Equifax data breach: consumers and companies at risk

By now almost everyone has read or heard about the massive data breach at Equifax, one of the three large credit reporting companies.  According to news reports, 143 million Americans have had sensitive personal information stolen, including names, addresses, Social Security numbers, and birthdates.  This information enables a criminal to steal the identity of an individual and apply for credit cards or loans, file fraudulent tax returns, and commit other bad acts in the name of the individual.

How did the breach happen?

According to news reports, hackers were able to get into Equifax by exploiting a flaw in software that Equifax used for an online portal where consumers could dispute errors in their credit reports. The creator of that software, the Apache Software Foundation, says it issued a fix for the flaw in March, right after it was discovered, but claims Equifax failed to install it.  Apparently, starting in May the hackers were in Equifax’s system for six weeks before Equifax discovered the breach in late July and shut it down.

It took more than a month after Equifax discovered the breach to announce it publicly.  Presumably, the company had an incident response plan in place, setting out how to deal with such a breach.  In addition, the company brought in an outside cyber investigation company to determine the extent of the breach and the data compromised.

Risks to consumers from Equifax data breach

On a personal level, there has been a lot of advice, not all of it clear or helpful, on how a person can protect their credit after this breach.  Equifax has offered free credit monitoring for a year, but has been criticized for its public response. Other experts have advised placing a “freeze” on accounts with all three of the credit reporting companies, so that no one, including identity thieves, can have a credit check done on your information to get credit.  The Federal Trade Commission, which acts to protect consumers, has also published advice on what steps consumers can take.

Potential consequences to Equifax from breach

In addition to the risks to consumers from this breach, Equifax as a corporation is facing a long list of potential consequences, most of which could be very costly, running into the millions of dollars.  These include:

  • The Federal Trade Commission and the Consumer Financial Protection Bureau have opened investigations into whether Equifax violated its obligations concerning protection of consumer information
  • Several Congressional committees have called for hearings
  • The Massachusetts attorney general filed a lawsuit alleging Equifax violated that state’s consumer protection and data-privacy laws, and attorneys general in other states have asked the company for information about the breach and its response
  • Over 300 private consumer lawsuits have been filed since Equifax disclosed the hack, claiming violations of the federal Fair Credit Reporting Act’s data privacy requirements
  • Cost of offering free credit monitoring services to millions of consumers

More information will certainly come out in the future about how well prepared Equifax was to resist a cyberattack, and how it responded internally. Companies of every size are vulnerable to cyberattacks, not just large companies like Equifax, Target, Home Depot, and others that have suffered breaches in recent years.  Equifax is a very large company, with tremendous resources to devote to data security, but small and mid-sized companies can take reasonable, cost-efficient steps to reduce the chances of a cyberattack and be prepared to respond if one does occur.

If you would like more information on how to protect your company against a cyberattack, please contact me at mark@spitzlegalcounsel.com or 720-575-0440.