Last week there was yet another massive data breach of an ostensible industry bastion – Atlanta-based credit bureau Equifax – resulting in the loss of the personally-identifiable information of over 143 million people in the United States. For perspective, the entire U.S. population is currently around 325 million, of which approximately three-quarters are over age 18. Doing some rough math, nearly 60% of U.S. adults may now be at risk of identity theft due to the Equifax information security incident.
The data accessed and stolen from Equifax’s systems includes some of the most sensitive categories of personal information: names, social security numbers, birth dates, addresses, driver’s license numbers, and credit card numbers. With the ubiquity of data residing in, and flowing through, the cloud, consumers hold what they believe to be a reasonable expectation that their personal information will be safeguarded and protected from theft, especially by large, trusted, established companies like Equifax. Data controllers and processors act as though they understand those expectations, and consequently attempt to put systems in place with the hope that the controls associated with those systems are enough to secure their databases. Yet significant breaches like those at Equifax, Yahoo, Anthem, Home Depot, Target, LinkedIn, and Heartland continue to pile up.
Equifax will face immeasurable reputational and financial fallout from its failure to prevent this latest breach, including extraordinary negative PR, eroded trust, and a drop in stock price with a related decrease in shareholder value. Recent studies indicate that the average per-record cost to a company suffering a data breach in the U.S. in 2017 is down slightly from prior years; however, the average number of records stolen per incident continues to rise. Analysts have estimated Equifax’s gross costs relating to this latest incident will be $300 to $325 million. Examples of the costs associated with a breach like this one include: customer churn; detection, escalation and notification costs, such as investigations, forensic analyses, audits, crisis management, communications with the board of directors, and notification of victims; IT systems-related costs; legal expenses; and costs associated with the resolution of lawsuits and other claims. In accordance with reporting and remediation requirements under applicable state and federal laws relating to data breaches, Equifax must now send written notifications to every individual affected by its security lapse, as well as provide free identity theft prevention services to those impacted. To its credit, Equifax stated that it will provide free credit monitoring services for a year not just to the persons affected, and not only where states’ laws require it, but to anyone in the U.S. who wants those services. You can enroll in the free credit monitoring program Equifax is offering here: https://trustedidpremier.com/eligibility/eligibility.html
What can company leaders learn from this breach?
If you are a CEO, CTO, CIO, GC or another executive of a company that receives, processes and stores confidential and sensitive information, or if you are otherwise responsible for the security of that information at your company, what can you do to prevent hackers from gaining access to your organization’s systems and stealing information? Unfortunately, perfect cyber-security doesn’t exist, and no outright prevention of system breaches is guaranteed. However, beyond maintaining adequate IT systems that minimize vulnerabilities as far as possible, there are steps you can take from a legal perspective to mitigate the associated risks, such as:
- Include effective and robust data privacy and security-related provisions in your agreements with your vendors and service providers, containing clauses that, among other things:
  - address restrictions on use and disclosure of information, as well as mandate destruction or return of information within certain timeframes;
  - obligate the service provider to implement and maintain certain levels of data security that are vetted with your organization’s IT security personnel and consultants;
  - give your organization the right to perform audits of the vendor’s systems, IT security programs, and compliance with applicable laws, and to obtain security standards audit reports on the vendor’s systems; and
  - obligate the vendor to respond to data security breaches and issue notices about them.
- Ensure that your company maintains and abides by an up-to-date privacy policy that complies with applicable laws.
- Investigate what it would take for your company to carry applicable cyber insurance, and then secure it.
- Implement internal policies and provide regular training for all employees and contractors with respect to information security to ensure that your company stays vigilant at every level of prevention.
Don’t hesitate to let us know if you have any questions about this alert, would like assistance with your organization’s vendor and service provider agreements and/or its applicable policies, or if your organization is the victim of a data security breach. Morningstar Law Group attorneys have experience with all the foregoing and are ready to help. Please feel free to contact Richard Caira at rcaira@morningstarlawgroup.com, Jennifer Van Doren at jvandoren@morningstarlawgroup.com, Kip Johnson at kjohnson@morningstarlawgroup.com, Randy Whitmeyer at rwhitmeyer@morningstarlawgroup.com, or Chris Jackson at cjackson@morningstarlawgroup.com.