Three Lessons from the Equifax Data Breach

Posted on by James P. Harris
  1. Every company is at risk, no matter how sophisticated. It might have been safe to assume that an entity as large and sophisticated as Equifax had top-notch security.  Perhaps that was an erroneous assumption.  But, almost every company possesses data about others (its customers, employees, business partners) that is valuable to a hacker.  Small and mid-size companies should continue to do what they can to protect their data, but they should not assume the data is truly secure. Nor should companies assume its vendors or partners are secure.  Dealing with the liabilities associated with breaches through contractual indemnification clauses takes on increased importance in today’s connected world.
  1. Every company should plan for a breach. Given that all companies are at risk, they should prepare to act swiftly in the event of a breach.  Equifax suffered additional public relations damage because it “waited” six weeks to notify the public.  There are several possible legitimate reasons for a delay, including a request by law enforcement.  Complying with the country’s patchwork of notification laws is not as straightforward as it should be.  Every company should develop an action plan that addresses investigating the breach and providing notification as soon as practicable.
  1. Credit monitoring is only somewhat helpful. Equifax offered a year of free credit monitoring for affected individuals and most people have come to expect that benefit in the event of a breach.  The Equifax event shone a light on an on-going discussion about the usefulness of credit monitoring because it only provides alerts and does not actually prevent the wrongful use of one’s identity.  A credit freeze, on the other hand, makes it more difficult for hackers to benefit from the stolen information.  Of course, a credit freeze can be problematic for the person rightfully attempting to access credit, but that inconvenience probably pales in comparison to trying to undo fraudulent transactions. Because the information taken from Equifax has lasting value, credit monitoring for one year might not provide sufficient protection against identify theft.  Companies may need to consider offering to pay for credit freezes, as opposed to credit monitoring, in the future.

For more: Equifax Breach

Related News

NH’s new comprehensive privacy law: Tips to prepare your business to meet compliance
The fine print: key contract clauses impacting cyber liability
NH Legal Perspective: Is NH about to enact a comprehensive personal information privacy law?
NH Legal Perspective: Will the U.S. ever have a comprehensive privacy law?
Boston Office
28 State Street, 22nd Floor
Boston, MA 02109
Phone: 617.897.5600
Fax: 617.439.9363
Concord Office
Two Eagle Square, 3rd Floor
Concord, NH 03301
Phone: 603.223.2020
Fax: 603.224.8899
Manchester Office
1000 Elm Street, 17th Floor
Manchester, NH 03101
Phone: 603.668.0300
Fax: 603.627.8121
Portsmouth Office
75 Portsmouth Boulevard, Suite 110
Portsmouth, NH 03801
Phone: 603.431.1222
Upper Valley Office
35 Railroad Row, 4th Floor
White River Junction, VT 05001
Phone: 603.643.9070