News & Publications

Equifax Data Breach: What Are Your Notification Obligations?

Has your organization engaged Equifax to perform credit reports or background checks on potential new hires or others? Have you provided personal information such as Social Security numbers or driver’s license numbers for those individuals? If so, you may be required by state data breach notification laws to provide specific notification to these individuals, and to state law enforcement agencies. Failure to make these notifications may result in significant financial penalties.Has your organization engaged Equifax to perform credit reports or background checks on potential new hires or others? Have you provided personal information such as Social Security numbers or driver’s license numbers for those individuals? If so, you may be required by state data breach notification laws to provide specific notification to these individuals, and to state law enforcement agencies. Failure to make these notifications may result in significant financial penalties.

Forty-eight states have data breach notification laws that require notice of the breach when certain information specified in the statute has been disclosed to unauthorized individuals.  The full extent of the Equifax breach is not yet known, but is believed to comprise dates of birth, Social Security numbers, credit card numbers and other sensitive information on perhaps 140 million people. This is the type of information addressed by many state data breach notification laws.

If your organization engaged Equifax to prepare credit reports or background checks and your organization provided information covered by the statute to Equifax, then Equifax is your vendor and state laws generally create responsibility on the part of the organization for data breaches by its vendors. In addition to notification to the affected individuals, you may also be required to notify the office of the pertinent state attorney general, a state consumer protection agency and, in at least one state (New Jersey), the State Police.

Steps to Consider as a Consumer

If you are concerned with your company’s financial information and/or your own personal information that may have been in Equifax’s possession, you may wish to check with Equifax to ascertain whether your information was among the data that was breached. Please note, though, that many consumers have reported inaccurate responses or less-than-informative responses from Equifax sites. False names and Social Security numbers have resulted in responses stating that the fictional individual’s information was released, while inquiries with true identity information have generated responses such as, “Your information may have been compromised.”  Some who have visited the Equifax websites have reported that they received warnings prompted by the individuals’ security software such as, “Attackers may be trying to steal your information from this website.” It may be some time before the Equifax responses to consumer inquiries can be deemed reliable.

Equifax is offering one year of “free” credit monitoring, though some will be understandably reluctant to have the same organization that lost its data monitor credit and thereby obtain more information. The monitoring comes with strings, in that you must agree to arbitration and not to join a class action, unless you opt out in writing within thirty days of accepting the monitoring service. Instead, you may wish to consider applying for credit monitoring through one of the other organizations offering this service, such as Experian or TransUnion (though there may be a fee for this service). While working through these decisions, we suggest that you closely monitor your accounts.

In addition, it may be worth considering a credit freeze on your credit records. A credit freeze is a tool that lets you restrict access to your credit report, making it more difficult for identity thieves to open new accounts in your name. Please keep in mind, though, that a credit freeze may create difficulties if you apply for additional credit or a home mortgage during the freeze period.

To establish a credit freeze, you should visit each one of the three credit reporting agencies and follow the steps. For your convenience, the links are below:

The requirements of breach notification laws, including timing and content of the notice, vary by state, and federal regulatory provisions regarding notification may be implicated as well, depending upon your industry. The array of credit protection services, and the benefits of and concerns about, them require careful consideration. If we may be of assistance in determining your data breach compliance obligations, questions regarding credit protection or other questions regarding the Equifax breach, please contact Kenneth N. Rashbaum.