Equifax Fallout: What Should CUs Do?
The fallout from the Equifax breach, in what should be a drawn-out process, has already begun, including a class-action lawsuit filed on behalf of Oregon consumers and guidance for credit unions.
To recap: credit rating firm Equifax revealed that a breach exploited a website weakness to access the personal information, including credit card and Social Security numbers, of as many as 143 million Americans. The Atlanta-based firm said it discovered on July 29 that hackers accessed certain files from mid-May through July, but waited until Sept. 7 to warn consumers.
The data included names, Social Security numbers, birth dates, home addresses, and in some cases, driver's license information. Equifax also disclosed that 209,000 credit card numbers, and other personally identifiable information on 182,000 consumers, might now be available to hackers.
NAFCU President and CEO Dan Berger in a letter urged congressional leaders to support national data security standards for retailers and others who collect and store consumers’ personal and financial information following news of the Equifax data breach. “The massive breach at Equifax, and the report that they had known about it for weeks without notifying consumers, is yet another demonstration of the need for a legislative solution.”
“Equifax is a company that trades in data security, but has failed miserably in subjecting nearly half of the American population to identity theft. Waiting 41 days to announce the data breach and evidence that company executives may have used this time to sell their stock, in advance of the bad news, is criminal in nature,” Paul Stull, CEO of the Credit Union Association of New Mexico, said. “Worse than that, this may have happened because Congress has failed to pass any meaningful national penalties or standards to keep our data safe.”
Brian Witt, regulatory and compliance attorney for Portland, Ore.-based Farleigh Wada Witt, which serves as general counsel to the Northwest Credit Union Association as well as several hundred credit unions in the Pacific Northwest and nationwide, said the firm is actively working with clients regarding communication to members and assessing their recourse against Equifax.
“The Equifax data breach does not appear to involve the magnitude of credit/debit card replacement losses that credit unions generally fear and have experienced in many past data breaches,” Witt said. Nevertheless, credit unions and their members still could suffer from the Equifax breach. “One of the real disturbing issues with respect to Equifax is their lack of contractual responsibilities for data security. If you want to truly know the heart of who Equifax is and what they do, look at the service contracts they maintain with credit unions. Equifax provides virtually no data security protections and flat refuses to negotiate reasonable data security protections.”
Witt noted that, interestingly, within hours of Equifax’s public announcement of its breach, a class action lawsuit, filed in Oregon on behalf of several Oregon consumers, sought $20 (for ID theft monitoring) for each victim based upon Equifax’s negligence.
Farleigh Wada Witt provided guidance in a bulletin to its Oregon, Washington and Idaho credit union clients on preliminary compliance considerations.
Among the law firm’s recommendations:
- “Due to the potential identity theft risk the loss of the data represents, credit unions will want to be vigilant in watching for application fraud and account takeover attempts,” the guidance said. The concern is that data from this incident, combined with data from other breaches, could complete consumer profiles of members already on the Dark Web.
- Members will also look to their trusted credit unions for advice and assurance. Local media will look to you for information on the effect of the breach, and tips on what consumers should do.
- “Consumers’ information put at risk by the Equifax breach is separate from their credit union data, but you want to help consumers protect both,” the guidance offered. “Assure members you remain ever-vigilant in securing their credit union data. They also should use your products available to monitor their credit union accounts, and report any suspicious activity to you.”