Best Practices For Protecting Your Information From The Equifax Hack

Last week's revelation of a massive data leak at Equifax--one of the country's three main consumer credit bureaus--has so many ramifications for so many stakeholders it's difficult to know where to begin.

There are cautionary lessons for businesses about cyber-security, further evidence for policy-makers about our increasing vulnerability to institutional hacking, and—one would expect—regulatory and legal implications for Equifax and its rivals.  But the concern that probably comes to mind first for almost everyone—because it impacts nearly everyone—is the ramifications for consumers impacted by the breach.

What Consumers Should Know About the Equifax Hack and How to Protect Your Information 

So just what are consumers to make of this situation?  And how can they protect themselves?

Consumers have been warned for years to guard personal information like social security numbers and birthdates very carefully and to disclose that data only to trusted, verified sources.  While identity theft has become an issue of increasing concern and has impacted all segments of society, savvy consumers could at least take comfort that by following best practices, they were minimizing the risk of their personal information getting into the wrong hands. 

The thing that is so frustrating, so scary, about the Equifax breach is that no matter what practices you followed, no matter how careful you’ve been, your information has almost certainly been compromised. 

The Federal Trade Commission (FTC)--the federal agency charged with oversight of the credit bureaus, including Equifax—has confirmed that 143 million American consumers were impacted by the breach. "If you have a credit report,” the FTC warns in a September 8th post to its website by Division of Consumer & Business Education attorney Seena Gressin, “there's a good chance that [your] . . . sensitive personal information was exposed in the data breach [at Equifax].”  The full post can be read here: https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do    

Federal Trade Commission's Recommendations to "Help Protect Your Information From Being Misused"

The FTC recommends several steps to “help protect your information from being misused.”  First, it suggests that consumers find out if their personal information has been exposed by visiting the Equifax website and clicking on the “Potential Impact” tab (available here: https://www.equifaxsecurity2017.com/potential-impact/ ).  In order for Equifax to give a determination, however, the consumer must enter his/her last name and the last 6-digits of his/her social security number. 

The public comment section of the FTC website reflects understandable frustration and trepidation over this requirement.  A fairly typical post complains: “you [are] asking us to reveal even more than the last four digits of our SS number by sending them to [Equifax’s] (Supposedly) hacked servers.”  Another notes: “If I know the State you were issued your SS card I will know your 9 digit SS#... why do you need the last 6” (This comment is likely referring to the fact Social Security numbers issued before 2011 used an “Area Number” based on the state of residence of the applicant, for the first three numbers.  Numbers assigned since June 25, 2011, have been issued under a process the Social Security Administration calls “SSN randomization,” in which the first three numbers are assigned at random and have no link to geography). 

This reaction is quite understandable, and even laudable to the extent that it demonstrates that awareness efforts about keeping social security numbers secure have been successful.  Given the extent of the breach, it would not be unreasonable for a consumer skeptical of sending further data to Equifax to simply assume his/her data has been compromised and proceed to the next steps.  (Consumers who would like to avail themselves of Equifax’s “potential impact” service should certainly be careful to make sure that they are on the legitimate Equifax website, and that they are only sending information from a secure computer over an encrypted network connection.  The FTC offers helpful tips on these computer best-practices here https://www.consumer.ftc.gov/articles/0009-computer-security and here https://www.consumer.ftc.gov/articles/0014-tips-using-public-wi-fi-networks.  Personal identifying information should never be sent over public Wi-Fi.)

What You Should Watch Out For and What You Should NOT Do

Consumers also need to be extra cautious about phishing scams in the aftermath of the breach, as fraudsters may try to capitalize on concerns about the leak to coax information out of nervous consumers.  Consumers should take note: Equifax will not call you (unless you call and leave them a message requesting a call back) so do not give out personal information to any unsolicited caller or emailer purporting to be from a credit bureau or the government.  Similarly, your bank or credit card issuer will never contact you and ask for personal identifying information like birth dates and social security numbers.   

The FTC also notes that consumers can get free credit report monitoring from Equifax for one year.  This, similarly, has received a chilly response in the public comments section.  The move is seen as insufficient (“they charge a fee for me to put a credit freeze on my account” and “we only get 1 year free?  My SSN stays with me forever so why don’t I get protection forever?”), inappropriate (“monitoring comes with no way to opt out of marketing for that year”), hard to access (“I tried enrolling in equifax’s [sic] protection program, and I have to wait until 9/13 to enroll”) and self-serving (“the fine print for the Premier credit monitoring service offered by Equifax states that in accepting their offer, you waiver the right to participate in any class-action lawsuit brought against them in this matter”). 

