vendor Due Diligence: Conduct thorough diligence on the cybersecurity practices and procedures of vendors.
- Contracting: Include provisions in your vendor agreements requiring them to notify you of a data breach, provide you all relevant information, notify affected individuals, indemnify you for any third party claims arising from the breach, maintain adequate cyber insurance, and return or destroy your company’s data at the end of the engagement.
Please reach out to James Koenig, Tyler G. Newby, Hanley Chew and Kenia Rincon with concerns related to privacy and cybersecurity.