Equifax, one of the three nationwide credit bureaus that track and rate the financial history of consumers, announced in September that it had suffered a data breach exposing personal information of up to 143 million Americans. The personal information of individuals in the United Kingdom and Canada was also involved in the breach. Below we lay out the three most important steps companies are taking in response to the breach and provide six additional common practices that companies are embracing to further enhance their cyber detection, response and mitigation.
According to Equifax, between mid-May and July 2017, cybercriminals exploited a web application vulnerability—specifically Apache Struts CVE-2017-5638—to gain access to its network. Once in Equifax’s network, hackers were able to access information, such as names, social security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Although a patch had been available for the vulnerability on March 7, 2017, Equifax had not applied it before discovering the breach on July 29, 2017. The incident underscores how critical it is for companies to update their software with the latest patches so as to prevent hackers from exploiting known vulnerabilities to access their networks.
In the wake of the Equifax breach, companies that have used its service to provide reports for credit-related decisions or background checks for employment purposes have raised questions about their obligations to applicants and consumers. Specifically, companies are left to ponder whether they are obligated to notify their customers and/or employees about the breach and whether they face any liability as a result of the breach.
While each company’s obligations will depend on the specific nature of its relationship with Equifax, in most cases, companies that have used Equifax’s credit reports will not have an independent obligation to notify potentially affected individuals of the breach. However, 48 states, the District of Columbia and certain American territories have data breach notification laws that require businesses that own, license or maintain certain personal information, including social security and driver’s license numbers, to notify affected individuals when that information is acquired by an unauthorized party.
In some cases where a company collects and provides personal information to a vendor for processing and use by the vendor, the company may face potential liability in the event of a vendor breach. That is not the case with how most companies use Equifax. Equifax owns and maintains the personal information that it uses for its credit reports and background checks. Moreover, as a practical matter, Equifax has assumed the legal responsibility relating to the breach by notifying the affected individuals and relevant regulators and providing identity theft protection services.
The Equifax breach highlights the potentially high costs of data security incidents and the corresponding need for companies to adopt rigorous cybersecurity policies. In response, many leading companies are taking the following key precautions:
Please reach out to James Koenig, Tyler G. Newby, Hanley Chew and Kenia Rincon with concerns related to privacy and cybersecurity.