These concerns, too, are understandable.  Indeed, one year of credit monitoring, while important, is insufficient for consumers to protect themselves from identity theft.  Monitoring credit reports periodically is an important first step, however, and whether consumers trust Equifax to do that monitoring or not it is important for them to avail themselves of one of the mechanisms for credit monitoring.  Consumers can check all three major credit reports at annualcreditreport.com and at the other bureaus—Experian and Transunion, also offer monitoring services.  Some banks and credit cards also offer credit monitoring to members. 

If consumers do find suspicious activity on their reports they should report it immediately, and place a credit freeze or fraud alert on their accounts.  Fraud alerts prompt the credit bureaus to sends a notice to any would be creditors to take additional steps to verify a consumer’s identity before issuing credit.  The more conservative approach is a credit freeze, which prohibits the credit bureaus from releasing the consumer’s credit report or any information without the express written authorization of the consumer (with some exceptions, which vary by state).  Indeed, even in the absence of suspicious activity, instituting a credit freeze might be prudent, as a “normal” credit report is not an indication that a consumer’s data wasn’t compromised—only that it hasn’t been used (yet) to obtain credit in the consumer’s name.   State-specific instructions on how to freeze consumer credit reports can be obtained here: http://consumersunion.org/research/security-freeze/ .  In most states, there is a fee associated with freezing—and temporarily unfreezing, to take out new credit—a credit report (although, given the current circumstances, some fees are currently being waived).    

Consumers shouldn’t delay in taking these precautions—the data breach began as early as May even though it was only reported publicly last week.  While it strikes many as unfair that they should have to pay anything to safeguard data that was leaked by a third-party institution, consumers really do need to adopt the mindset that they—and not the government or any other third party actor—are the party primarily responsible for their own identity security.  Protecting one’s identity and personal information in an increasingly digital world requires vigilance.  It should be viewed as the cost of doing business in the consumer credit market. 

Consumers should also remember that, although it was a credit bureau that was breached, a would-be identity-thief can wreak havoc beyond fraudulently obtaining consumer credit.  Access to social security numbers, birthdates, and driver’s license numbers can be used to perpetrate many other forms of identity theft, such as obtaining government benefits or employment, filing taxes (in order to obtain the refund check), or obtaining access to bank accounts.  The data breach also included information on hundreds of thousands of credit cards.  Consumers should monitor bank accounts and credit card statements closely, and take advantage of any heightened security features offered by their bank.     

So, consumers are clearly on the losing end of the data breach and have some work to do to protect themselves from the fallout.  But what will the consequences be for Equifax?  The short answer is, it is too soon to know.  Early indications, however, do not look promising for Equifax.  It appears from early reports that the breach was not the result of a technical assault using new, state-of-the-art techniques, but rather access acquired through a vulnerability in a web application that some cyber-security experts are saying should have been secured.  If this turns out to be the case, the legal consequences for Equifax could be quite dire indeed.  The FTC and the Securities and Exchange Commission (SEC), as well as countless state level regulatory agencies, are likely to scrutinize the data breach very thoroughly. 

Regulatory and Political Consequences To Expect Beyond Equifax 

Beyond Equifax, there are likely to be significant regulatory and political consequences for the entire consumer credit industry—and probably for any business that holds personal information of customers or clients.  The New York Post has reported that there has already been a surge in credit card fraud since the breach and upticks in other forms of identity theft are thought to be likely.  Such activity, which many observers expect will be sustained given the amount of compromised data, can be expected to keep regulators and politicians focused on the problem even after the initial media blitz dies down.  Already Capitol Hill-watchers are predicting that the breach will force the GOP-controlled Congress to abandon some of its plans for further financial industry deregulation.  At a minimum, it seems likely that we can expect some new laws or regulations around the protections of sensitive personal information.  Enron’s collapse gave us Sarbanes-Oxley.  The financial crisis yielded Dodd-Frank.  It’s not hard to imagine that the great Equifax data breach of 2017 could lead to a landmark consumer protection bill and a regulatory overhaul of the credit bureaus.  While there is a lot we still don’t know, it will be interesting to see how it all plays out.  But in the meantime, go check your credit report.