Equifax Breach: Lessons Corporations Must Learn from Equifax’s Poor Planning and Response
Equifax’s stunning security breach and inadequate response have now claimed their most prominent victim – the CEO of Equifax, Richard Smith, announced his immediate resignation.
In light of this rapid fall from grace, here are lessons learned from Equifax’s mistakes:
- Take cyber security very seriously. Defending against sophisticated hacking or advanced phishing attacks is hard enough without making a hacker’s task easy by failing at the basics, such as patch management of known vulnerabilities.
- Prepare in advance for a cyber security incident. Even though Equifax took six weeks from the time of discovery of the breach until its announcement of the breach, it seemed completely unprepared for what happened next. Every company needs a plan for how to respond to a breach, and should regularly test that plan through realistic simulations.
- Engage with outside counsel early. Equifax’s counsel was not announced until a week after the breach was made public. This suggests Equifax did not use the six weeks in which it was investigating the breach to prepare for the inevitable legal consequences. In fact, counsel should be brought in as soon as possible to oversee the investigation, allow privileged communications, and prepare for litigation. Indeed, outside counsel should have been involved in developing an incident response plan, even before there was a breach.
- Have a clear story about what happened, how you are going to fix it, and what affected consumers can do. Not only will this help your PR strategy, it will make the inevitable lawsuits and government investigations easier to defend.
- Think through in advance how your statements will be perceived by your customers. Understand that even though you may feel like the victim as a result of the breach, customers will not be sympathetic.
- Don’t look like you (or your executives) are evading responsibility or, even worse, trying to profit off the breach.
- Ensure your consumer-facing websites and call centers are prepared for customer questions and give out accurate information in response.
In the less than three weeks since the announcement of the breach, Equifax has succeeded in making itself into a case study in how not to prepare for or respond to a breach. Indeed, Smith’s resignation is not the first from Equifax this month – immediately after the announcement of the breach, Equifax’s Chief Information Officer and Chief Security Officer also abruptly retired. At the same time, the lawsuits and investigations into Equifax’s conduct continue to expand. Several class action and individual lawsuits have been filed against Equifax, its executives, and even individuals on its security team. Both the Federal Trade Commission and the Department of Justice have opened investigations into the conduct of Equifax and its senior executives, and several state Attorneys General have opened their own investigations, including the Attorneys General for both Massachusetts and New York. Congress has scheduled hearings on the subject, and the New York State Department of Financial Services, which regulates many of the country’s financial institutions, has announced an intent to change its rules to ensure that credit rating agencies will in the future be subject to its regulation.
The list of Equifax’s public relations failures in the wake of the breach also continues to grow. To touch on a few: Though Equifax did not admit it initially, it quickly came out that the breach was not the result of super-sophisticated hacking techniques, but rather the exploitation of a well-known software flaw whose fix had been available for months before the breach occurred. Equifax’s initial website, set up to inform customers whether they had been victims, didn’t work properly, frustrating consumers. This website also contained a click-through legal disclaimer that required consumers to waive their right to sue in return for Equifax’s promised year of free credit monitoring (Equifax quickly withdrew this requirement). Equifax charged consumers to freeze their credit reports, which was widely interpreted as an effort by Equifax to profit from the breach. Even after Equifax promised to waive the fee, the website wouldn’t allow any credit freezes to go through without payment. The PINs Equifax automatically assigned to individuals who did successfully freeze their credit were based on a simplistic formula that appeared to be easily guessable by hackers, seemingly inviting a second round of breaches (Equifax later changed the formula). Even worse, Equifax tweeted multiple consumers a link purportedly to its website to register for the free monitoring, but gave the wrong link, sending them to a site that did not belong to Equifax at all, thereby opening up the possibility that these consumers could be breached again. Equifax even managed to make the accusation of insider trading by its executives – three executives sold approximately $2 million of stock after the company became aware of the breach but before it was publicly announced – into a worse PR nightmare by pointing out that $2 million represented only a small portion of the relevant executives’ holdings, a statement that further inflamed consumers who did not think $2 million was pocket change.
To learn more about what companies can do to prepare for and respond to data breaches, please contact Seth Berman.
To learn more about what individuals can do to protect themselves from identity theft in light of the Equifax breach, please see our prior Nutter client alert on that subject.
This advisory was prepared by Seth Berman, a member of Nutter's Litigation Department. For more information, please contact Seth or your Nutter attorney at 617.439.2000.
This advisory is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.