Asked and Answered . . .

Kathy Ossian on Equifax breach

By Steve Thorpe
Legal News

Recently the credit reporting agency Equifax announced that data of 143 million consumers was potentially compromised through a “website vulnerability” that occurred from mid-May through July, 2017. Equifax discovered the breach on July 29, but was criticized for waiting nearly six weeks to reveal the problem. Kathy Ossian is the principal of Ossian Law PC in Ferndale, which provides legal expertise in all areas involving Information Technology and the Internet. She concentrates on the legal risks involved with IT activities like cloud computing, social media, phishing and mobile devices. Ossian is a frequent speaker and author on IT law trends and topics.

Thorpe: Give us a quick summary of what happened with Equifax.

On Sept. 7, 2017, Equifax publicly announced the breach. According to the company, on July 29, the Equifax security team first observed “suspicious network traffic associated with its U.S. online dispute portal web application.”

Although Equifax says that it blocked that traffic, suspicious activity was observed again the next day, so the application was taken down. Equifax identified a vulnerability in the open source Apache Struts web application framework that supports the application. The company then hired an outside cybersecurity firm to assist in the investigation. The investigation revealed that, between May 13 and July 30, unauthorized access may have taken place to data of approximately 143 million consumers, including Social Security numbers, dates of birth and, in some cases, driver’s license numbers. Equifax claims that the September 7 announcement occurred “as soon as the company understood the potentially impacted population” and was in a position to “proactively support” impacted consumers.

Thorpe: There have been even bigger data breaches, including Yahoo’s between 2013 and 2016 that affected more than one billion accounts, but you’ve speculated that the impact of the Equifax breach could be the farthest reaching to date. Explain?

The number of potentially accessed consumer records alone doesn’t necessarily correlate with the resulting damage. What makes the Equifax breach farther reaching is the nature and specific type of data involved. With breaches of companies that hold more traditional consumer accounts, such as Target, Yahoo, Home Depot and LinkedIn, consumers are largely aware of the type of data, i.e., contact information, information about products and services purchased and credit card information. In large part, this data was provided directly from the consumer to the retailer. Contrast this with Equifax that obtains its data from third parties (rather than the consumers themselves) such that consumers may not even be aware of the full range of information that Equifax collects and maintains.

Further, Social Security numbers are used as a primary identifier in the credit reporting industry, so it is likely that most, if not all, of the 143 million consumers’ social security numbers were potentially accessed.

Thorpe: Equifax has created a website (equifaxsecurity where consumers can find out if their personal data has been compromised and is at risk. Consumers can also enroll for “free” identity-theft protection and credit-file monitoring. But their response has been heavily criticized. Why?

On the same date as the public announcement of the breach, Equifax launched the site. In order to determine whether a consumer has been impacted, he or she is required to enter last name along with last six digits of his or her social security number. In light of the breach, many consumers are wary of providing Equifax with additional sensitive information. Beyond this, the terms of the site included an arbitration clause, which some believed was a deliberate attempt to prevent consumers from joining in any future lawsuits against Equifax over the breach. Equifax later stated that the arbitration clause would not apply to consumers signing up for credit monitoring services because of the breach. The site itself has experienced technical problems. For example, as of 5 p.m. on September 22, the site contained the message:  “We are currently experiencing difficulties with our TrustedID website. As a result, the site may be unavailable periodically, and we are working hard to help reduce interruptions. We apologize for any inconvenience and appreciate your patience.” The Equifax “fix” itself appears to be flawed.

Thorpe: Individuals and businesses currently have limited options for holding companies responsible for not protecting their data. What are some of those options?

In the case of a breach by a retailer, like Target, or internet service provider, such as Yahoo, the consumer can make a decision to no longer do business with that company. As a credit reporting agency, Equifax is utilized by a financial institution or retailer and not the consumer directly, so the consumer doesn’t have the option to stop doing business with Equifax. Dozens of lawsuits have already been filed against Equifax, many fashioned as potential class actions. Based on other class actions instituted after major breaches, few impacted consumers receive significant direct monetary relief. Some consumers have determined to use services other than Equifax to monitor or freeze their credit. Days after the Equifax announcement, Sen. Elizabeth Warren (MA) introduced a bill that would allow consumers to freeze their credit without charge in these circumstances. Rep. Bill Himes (CT) introduced a similar bill in the House.

Thorpe: Some have called for a “Digital Bill of Rights” to protect consumers from lapses by companies entrusted with their information. What might be in such a bill?

: Privacy and consumer protection advocates have long called for consumers to have standard, uniform rights with respect to the protection and compromise of their data. On the front end, such a bill would require true transparency in the privacy policies and practices of companies, including consumer-dictated parameters and limitations on what data is collected and how it can be used or shared. Such a bill would also include a set timeframe for notifying impacted consumers, as opposed to the patchwork of existing, often conflicting state data breach notification laws. To afford an actual remedy to consumers and act as a deterrent to companies with lax policies and practices, such a bill could also include statutory damages, assessed on a per record basis.

Thorpe: Legislators, government agencies and major corporations have been slow to keep up with protecting information in the digital age. Do you see any bright spots on the horizon, or are we doomed to see these leaks over and over again?

As mentioned above, some legislation has been introduced on the federal level in reaction to the Equifax breach. Unfortunately, prior initiatives toward enacting uniform federal laws governing data security and data breaches have failed. I don’t expect that the Equifax breach will result in any imminent change in that regard. Unless companies begin facing more certain, substantial consequences, I expect that we will not see any great diminishment of these types of occurrences.

Subscribe to the Legal News!
Full access to public notices, articles, columns, archives, statistics, calendar and more
Day Pass Only $4.95!
One-County $80/year
Three-County & Full Pass also available