On September 7, Equifax, one of the three major credit reporting firms in the U.S., disclosed a data breach that potentially affects 143 million consumers. Equifax’s disclosure indicated that the breach, which Equifax claims to have discovered in July, resulted from a vulnerability (CVE-2017-5638) in Apache Struts, an open-source software (OSS) framework that supports the Equifax online dispute portal web application. The Apache Struts vulnerability was identified and disclosed by the United States Computer Emergency Readiness Team in March 2017. Although Equifax made some effort to identify and secure vulnerable systems, it is unclear what steps Equifax took to patch the system or whether it otherwise engaged in remediation measures, including any update to its web applications.
Managing Regulator Inquiry
If your company has utilized Equifax services, then your customers may have been exposed to an increased risk of identity theft. This risk may leave your business vulnerable to regulator inquiry. Companies can expect regulators to ask questions such as: (1) what is the nature of the relationship between the company and Equifax, including contractual obligations; (2) what types of information have been exchanged between the company and Equifax, and is the company still reporting information to Equifax; and (3) in light of the breach, what will the company do to protect its customers and ensure their information is safeguarded going forward?
Some steps that you can immediately take to help position your company to properly respond to regulator inquiry include:
- Establishing a point of contact and mobilizing your breach response team across departments to specifically manage the Equifax breach.
- Conducting a thorough review of the information policies and procedures that are currently in place. This will allow you to effectively convey a factual report to the regulator regarding your data management practices.
- Working with in-house and outside counsel to initiate an internal investigation to determine how sensitive consumer data is being managed, and what data may be at risk as a result of the breach.
Managing Your Relationship with Equifax
To mitigate any potential liability, you should immediately review your company’s contracts with Equifax. Once this analysis is complete, you can decide how best to manage your relationship with Equifax by determining what action, if any, you should take regarding any costs you may have related to the breach. Some of the questions you should consider while evaluating your contractual relationship with Equifax include:
- What Equifax products or services does your company use and what customer information is and has been exchanged between the company and Equifax?
- Are there any existing contractual provisions that require the company to send data to Equifax?
- If the company is required to use an Equifax service, are there transmission requirements to send the data? Who has access to the data? What is the data retention policy?
- What pathways exist to modify the contract to address Equifax’s data security issues?
- Is it reasonable to stop using the Equifax service?
- Will there be a business disruption and cost to find another vendor? Keep in mind that there is no guarantee that existing alternatives are better equipped to safeguard against a breach.
- What questions, demands and inquiries can your company make of Equifax to determine what steps Equifax has taken since the breach to secure its systems and customer information?
- What costs should Equifax cover relating to your management of the breach? What improvements should Equifax make to enhance data security practices going forward?
NYDFS Guidance to Regulated Institutions
Following the Equifax breach, the New York Department of Financial Services (“NYDFS”) promptly issued guidance to all financial institutions and insurers that are regulated by NYDFS and subject to its Cybersecurity Requirements for Financial Services Companies. NYDFS strongly urged regulated institutions “to ensure that this incident receives the highest level of attention and vigilance.” This guidance is instructive not only for regulated companies, but also for entities outside the purview of NYDFS, as it highlights the expectations that all companies will face in managing the threat to their customers posed by the Equifax breach.
The NYDFS guidance encourages institutions that provide consumer- or commercial-related account and debt information to Equifax to carefully review the terms of any credit-reporting arrangement with Equifax to determine any potential risk associated with the continued provision of data in light of this cyberattack. In this regard, institutions are specifically cautioned to take into consideration the NYDFS Cybersecurity Regulation with respect to third party service providers. Similarly, institutions that receive credit reports from Equifax are advised to confirm the validity of information contained in Equifax credit reports, as they may have been compromised in the cyberattack.
The guidance also urges regulated institutions to consider the following best practices for information security:
- Install all available security patches;
- Implement appropriate ID theft and fraud prevention programs for both new and existing customers;
- Use an identity verification/fraud service for identity verification;
- Provide a call center for customers to report if their information has been hacked and code these customer accounts with a “red flag”; and
- Use Multi-Factor Authentication and Risk-Based Authentication techniques instead of relying solely on personally identifiable information (PII) as a means of verifying identity.
“The data breach at Equifax demonstrates the necessity of strong state regulation like New York’s first-in-the-nation cybersecurity actions,” said Financial Services Superintendent Maria T. Vullo, warning that NYDFS would take all action that is necessary “to protect New York’s markets, consumers and sensitive information from criminals.” In light of the recent expiration of the deadline for achieving compliance with the NYDFS Cybersecurity Regulations and the increased risk created by the Equifax breach, it is crucial that all companies regulated by NYDFS take immediate and proactive measures to mitigate potential harm to their customers and ensure compliance with the NYDFS Cybersecurity Regulations.
This breach has highlighted the often overlooked importance of proper IT infrastructure and data management. Accordingly, your company must be prepared to examine and defend its policies and practices to ensure your customers and IT network are protected. Areas of focus should include vendor management practices, proactive system monitoring procedures, and data encryption protocols.