THE EQUIFAX DATA BREACH –
THE FACTS AND IMPLICATIONS FOR CONSUMERS
By David Aschkinasi
The September 7 disclosure by Equifax that its databases with consumer information had been breached by unknown parties has created significant concerns among large segments of American society. It is the basis for lawsuits by individuals and investigations by state attorneys general. The hackers who penetrated the Equifax databases had access to names, addresses, birthdates, credit card information, social security numbers and drivers’ license numbers of most consumers whose information was in the database, estimated at about 143 million people.
The history of the breach has raised serious issues regarding the manner in which Equifax has maintained the security of the data that it has in its possession. Equifax is a credit reporting business that makes information about consumers available to businesses that want to extend credit to customers. It sells information to banks and other financial lending institutions, as well as to businesses such as car dealers and retailers that want information about people requesting credit. Consumers expect that their personal information will be kept confidential by agencies such as Equifax, unless the consumer provides consent for release of the information. Laws require that companies such as Equifax safeguard the information in their possession.
A little background about the breach itself – On July 29, 2017, Equifax discovered that there was a vulnerability in its database security systems. The Equifax security team called in Mandiant Consulting, one of the leading global cybersecurity analysts, to help determine what had happened. The inquiry resulted in a determination that the breach had occurred starting in mid-May and resulted from a problem in a software application called Apache Struts. On March 7, 2017, a patch (a software fix) for the vulnerability was made available, and this was disclosed by the United States Computer Emergency Readiness Team, an organization within the U.S. Department of Homeland Security. Equifax apparently took no action to implement the patch, and so the vulnerability continued to exist in its system.
On September 19, 2017, Equifax revealed that another breach in its network occurred in March, 2017. Details of that breach have not been provided yet, but this information creates even more concern about the way Equifax has operated its network, especially from the perspective of network security.
What does this mean for you?
For people who have applied for credit, it is very possible, if not likely, that your personal information – name, address, social security number, birthdate, credit card information and maybe driver’s license number – is in the Equifax database, since information for 143 million people may have been accessed in this incident. The hackers that stole this information can sell it or use it for unscrupulous purposes. Your information might be used to apply for credit in your name, but without your knowledge. You may never be aware that this has occurred until a creditor tries to collect from you, or until a credit agency such as Equifax reports that you (or someone acting under your name) has defaulted on a loan that you were never aware of. Your good credit can be ruined. The cost and time to deal with such a situation can be staggering.
What does the law require?
Federal law (the Fair Credit Reporting Act) requires that consumer data must be protected by taking reasonable precautions to protect that data. That law provides that only those with a valid reason to have access to data can get it. Credit reporting agencies such as Equifax are required to have processes in place to assure that consumer data is released only to parties with a legitimate reason to get that information. It seems that Equifax may not to have complied with this provision of the law when its processes to protect information failed. Many states have consumer protection laws that may also include similar protections for consumers’ data.
And what can you do if you believe you have a claim?
The law provides that individuals have the right to claim damages from agencies that violate the law. Many consumers who believe that their rights have been violated by Equifax have already filed claims against the company. Several class action lawsuits have been filed or announced. The attorneys general of several states have announced that they are investigating the Equifax data breaches to determine if they should file lawsuits to protect the rights of consumers in their states and to require Equifax to assure that it will make changes to its processes to assure that consumer data is better protected in compliance with laws.
The people who are responsible for a data breach that has affected you may be subject to criminal penalties. In some cases, criminal prosecutions against those wrongdoers may be able to recover damages for the losses you have suffered. Legal counsel can help you notify the authorities and present a claim, whether to the FBI, government prosecutors or other public officials.
If you believe that you may have a claim against Equifax that you wish to pursue, you should contact legal counsel to determine how best to proceed.