SUMMARY

Equifax, one of the three major consumer credit reporting agencies in the United States, disclosed yesterday that hackers had breached its security systems and stolen information relating to as many as 134 million American consumers. The data the hackers accessed included consumers’ names, birth dates, addresses, Social Security numbers and driver’s license numbers. In addition, credit card numbers belonging to 209,000 people were taken, along with documents used in credit card disputes relating to 182,000 people. Equifax said that the breach had taken place between the middle of May and July of this year and it discovered the breach on July 29. It engaged an independent cybersecurity firm to conduct a forensic review to determine the scope of the breach.

Equifax has set up a website for consumers to use to determine whether the breach affected their data: 
https://www.equifaxsecurity2017.com. Through the site, individuals can also enroll in free Equifax credit monitoring through a product it calls TrustedID Premier. Consumers should be aware that enrollment in TrustedID Premier requires the enrollee to agree to an arbitration provision whereby they waive the right to sue Equifax in court or join any class action against Equifax relating to the TrustedID Premier service, although it is unclear if this also would apply to claims arising from the breach itself. New York’s Attorney General, Eric Schneiderman, tweeted on Friday morning that his staff had directed Equifax to remove the arbitration provision from the enrollment agreement, but as of midday, it was still in place. Free enrollment in the product only lasts for a year, so individuals will need to cancel their enrollment to prevent being charged for the service thereafter. It is possible to determine whether an individual’s data was accessed without enrolling in TrustedID Premier, but doing so requires a consumer to provide Equifax with a partial Social Security number.  

It appears possible for hackers to use the data from Equifax to open credit accounts, obtain loans, make unauthorized purchases or access third-party accounts (such as cell phone or cable providers) belonging to the affected people. Equifax and consumer advocates are urging individuals to monitor their credit and bank accounts for any unauthorized activity. It may take time for hackers to put the stolen data to use, so consumers will have to keep monitoring their accounts indefinitely. Individuals can also set up fraud alerts through Equifax and the other two major credit reporting agencies, Experian and TransUnion. 
 
This is not the first time Equifax has been hacked. Last year, hackers obtained tax and salary data for an unidentified number of individuals through an Equifax website. And in 2013, it announced that hackers had accessed the personal information of four high-profile individuals (whom it did not identify) after a Russian website posted personal information relating to figures such as Michelle Obama, Joe Biden, Jay-Z, Beyonce, and Paris Hilton.
 
The most effective step consumers can take to prevent unauthorized use of their data is to freeze their credit, which can be accomplished through a number of methods, including Equifax’s TrustedID Premier service and through Experian and TransUnion. The U.S. Federal Trade Commission has a comprehensive website that details how consumers can freeze their credit and otherwise address the risks of identity theft: http://bit.ly/2wO7m29. Doing so prevents the opening of any accounts or the origination of any loans based on the individual’s data. Of course, that may not be a practical step for people who have near-term plans to get financing or loans. The FTC also has a FAQ discussing credit freezes, which is accessible at http://bit.ly/2bnWHOs.
 
Companies who deal with Equifax should consider their own security posture in light of this breach, and should consider whether they may have their own notification obligations to consumers if they have supplied information to Equifax that is included in the breach. All companies who handle personal information need to remain vigilant about cybersecurity issues and ensure that they have policies and procedures in place to detect and respond to security incidents in a timely manner.