On September 7, 2017, Equifax reported that it had experienced a data breach potentially affecting 143 million consumers in the United States. Equifax is one of the three major credit reporting agencies (sometimes referred to as credit bureaus) that compile financial data about U.S. consumers. The Equifax data breach is unusual because, unlike many other high-profile data breaches, the personal information Equifax held was not customer data. Rather, the information was largely developed—without the consent of the consumers themselves—as a product for Equifax to sell to banks and other clients in need of information about consumers’ creditworthiness.
The data breach resulted from the exploitation of a vulnerability in a widely used piece of software known as Apache Struts. Apache Struts’ producer announced the existence of the vulnerability on March 7, 2017, and made a patch available to eliminate the vulnerability.
Equifax failed to install the patch, however, and an unknown hacker or hackers exploited the vulnerability to learn the names, Social Security numbers, birth dates, addresses, and, in some cases, driver’s license numbers from Equifax’s systems. This unauthorized access occurred from mid-May 2017 through July 2017, but Equifax did not discover it until July 29, 2017. Equifax reports that it “acted immediately to stop the intrusion,” reported the incident to law enforcement, and retained a cybersecurity firm to “determine the scope of the intrusion.” Equifax’s delay in installing the patch remains unexplained. Nevertheless, the data breach appears to have prompted the retirements of Equifax’s Chief Executive Officer, Chief Information Officer, and Chief Security Officer.
Equifax has been roundly criticized for its response to the data breach. Although it learned of the breach on July 29, 2017, it did not announce it to the public until September 7, 2017. Equifax’s apparent lack of promptness raises concerns that its data breach notification may have come too late to enable consumers to take action to protect themselves. In addition, although Equifax established a website to allow consumers to determine if they are potentially affected by the data breach and to offer one year of free identity theft protection and credit report monitoring, the service that Equifax provides is one provided by Equifax itself. This has caused concern among some affected persons that they are being asked to trust Equifax to help them protect their financial identity even after Equifax demonstrated serious problems with its information security preparedness and response. Consumers have also reported significant difficulties using the website Equifax set up to help them determine if they were affected and to access Equifax’s remedial services. This suggests that Equifax was shockingly apathetic in its security planning and data breach response preparation.
Precautions for those affected
As a legal matter, consumers may be surprised to learn that companies that experience a data breach are not automatically liable for any financial fraud or other harm resulting from the breach. Although there are laws in most states, including Wyoming, that require companies to inform consumers of data breaches involving their personal information, these laws do not require the companies to provide any compensation or to provide the kind of identity theft and credit report monitoring services that Equifax has volunteered to provide. And, because it is generally very difficult for affected individuals to obtain persuasive evidence that a particular fraudulent financial transaction or fraudulently opened financial account was a direct consequence of a particular data breach, consumers often lack any meaningful legal remedy for either the cost and inconvenience of being vigilant for fraud in the wake of a data breach, or even the value of the fraud itself. The good news for consumers is that credit card companies have rules that restrict financial institutions from requiring consumers to promptly report fraudulent charges.
Generally, the best practice for affected persons is to monitor their credit files either by obtaining free credit reports from the major credit reporting agencies or by using a service (such as the one provided by Equifax) that monitors the person’s credit files for significant changes.
Affected persons can also place fraud alerts or security freezes on their credit report files. A fraud alert warns potential creditors that they need to verify the identity of the consumer before extending credit to the consumer. A consumer may institute a fraud alert by contacting any one of the major credit reporting agencies, which will notify the other major agencies.
A security freeze prohibits the credit reporting agency from releasing the consumer’s credit file to new creditors without prior written authorization. Although security freezes may be prudent precautions, they can sometimes delay or otherwise interfere with the affected person’s requests for credit, employment, or even housing. The credit reporting agencies are allowed to charge for this service and each agency must be contacted separately.
In addition, consumers should monitor their existing accounts for unauthorized transactions.
Cautionary tale for business
Equifax’s data breach is also a potent cautionary tale for businesses. Nearly every business collects at least some financial or other personal information about its customers and its employees.
Businesses need to make sure they have a meaningful information security plan that ensures critical security precautions—like installing security patches for hardware and software—are in place to prevent data breaches. It is stunning that a significant proportion of security breaches result from vulnerabilities, such as unpatched hardware or software or the use of default passwords on computers and other devices, that could be eliminated at minimal cost.
A security plan should also include consideration for how to communicate a data breach to those affected and the public, how to minimize legal liability stemming from the investigation and disclosure of the breach, and the procedures and contact information for technology professionals to promptly begin their investigation.
Dustin Berger is an attorney at Holland & Hart who focuses on workplace technology, high-tech workforces, and information security. He can be reached at firstname.lastname@example.org.