Mintz Levin: Equifax Breach: Three Takeaways from the First Four Days
On September 7, 2017, Equifax, one of the three large credit reporting bureaus, announced a cybersecurity incident impacting approximately 143 million U.S. consumers. According to Equifax, the breach occurred mid-May through July 2017. Equifax learned of the cybersecurity event on July 29th, but waited until September 7th to address the public.
Beyond being one of the largest breaches in this nation’s history, this breach is of particular note due to the sensitivity of the information that was breached. Social security numbers, addresses, birth dates, and in certain situations driver’s license numbers may have been accessed. Additionally, around 209,000 credit card numbers and related dispute documents for around 182,000 U.S. consumers were accessed. Further, personal information for UK and Canadian residents may have been impacted as well.
Based on the events that have transpired thus far, three areas have emerged that companies will want to understand, internalize, and learn from.
1. Government Is Taking This Very Seriously
Government at multiple levels see this breach as both a continuation of a very concerning lack of corporate data security, and a strong impetus that more regulation and oversight is required. On September 8th, multiple House committees, including the Judiciary Committee, Financial Services Committee, and Energy and Commerce Committee, announced that they will hold hearings in the near future on the breach and whether to adopt a federal notice law. Further, House Majority Leader Kevin McCarthy (R-Calif.), Reps. Maxine Waters (D-Calif.) and Ted Lieu (D-Calif.), and Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.), have all publicly provided their support for a national data breach notice standard and additional cybersecurity legislation.
Federal agencies are also quite active. The Consumer Financial Protection Bureau (CFPB) and the Federal Bureau of Investigation are already investigating. Samuel Gilford, spokesman for the CFPB has stated that CFPB is authorized to pursue enforcement actions against companies that engage in “unfair, deceptive or abusive practices” but that the CFPB “cannot comment further at this time.” Many experts also expect the Federal Trade Commission to launch its own investigation.
At the state level, attorneys general for Connecticut, Illinois, Pennsylvania, and New York have already announced investigations, with many more likely to follow.
2. Appropriate Communications With Affected Consumers Are Essential
In the chaos of a data breach, every company possesses an important aspect of the remediation process that it can control – how it chooses to communicate with the public and those affected by the breach. While data breach notification laws do set a baseline in many cases, how a company handles its obligations, including how quickly it acts and provides information to affected consumers will set the tone for how the breach is viewed by the public, and potentially government as well.
Equifax has already made some decisions in this regard that have been less than helpful. First, it appears that Equifax waited over a six weeks to notify the public of the breach, learning of the event on July 29th, but waiting until September 7th to address the public. Second, at least initially, the tool provided on the website setup by Equifax for consumers to check if they have been impacted, appeared to provide “random results, even for fictional names and social security numbers.” This has likely impacted consumer confidence in Equifax’s handling of the breach remediation process. Third, three executives may have sold $2 million worth of company stock days after the breach, and more than a month before the breach was publically disclosed. Beyond the legal liabilities this could create, such activities may make the public feel that the privacy and security of their data was not the most important issue for company leadership after discovery of the breach. Fourth, as commented on by many, Equifax initially appeared to be using its offer of free products, including credit monitoring, as a mechanism to have affected consumers agree to an arbitration clause or class action waiver, although Equifax has since posted on its website that this was not its intention, and that no such waiver will apply to the cybersecurity incident.
3. Lack Of Incident Response Planning Will Create Negative Consequences
Companies that fail to plan for a cybersecurity incident plan to fail. Based on Equifax’s response to this incident thus far, it is likely that additional incident response planning, before a breach occurred, would been quite beneficial. While every company’s situation will be different, at a minimum every company should have a plan that allows for remediation of a data breach in a timely and effective manner. This means that pre-incident, companies need to: understand what sensitive data is being stored, partner with an appropriate cybersecurity forensics firm and trusted legal counsel, and create a roadmap for the notification of affected individuals and remediation of the breach. Companies that want the best chances of effective remediation will need to test the plan and prepare for the worst, refine the plan as a result of regular testing, and ensure key stakeholders understand their responsibilities for the remediation process.