Equifax Breach is a Category 5 Incident Affecting You – Our Recommendations on How to Safeguard Your Data
On September 7, 2017, Equifax announced what appears to be the largest breach of consumer data in US history. According to Equifax, it discovered on July 29, 2017 that it had suffered a cyber-attack which lasted from May to July 2017, and potentially impacted approximately 143 million US consumers.
The Equifax hacking is the cyber equivalent of a Category 5 hurricane. It is not only vast in its scope – impacting most of the US adult population – it is also a breach of the most sensitive financial data. According to Equifax, the information accessed included Social Security numbers, birth dates, addresses, and driver’s license numbers. In other words, exactly the information that an identity thief would need to steal your identity. Indeed, depending on how the stolen data is used, it could easily lead to widespread fraud and may call into question our entire system of monitoring and tracking credit through credit rating agencies.
Nutter’s Privacy and Data Security practice group is monitoring the Equifax breach, and will issue lessons learned from Equifax’s handling of the breach as more details become available. In the meantime, this client alert provides immediate suggestions on what you can do to protect your own personal information in light of this massive breach.
Unlike in prior major breaches, Equifax says it will not individually notify the consumers whose data has been breached. Instead, it has set up a website and asked consumers to enter their personal information (including the last six digits of their Social Security numbers) to find out if their data was included in the breach. We do not recommend using this website. Early reports suggest that on its first day the website did not actually tell users whether they had been impacted, and on its second day told anyone who used the site (even fictitious people with random digits entered as Social Security numbers) that they were victims. In other words, the information on the site cannot at this point be trusted. Moreover, it is probably not worth the effort to check – if you are an adult living in the US who has ever applied for a mortgage, credit card, or utility service, your data is almost certainly a part of this breach.
Equifax is also offering one year of free credit monitoring to any adult in the US (regardless of whether your data was included in the breach). We believe this offer to be woefully insufficient. Credit monitoring is a good idea, as detailed below, though one year is not long enough. The data that was accessed in this breach does not expire in a year, and thus the risk from this breach will not go away in 12 months. Additionally, it is extremely important to note that the breach of Equifax’s data indirectly impacts the other credit rating agencies too, as the data in Equifax’s database can be used to authenticate the identity of someone whose name appears in other credit rating agency files. Instead of what Equifax is offering, we recommend the following:
- Immediately begin monitoring your credit reports. This can be done either through a credit monitoring service such as LifeLock, IDShield, Identity Guard, or Credit Secure (or a number of other companies, including the free one-year offer from Equifax) or even more cheaply by ordering and checking your free credit reports every few months directly from the credit agencies.
- Monitor your bank accounts and credit cards for signs of fraud. Immediately report any suspicious activity to your bank.
- Seriously consider placing a credit freeze on your credit file. A credit freeze makes it much more difficult for anyone to open a new account in your name (though it also makes it more difficult for you to open new accounts in your name as each new account needs to be authorized using a PIN). Credit freezes can be placed with each of the major credit bureaus (and one small one) through these links: Equifax, Experian, TransUnion, and Innovis. There is a small fee for placing a freeze on your account.
- If you decide not to place a credit freeze, at least place a fraud alert with each of the credit rating agencies on your account. A fraud alert is intended to warn creditors that you may have been the victim of identity theft and asks them to verify the identity of anyone seeking credit in your name. Fraud alerts can be placed using these links: Equifax, Experian, TransUnion, and Innovis.
- The FTC also recommends filing your taxes early to make sure that someone else doesn’t file in your name to get a refund before you file your own tax returns.
Nutter will provide further updates as this situation develops.
Nutter’s Privacy and Data Security practice group is led by Seth Berman. Prior to joining Nutter, Seth worked for 10 years at a leading cyber security investigations firm where he oversaw data breach and hacking investigations. Earlier, he served as an Assistant US Attorney in Massachusetts where he prosecuted, among other things, numerous individuals and criminal gangs for identity theft. In addition to his work at Nutter, Seth currently teaches Cyber Criminal Law at Harvard Law School.
This advisory was prepared by Seth Berman, a member of Nutter's Litigation Department. For more information, please contact Seth or your Nutter attorney at 617.439.2000.
This advisory is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.