On Sept. 7, Equifax Inc. announced a breach by hackers affecting as many as 143 million consumers.
The information impacted by the breach is as sensitive as personally identifiable information gets – names, Social Security numbers, birth dates, addresses, and driver’s license numbers (among other information, including credit card data in some instances).
While data breaches are nothing new, the Equifax breach is particularly alarming given its size, the scope of data impacted, and the credit reporting role Equifax plays in the United States, and even globally. While industry experts, regulators, and affected consumers pick up the pieces, it remains to be seen how the world of privacy will change in its aftermath.
As one of the “big three” consumer credit reporting agencies, Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide. The vast amount of data held by Equifax made it an obvious target for hackers.
Reports vary, but some believe that the breach may impact as many as 55 percent of adult Americans. While the breach was announced last month, the intrusion was discovered internally on July 29, 2017, raising the question of whether the disclosure should have been swifter. That is one of the many questions that federal and state regulators are investigating and an issue that has been widely criticized in the media.
Given the volume and sensitivity of the consumer data it holds, lawmakers and regulators, including the Consumer Financial Protection Bureau and the Federal Trade Commission, are also scrutinizing whether Equifax’s cyber-security systems were adequate. Many, including Massachusetts Attorney General Maura Healey, believe they were not, prompting the filing of the nation’s first enforcement action against Equifax for violating state consumer protection laws.
While Healey may be leading the charge, more than 40 other state attorneys general are investigating the cyber-attack and some have hinted at similar courses of action. Lawmakers aren’t alone, as numerous class action lawsuits were promptly filed, the first of which was in Portland, Oregon, where plaintiffs are seeking damages up to $70 billion.
As details of the breach trickle out, there’s reason to be concerned about the overall robustness of cybersecurity, or lack thereof. Equifax CEO Richard Smith, who resigned on Sept. 26 (joining other senior managers departing in the wake of the breach), testified before the U.S. House Committee on Energy and Commerce on Oct. 3. His testimony revealed that Equifax was notified by the Department of Homeland Security in March 2017 of the need to patch a vulnerability in software related to an online dispute portal. The responsible security team was notified but the patch was never applied. Shortly thereafter, a security scan was run but failed to detect the continuing vulnerability. It appears that hackers first accessed the data, which was not encrypted at rest, on May 13, yet Equifax did not detect “suspicious activity” until July 29.
In an unrelated incident, a week after Equifax’s disclosure of the breach, it was learned that an online employee tool used in Equifax’s Argentina operations could be accessed by typing “admin” as both a login and password (although no breach has been tied to this insecurity). Collectively, red flags are being raised as to why one of the largest credit reporting agencies was so exposed.
The congressional inquiries certainly suggest that stricter regulation may be in store for Equifax and other consumer credit reporting agencies, which are largely for-profit entities. Stricter regulation, if it comes, will likely address protection of consumers – who have no control over their information in a breach like this.
To this end, Equifax has already proposed giving consumers the ability to freeze and unfreeze their credit at will for free. The privacy industry is also speculating that this breach could be the impetus for broad-form federal privacy legislation in an area that is currently a patchwork of industry-based regulation at the federal and state levels.
Regardless of the outcome, this is a stark reminder that cybersecurity should be top of mind for businesses and consumers alike.
- Partner
Marc P. Jerabek is a partner with expertise in financial services, real estate and business matters. An accomplished litigator, Mr. Jerabek represents financial institutions, mortgage servicers, large and small businesses, and ...