On September 7, Equifax, one of three nationwide credit-reporting agencies that compile and evaluate the financial history of consumers, announced that it suffered a security breach in which sensitive information of approximately 143 million Americans was compromised. According to Equifax, the breach lasted from mid-May through July 2017, and was discovered on July 29. The hackers accessed people’s names, Social Security numbers, birthdates, addresses and, in some instances, driver’s license numbers. The credit card numbers of about 209,000 people and credit report dispute documents containing personally identifiable information of about 182,000 people were also stolen. The breach also involved the personal information of people in the United Kingdom and Canada. Equifax has stated that the cyber criminals exploited a U.S. website application vulnerability to gain access to certain files. Further details about exactly how the breach occurred are still forthcoming, but it has been reported that the attack may have been due to Equifax’s use of an unpatched version of open-source web application software used for creating web applications.
Equifax’s delay in announcing the breach and its actions in the wake of the announcement drew criticism from consumer groups, lawmakers, and regulators. Equifax set up a website for consumers to inquire whether their information may have been compromised in the breach and to sign up for a year of free credit monitoring, but consumers trying to access the website have encountered technical difficulties and confusing instructions. Three Equifax executives, including its chief financial officer, collectively sold $1.8 million in company shares days after the company discovered the breach, although the company maintains that the executives were unaware of the breach. While Equifax is offering free credit monitoring, it initially required people who enrolled in the service to agree to a mandatory arbitration clause, thereby waiving the right to sue Equifax. After swift public backlash, a company spokesperson clarified that its arbitration clause applied only to the free credit monitoring service, and not the breach itself, meaning that consumers may still sue Equifax over the breach. As of Monday, September 11, more than 30 lawsuits have already been filed against Equifax in the United States related to the breach, including at least one accusing the company of securities fraud.
Response from Lawmakers and Potential for Increased Regulation
The revelation of the breach has drawn the attention of lawmakers and regulators at both the federal and state level, several of whom have expressed the view that increased federal regulation of the credit reporting industry and other companies that store vast amounts of sensitive personal information may be needed to combat similar incidents in the future. The attorneys general for New York and Massachusetts have launched investigations and suits, and the Consumer Financial Protection Bureau (CFPB), which shares oversight of credit bureaus with the Federal Trade Commission (FTC), is looking into the breach and Equifax’s response. Three committees of the U.S. House of Representatives – Judiciary, Financial Services, and Energy and Commerce – plan to hold hearings on the breach in the coming weeks. Senate Finance Committee Chairman Orrin Hatch (R-Utah) and ranking member Sen. Ron Wyden (D-Oregon) have issued a letter to Equifax’s leadership stressing the gravity of the breach, stating that “Equifax is a critical partner of the Internal Revenue Service, Centers for Medicare & Medicaid Services, the Social Security Administration and other federal agencies that are the sources and recipients of some of the most sensitive information affecting individuals, as well as the targets of the vast majority of identity theft fraud against taxpayers.” The senators are demanding that by September 28, 2017, Equifax provide responses to 13 questions set forth in the letter, which request information such as a detailed timeline of the breach, actions Equifax has taken to mitigate and properly respond to the breach, background on Equifax’s information security program, whether Equifax used third-party security experts to test its systems, and whether the company worked to fix any of the issues that were identified in security testing. The chairman of the House Small Business Committee sent a letter to the FTC asking for more information on the breach and the government’s response, and whether TransUnion and Experian, the other two major consumer credit bureaus, have taken measures to protect consumer information. The spokeswoman for the Trump administration has also expressed concern regarding the breach and indicated that new regulations may be needed.
On September 14, the FTC took the unusual step of confirming that it is investigating the Equifax breach. Equifax and its competitors, Experian and TransUnion, faced almost no federal oversight until 2012, when the CFPB was granted power to police the credit bureau industry. While the FTC has authority to sanction companies that fail to take reasonable security measures to protect consumers, it does not proactively monitor credit bureaus the way banks are monitored by regulators such as the Federal Reserve and the Office of the Comptroller of the Currency. The CFPB has authority to make sure financial companies maintain standards to keep consumer information secure, but it has so far focused its scrutiny of credit bureaus on ensuring that credit reports are based on accurate data and that consumer complaints are adequately addressed, rather than cybersecurity. Last year the CFPB initiated its first and only enforcement action centered on cybersecurity concerns, in which it fined online payment company Dwolla, Inc. $100,000 for allegedly deceiving companies about how secure its systems were.
Importance of Incident Response Planning
The Equifax breach serves as a reminder of the importance of having an incident response plan in place to turn to when a major incident such as a data breach occurs. Though companies often delay breach notification in order to determine the scope of the breach and coordinate an adequate response, once notification is made, focus on clear, consistent and effective communications and provide specifics on credit monitoring or any mitigation and remediation. A well-coordinated incident response plan that is thoughtful and transparent goes a long way in helping to mitigate the effects of a data breach and to reassure customers and regulators that the company is taking all necessary steps to respond to the breach. For tips on how to implement an incident response plan, see Bradley’s webinar on data breaches and incident response.
While we do not yet know all of the technical details about the vulnerability that the hackers exploited, initial reports are that it was caused by Equifax’s use of an unpatched version of open-source web application software. This demonstrates how critical it is to install the latest updates and security patches to your company’s operating system and any software used, which are provided by technology companies to address vulnerabilities that have been identified in the software or operating system. By failing to install readily available updates and security patches, companies increase the likelihood of falling victim to cyber thieves and the chance that they will face litigation and government enforcement action for failing to take reasonable safeguards to protect customers’ information. While it is not possible to foresee and address every security threat posed by malicious hackers, installing available security updates is an important step that all companies can take to protect information.
Recommended Steps for Individuals
Given the large number of individuals affected and the sensitivity of the information that was compromised, many people are wondering what steps they can take to protect themselves from identity theft, and whether they should take advantage of the free credit monitoring being offered by Equifax. While credit monitoring services may alert you that your identity has been stolen and assist you in the process of disputing unauthorized charges and accounts opened in your name, these services will not actually help to prevent your identity from being stolen. Well-known cybersecurity researcher Brian Krebs recommends that you place either a fraud alert or a security freeze, also known as a credit freeze, on your credit reports with the four consumer credit bureaus – Equifax, Experian, TransUnion, and Innovis. The difference between the two is described in FAQs on the FTC’s website. Of the two, a security freeze provides stronger protection, and stays in effect for a longer period of time.
Implications for the Healthcare Industry
One of the many concerns outlined in the Senate Finance Committee’s letter to Equifax is the potential for the breach to lead to the perpetration of fraud against the Medicare and Medicaid programs. In addition, Equifax is reportedly the financial verification vendor to the U.S. Department of Health and Human Services for millions of enrollees on the marketplace exchanges created under the Affordable Care Act, and may serve as a vendor to other healthcare entities. The Centers for Medicare and Medicaid Services (CMS) has allegedly been informed by Equifax that health insurance marketplace exchange data was not involved in the breach, but this highlights the risk that vendors with security vulnerabilities pose to healthcare entities. In the meantime, healthcare providers and companies in the healthcare industry should consider taking extra measures to verify the identity of beneficiaries at the point of service before submitting claims for payment to CMS.