September 24, 2017


Equifax Breach: Three Takeaways in First Four Days

On September 7, 2017, Equifax, one of the three large credit reporting bureaus, announced a cybersecurity incident impacting approximately 143 million U.S. consumers. According to Equifax, the breach occurred from mid-May through July 2017. Equifax learned of the cybersecurity event on July 29th but waited until September 7th to address the public.

Beyond being one of the largest breaches in this nation's history, this breach is of particular note due to the sensitivity of the information that was exposed. Social security numbers, addresses, birth dates, and in certain situations driver's license numbers may have been accessed. Additionally, around 209,000 credit card numbers and related dispute documents for around 182,000 U.S. consumers were accessed. Further, personal information for UK and Canadian residents may have been impacted as well.

Based on the events that have transpired thus far, three areas have emerged that companies will want to understand, internalize, and learn from.

1. Government Is Taking This Very Seriously 

Government at multiple levels sees this breach both as a continuation of a very concerning lack of corporate data security and as a strong impetus for more regulation and oversight. On September 8th, multiple House committees, including the Judiciary Committee, Financial Services Committee, and Energy and Commerce Committee, announced that they will hold hearings in the near future on the breach and on whether to adopt a federal notice law. Further, House Majority Leader Kevin McCarthy (R-Calif.), Reps. Maxine Waters (D-Calif.) and Ted Lieu (D-Calif.), and Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.) have all publicly voiced their support for a national data breach notice standard and additional cybersecurity legislation.

Federal agencies are also quite active. The Consumer Financial Protection Bureau (CFPB) and the Federal Bureau of Investigation are already investigating. Samuel Gilford, spokesman for the CFPB, has stated that the CFPB is authorized to pursue enforcement actions against companies that engage in "unfair, deceptive or abusive practices" but that the CFPB "cannot comment further at this time." Many experts also expect the Federal Trade Commission to launch its own investigation.

At the state level, attorneys general for Connecticut, Illinois, Pennsylvania, and New York have already announced investigations, with many more likely to follow.

2. Appropriate Communications With Affected Consumers Are Essential 

In the chaos of a data breach, there is one important aspect of the remediation process that every company can control: how it chooses to communicate with the public and those affected by the breach. While data breach notification laws set a baseline in many cases, how a company handles its obligations, including how quickly it acts and provides information to affected consumers, will set the tone for how the breach is viewed by the public, and potentially by government as well.

Equifax has already made some decisions in this regard that have been less than helpful. First, it appears that Equifax waited over six weeks to notify the public of the breach, learning of the event on July 29th but waiting until September 7th to address the public. Second, at least initially, the tool provided on the website set up by Equifax for consumers to check whether they had been impacted appeared to provide "random results, even for fictional names and social security numbers." This has likely damaged consumer confidence in Equifax's handling of the breach remediation process. Third, three executives may have sold $2 million worth of company stock days after the breach was discovered, and more than a month before the breach was publicly disclosed. Beyond the legal liabilities this could create, such activities may make the public feel that the privacy and security of their data was not the most important issue for company leadership after discovery of the breach. Fourth, as many have commented, Equifax initially appeared to be using its offer of free products, including credit monitoring, as a mechanism to have affected consumers agree to an arbitration clause or class action waiver, although Equifax has since posted on its website that this was not its intention and that no such waiver will apply to the cybersecurity incident.

3. Lack Of Incident Response Planning Will Create Negative Consequences

Companies that fail to plan for a cybersecurity incident plan to fail. Based on Equifax's response to this incident thus far, it is likely that additional incident response planning, undertaken before a breach occurred, would have been quite beneficial. While every company's situation will be different, at a minimum every company should have a plan that allows for remediation of a data breach in a timely and effective manner. This means that, pre-incident, companies need to: understand what sensitive data is being stored, partner with an appropriate cybersecurity forensics firm and trusted legal counsel, and create a roadmap for the notification of affected individuals and remediation of the breach. Companies that want the best chance of effective remediation will need to test the plan and prepare for the worst, refine the plan as a result of regular testing, and ensure key stakeholders understand their responsibilities in the remediation process.

We will continue to update our readers as this situation develops.

©1994-2017 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

About this Author

Associate

Brian has extensive experience in patent litigation and intellectual property matters, as well as privacy and data protection matters, particularly as to data aggregation, network security, and technology transactions. Beyond counseling on compliance, incident response, and data privacy and protection, Brian has advised on technology-centric agreements, licensing issues, open source software licensing, vendor agreements, and hosting agreements, and analyzed patent portfolios for potential assertion or freedom to operate. He is a Certified Information Privacy Professional...

Cynthia Larose, Member

Cynthia is Chair of the firm's Privacy & Security Practice and a Certified Information Privacy Professional (CIPP). She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the "corporate lifecycle," from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.

Cynthia has extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions.

She conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy “best practices” across all levels of the enterprise.

She is a frequent speaker on privacy issues at conferences and media appearances and presents privacy awareness and compliance training seminars to client companies.
