Post-Equifax: What Do We Do Now?

By now, everyone has likely been inundated with information about the Equifax data breach.  If you are one of the few who has not heard about what happened, here’s the short version: Equifax suffered an enormous security breach as a result of its poor data privacy hygiene resulting in over 143 million people having their credit information, including their social security numbers, names and addresses, potentially exposed. The impact will be felt for a long time and the consequences if you are affected could be significant.

So what exactly did Equifax do wrong? To be blunt, EVERTYTHING. First, according to industry experts, Equifax failed to install a readily available security update that left it vulnerable to hackers. Second, the lack of security updating was compounded by the fact that Equifax’s administrative passwords were simplistic, certainly for a company that’s primary purpose is to store sensitive information, and was easily decipherable by the cyber-intruder.  Third and what makes matters worse is that the security update was available to Equifax two months before the breach. Fourth, in addition to the lax cyber-hygiene of Equifax was the fact that Equifax waited for months after it knew of the breach before reporting it to the public.  Fifth, when Equifax finally reported the breach, the message it sent was a weak one that left the public feeling exposed and betrayed, especially when it turned out the certain Equifax executives sold large quantities of company stock after the breach was discovered but before it was reported.  It is hard to envision any worse corporate conduct both leading up to the breach and continuing until today.

In the aftermath of such an historic cyber-breach, what lessons can companies and individuals learn and what steps are to be taken to mitigate the damage? On the corporate level, companies need to take cybersecurity and data privacy seriously, invest adequate resources to addressing the issue and partner with professionals versed in all aspects of today’s cybersecurity environment, including legal counsel, technical/forensics experts and insurance professionals. Develop and implement prudent Information Technology practices that include continuous system maintenance, updating/patching of software, mapping, segregating and encrypting data as well as actively being vigilant for intrusions or data loss.  Prepare a plan for how to respond to breaches or data losses. Perform vulnerability assessments under the guidance of counsel, to determine where you need to shore up your defenses while maintaining the confidentiality of the assessment results through attorney-client privilege.  Obtain insurance policies to blunt the impact of data breaches and to obtain resources to assist with specific breaches like ransomware/malware.

And should your company be a victim of a breach, react quickly and send the right message, even if it means hiring a public relations professional to help you craft the notification to the public.   Consider that amount of time lost when Equifax delayed its notice of the breach and when it delivered a weak explanation as to what occurred and why.  Imagine what could have been done by those people affected to take steps to secure their valuable personal information in the months between the breach and the date of notification.

On the individual level, if you determine that you were potentially impacted by the Equifax breach, you need to tailor how you treat your information for the foreseeable future.  It is estimated that the hackers who acquired the Equifax information may not use the information for some time, but rest assured, they will act.  Consider placing credit freezes on your accounts with all three credit reporting agencies.  Freezes will not affect your credit rating, but will prevent the opening of new accounts under your name. As credit freezes will prevent new accounts from being opened, you also need to be vigilant about your existing information. Obtain a credit report to review for recent credit inquiries. If you see an unfamiliar entry, contact the credit bureau immediately to investigate.  If you see charges on credit cards that were not made by you, report and challenge them immediately, no matter how small they are.  Similarly if you see unusual activity in your bank or investment accounts, contact the financial institution without delay. Finally, consider changing passwords on existing accounts and using password-management software and applications that will create random passwords. Even if your information was not accessed, it is a good idea to adopt these practices.

Lindabury’s Cybersecurity and Data Privacy Practice group has commented on the changing landscape of data privacy before, but the Equifax breach raises the issue to a new level.  While not the largest data breach in recent history, the Equifax breach is potentially more damaging based on the nature of the information Equifax maintained and in light of the fact that its security practices were so poor.   It is more important than ever to get guidance on how to protect your company and yourself from the evil-doers who just acquired an enormous amount of information that can be used to damage you. We remain ready to assist you with any cybersecurity and data privacy concerns you have.