After the Equifax Epic Data Breach Fail - What Next?
One would have to have been hiding under a rock not to have heard about the massive Equifax data breach. The credit reporting agency announced last week that a web application flaw exposed 143 million consumer records to hackers including credit card numbers for 209,000 U.S. consumers and what it described as "dispute documents" containing personal information for 182,000 U.S. consumers. Equifax stated it discovered the intrusion on July 29. On top of that, three senior executives sold shares worth almost $1.8 million in the days after the discovery on August 1 and August 2, although Equifax indicated the executives "had no knowledge that an intrusion had occurred at the time they sold their shares." Equifax's response in responding to the situation fell short of expectations.
So what can a credit union do?
There is no technical federal regulatory requirement for a credit union to notify its members or NCUA of a third party data breach. A credit union is only required to notify members and NCUA when there has been a direct data breach of the credit union's system maintained by it or its third-party service provider. That being said, member notification, in any data breach context, may help to mitigate against the risk of fraudulent or unauthorized transactions. A credit union might also review any contractual agreements with Equifax to see whether and how this situation (arguably, this eventuality) was addressed and whether there are any contractual obligations for either party.
A credit union with a relationship with Equifax could conduct a vendor review if it believes it is appropriate, and question the security surrounding sharing and connections with outside parties. NCUA's Letter to Credit Unions 07-CU-13 and the enclosed Supervisory Letter No. 07-01 might be helpful, as would the Oversight of Third-Party Service Providers section of the Information Security booklet of the Federal Financial Institutions Examination Council's IT Examination Handbook.
What about helping credit union members?
How an individual credit union chooses to serve its members within this context is a business decision. But a credit union can always provide members with resources such as:
- Equifax's notification of the breach webpage, including identity theft prevention tips and regulatory contact information;
- Equifax's check for potential impact webpage;
- Equifax's enrollment for credit protection webpage – (note Equifax has backtracked its conditioning of credit protection services on arbitration agreements.);
- Equifax's FAQs on the breach;
- FTC's The Equifax Data Breach: What to Do webpage;
- Krebs on Security – The Equifax Breach: What You Should Know;
- IdentityTheft.gov provides consumer-facing guidance specific to the Equifax breach and specific to the information lost;
- CFPB blog post Identity theft protection following the Equifax data breach;
- MoneyWatch – Equifax data breach: How to protect your credit rating; and
- Members can be reminded of their ability to access their credit reports at AnnualCreditReport.com.
The scale of this breach means that every Social Security Number in the U.S. in conjunction with the associated name must be presumed to be public knowledge. As a result, security experts are saying a Social Security Number should no longer be used to validate anyone's identity. In addition it was reported yesterday, Visa and MasterCard are sending confidential alerts to financial institutions across the U.S. this week, warning that more than 200,000 credit cards were stolen from Equifax. The data was downloaded in "one fell swoop" in mid-May 2017 and the “window of exposure” for the stolen cards was between November 10, 2016, and July 6, 2017. The breach also impacted an undisclosed number of people in Canada and the United Kingdom but the official list of victim countries may not yet be complete.
The Equifax data breach has already led to the filing of more than 30 lawsuits seeking class-action status. One suit, filed in Portland, Oregon, is demanding up to $70 billion in damages. Equifax executives can also expect to appear before Congress as a result of the breach.
Upcoming NAFCU webcasts:
Tuesday, September 19 | 2:00 p.m. – 3:30 p.m. ET
Tuesday, September 26 | 2:00 p.m. – 3:30 p.m. ET
Tuesday, October 24 | 2:00 p.m. – 3:30 p.m. ET