There are many, many lessons being learned from the recent Equifax breach – reputational, legal and technological. Much has been written and much will be written about the effects of this massive exposure of personal information that, once exposed, could lead to identity theft, tax fraud and more. Let’s break it down. Following is an annotated guide.
- The Equifax Data Breach – Boiled Down to the Essentials (Ride the Lightning)
- Cotter’s Corner: Privacy, cybersecurity increasingly require attention from attorneys (Chicago Daily Law Bulletin, subscription required)
Who is Equifax?
- Before the breach, Equifax sought to limit exposure in lawsuits (Washington Post)
- How to Handle a PR Crisis a Lot Better Than Equifax (LifeHacker)
- Equifax Breach: Two Executives Step Down as Investigation Continues (New York Times)
Did my data get exposed?
- Hackers Steal Personal Information of 143 Million US Consumers From Credit Reporting Agency Equifax (Gizmodo)
- 6 Equifax hack rumors fact-checked (CNN Money)
- Equifax Breach: Setting the Record Straight (Krebs on Security)
- Hackers Entered Equifax Systems in March (Wall Street Journal)
What should Equifax have done (versus what they have done)?
- State Data Breach Notification Laws (Foley & Lardner)
- Data Breach Response: A Guide for Business (Federal Trade Commission)
- Summarizing Federal & State Data Breach Notification Laws (BitSight)
- Data Breach Notification Laws: A How-To Guide (Bryan Cave)
- Equifax tweets sent victims to phishing site (CNBC)
How did this happen?
- Failure to patch two-month-old bug led to massive Equifax breach (Ars Technica)
- Equifax officially has no excuse (Wired)
- Safer but not immune: Cloud lessons from the Equifax breach (InfoWorld)
What should I do?
- Credit monitoring
- Fraud alerts
- Credit freezes
- Identity theft protection following the Equifax data breach (Consumer Financial Protection Bureau)
- How I Learned to Stop Worrying and Embrace the Security Freeze (Krebs on Security)
- Keep your PINs and other identifying information safe
- Equifax: woeful PINs put frozen credit files at risk (Sophos Naked Security)
- Equifax to Fix Weak Pins for Security Freeze on Consumer Credit Reports (Ars Technica)
- Scrutinize your bills
- Turn on two-factor authentication
- Set Up Two-Factor Authentication: What Are You Waiting For? (ABA Law Practice Today)
- Talk to your bank about what they are doing for you.
- Watch for phishing and whaling emails
- CBA LPMT Security Videos (CBA members only)
- Do not use the same password for personal and business
- Consider using other pay services (PayPal, Venmo) rather than using credit cards directly when making online payments.
What does this mean for lawyers?
- Get up to speed with the issues to help your practice/firm.
- Get up to speed to help your clients
- Consumer clients may need help regaining identity for years to come. They also need to be protected from misinformation.
- DoNotPay bot wants to help you sue Equifax (VentureBeat)
- Corporate clients and small businesses need to know what to do – the right way – if they find out they have a breach.
- Military personnel are at special risk, and have special tools:
- Service members should secure their identity after the Equifax data breach (Consumer Financial Protection Bureau)
- If you are a sole practitioner and your personal data is exposed, it may have consequences for your business. Get an EIN and consider an LLC.
- Help your team follow best security practices
- Awareness Officers – What to Communicate About the Equifax Hack (SANS.org)
- Password Managers (SANS.org)
- Cybersecurity Audits: Getting to Good (ABA GP|Solo Magazine, may require member login)
- The New ACC Protection of Sensitive Client Data Guidelines for Outside Counsel (Ride the Lightning)
What happens to Equifax?
- Legal Experts See Room for Deal in Equifax Data Breach Lawsuits (Insurance Journal)
- Equifax faces its biggest litigation threat from state attorneys general (Market Watch)
- Massachusetts sues Equifax for not protecting state residents (CNBC)
Why do we persist in using DL numbers and social security numbers as unique identifiers?
*Thanks to Dan Cotter for his review and help with this Tip!