Equifax Data Breach and its Consequences

On September 7, 2017, Equifax Inc. announced a cybersecurity incident that the company estimated would affect approximately 143 million U.S. consumers. Equifax disclosed that attackers had exploited a vulnerability in a U.S. website application to gain access to certain files. Equifax's initial disclosure stated that, based on the company's initial investigation, the unauthorized access occurred from mid-May through July 2017.

Equifax stated that the information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers were accessed. The company stated that, to a more limited degree, hackers gained unauthorized access to certain information related to UK and Canadian residents.

The unauthorized access apparently was made possible by a flaw in a framework used to build Web applications, and Equifax admitted it had been aware of the flaw for two months before the attackers gained access. The framework, Apache Struts, is used by many large businesses and government organizations. Equifax used it to run its online dispute portal, the Web site where consumers log disputes about their individual credit reports.

According to Equifax, US-CERT, a cybersecurity division of the U.S. Department of Homeland Security, notified the company of the Apache Struts flaw in March 2017, shortly after the flaw was publicly disclosed. In a statement, Equifax said that its security department took actions to identify and patch vulnerable systems; however, the dispute portal was not patched, and attackers were later able to exploit the flaw.

Equifax has been criticized both for failing to fully correct the flaw in a timely manner and for waiting more than a month after discovering the breach before alerting consumers.

In an effort to address the potential impact on consumers, Equifax offered a year of free credit monitoring. However, the initial offer required consumers to provide additional personal information to Equifax, gave unclear information as to whether a given consumer's data had actually been compromised, and automatically enrolled consumers in the paid credit monitoring service at the end of the free year.

Additionally, the initial free credit monitoring offer included an arbitration agreement that would have prevented consumers who accepted the free service from pursuing class-action cases against the company. Equifax received significant criticism for including the arbitration clause, which has since been removed. This criticism comes at a time when Congress is considering action, under the Congressional Review Act, to nullify the Consumer Financial Protection Bureau's recently issued Arbitration Rule, which would bar financial companies from using mandatory arbitration clauses to block consumer class actions. U.S. House Republicans passed a resolution to overturn the rule in July, and Senate Republicans are attempting similar action. However, following Equifax's initial attempt to insert an arbitration clause into its consumer assistance program, it is unclear whether sufficient votes exist in the Senate to nullify the rule.

Because of the breadth of personal information exposed in this breach, experts warn of a heightened risk of fraudulent account openings at a time when banks and other financial firms are increasingly allowing customers to open new accounts rapidly on mobile devices. These experts advise financial firms to closely evaluate their account-opening and identity verification processes in light of the breach, since the data points traditionally used to verify a customer's identity (name, Social Security number, date of birth and address) can no longer be assumed to be known only to that customer.

Experts further warn banks that, in many instances, they themselves are providing nonpublic customer information to the credit reporting agencies. This situation underscores the need for heightened due diligence by banks in dealing with these third-party vendors. These experts advise banks to determine what legal agreements exist with both the credit bureaus and their own customers regarding liability in the event of a breach.

Federal bank regulators have issued no formal statements or directives regarding the data breach. Informally, the agencies are reminding banks of the third-party vendor risk management guidance they previously issued. Regulators are also using this event as a teachable moment regarding the need for strong cybersecurity risk management practices at regulated financial institutions, particularly patch management: maintaining an accurate inventory of the software in use, tracking vendor security advisories, and verifying that patches for known, actively exploited flaws have actually been applied to every affected system.

The Federal Trade Commission has disclosed that it is investigating the Equifax breach, as are the U.S. Department of Justice, the Federal Bureau of Investigation and several state attorneys general. At least one state attorney general has filed a lawsuit alleging that Equifax failed to maintain appropriate safeguards to protect consumers' personal information. Several consumer lawsuits seeking class-action status have also been filed, and congressional hearings on the breach are planned.

Members of Congress are seeking additional information from Equifax and others. Rep. Carolyn Maloney, D-NY, sent a letter to TransUnion and Experian on September 13, 2017, asking what steps those companies are taking to safeguard consumer data in light of the breach. Senator Mark Warner, D-VA, sent a letter to the Federal Trade Commission asking whether Congress should limit the ability of credit reporting agencies to sell data outside specific contexts, such as credit, banking and employment inquiries.

Senator Elizabeth Warren, D-MA, announced that she is launching an investigation into Equifax's security practices, and she and Senator Brian Schatz, D-HI, have introduced a bill, the Freedom from Equifax Exploitation (FREE) Act, that would create a federal requirement for credit bureaus to offer free credit freezes to consumers affected by a data breach and would prevent credit bureaus from selling consumer information while a freeze is in place. The bill would also require credit bureaus to offer an additional free annual credit report. There are indications that the bill could receive bipartisan support.

Moving in the opposite direction, U.S. House Republicans are considering six proposals as part of their "Proposals for a More Efficient Federal Financial Regulatory Regime." One of these, the FCRA Liability Harmonization Act, would reduce the penalties credit bureaus face when consumers are harmed. The bill would cap damages in class actions filed under the Fair Credit Reporting Act at $500,000 and would eliminate punitive damages entirely. Rep. Barry Loudermilk, R-GA, the bill's sponsor, has announced that consideration of the bill will be delayed pending a full and complete investigation into the Equifax breach.
