How to Respond to the Equifax Security Breach

September 8, 2017 | Shari Claire Lewis | Privacy, Data & Cyber Law

Yesterday, Equifax, a company whose credit services are central to the financial activities of virtually every American, announced a massive security incident described by its CEO as an event that struck at the heart of what Equifax does. Approximately 143 million U.S. consumers had personal information, such as their names, social security numbers, birth dates and driver’s license numbers accessed by cybercriminals.  The credit card accounts and dispute documents of approximately 200,000 consumers were also accessed.

Equifax advised that, based on its investigation, cyber-criminals exploited a vulnerability in its  U.S. website application to gain access to personal data from mid-May through July 2017, but found no evidence of unauthorized activity on Equifax’s core consumer or commercial reporting database.

The personal data accessed is “gold” to cyber-pirates who can use the data to commit identity theft or sell it for use by others. Pamela Dixon, executive director of the nonprofit research group, World Privacy Forum, in a New York Times article said the likelihood is good that you have been affected by this breach. “If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent.”

What do you do when one of the entities that you have been told to entrust with your private data and to rely on to help you monitor potential ID theft becomes a source of the potential risk?

First:  DON’T PANIC!

Next, consider whether to take advantage of the free services Equifax is offering. Equifax’s dedicated breach website — www.equifaxsecurity2017.com/ — provides information and a link that may help consumers determine whether their information has, in fact, been compromised. The site also contains a link to enroll in Equifax‘s complimentary credit monitoring services that it is offering to all U.S. consumers for one year, regardless of whether the consumer has been identified as a breach victim. The  offering, called TrustedID Premier, includes credit monitoring by the three credit bureaus, (Equifax, Experian and TransUnion ), copies of Equifax credit reports, the ability to lock and unlock Equifax credit reports, identity theft insurance and internet scanning for social security numbers.

Equifax promised to send direct mail notices to the subset of consumers whose credit card and dispute data was accessed. Equifax has also sent notice to the U.S. state and federal regulators, including the states attorney general, of the cyber breach.  Equifax encourages consumers to contact it with any questions through the website or through its dedicated call center at 866-477-7559.

Of course, it is always best practice, in every circumstance, to read websites’ Terms of Service (“TOS”) and other website policies, in order to decide whether you wish to accept an Internet offer, even one for “complimentary” services. For example, Trusted ID Premier’s TOS  require that any dispute be resolved through arbitration or individual adjudication in a small claims court and  that class action participation be waived. Only you can determine whether, in your view, you should agree to be bound by the TOS in light of your individual circumstances, the risks involved and personal preferences regarding litigation.

Finally, even with Equifax’ monitoring, cyber hygiene is paramount. You should continue to protect your information, change your passwords, be vigilant against cyber phishing and other scams, and act quickly to address any questionable activity you observe.

Related Publications


Legal updates and news delivered to your inbox