Compliance Blog

Sep 15, 2017

After the Equifax Epic Data Breach Fail - What Next?

One would have to have been hiding under a rock not to have heard about the massive Equifax data breach.  The credit reporting agency announced last week that a web application flaw exposed 143 million consumer records to hackers including credit card numbers for 209,000 U.S. consumers and what it described as "dispute documents" containing personal information for 182,000 U.S. consumers.   Equifax stated it discovered the intrusion on July 29.  On top of that, three senior executives sold shares worth almost $1.8 million in the days after the discovery on August 1 and August 2, although Equifax indicated the executives "had no knowledge that an intrusion had occurred at the time they sold their shares."  Equifax's response in responding to the situation fell short of expectations.

You fail that much

So what can a credit union do?  

There is no technical federal regulatory requirement for a credit union to notify its members or NCUA of a third party data breach.  A credit union is only required to notify members and NCUA when there has been a direct data breach of the credit union's system maintained by it or its third-party service provider.  That being said, member notification, in any data breach context, may help to mitigate against the risk of fraudulent or unauthorized transactions.  A credit union might also review any contractual agreements with Equifax to see whether and how this situation (arguably, this eventuality) was addressed and whether there are any contractual obligations for either party.

A credit union with a relationship with Equifax could conduct a vendor review if it believes it is appropriate, and question the security surrounding sharing and connections with outside parties. NCUA's Letter to Credit Unions 07-CU-13 and the enclosed Supervisory Letter No. 07-01 might be helpful, as would the Oversight of Third-Party Service Providers section of the Information Security booklet of the Federal Financial Institutions Examination Council's IT Examination Handbook.

What about helping credit union members?

How an individual credit union chooses to serve its members within this context is a business decision.   But a credit union can always provide members with resources such as:

The scale of this breach means that every Social Security Number in the U.S. in conjunction with the associated name must be presumed to be public knowledge.  As a result, security experts are saying a Social Security Number should no longer be used to validate anyone's identity.  In addition it was reported yesterday, Visa and MasterCard are sending confidential alerts to financial institutions across the U.S. this week, warning that more than 200,000 credit cards were stolen from Equifax.  The data was downloaded in "one fell swoop" in mid-May 2017 and the “window of exposure” for the stolen cards was between November 10, 2016, and July 6, 2017.  The breach also impacted an undisclosed number of people in Canada and the United Kingdom but the official list of victim countries may not yet be complete.

The Equifax data breach has already led to the filing of more than 30 lawsuits seeking class-action status. One suit, filed in Portland, Oregon, is demanding up to $70 billion in damages.  Equifax executives can also expect to appear before Congress as a result of the breach.

***

Upcoming NAFCU webcasts:

Regulatory Orders: Getting Out and Staying Out

Tuesday, September 19 | 2:00 p.m. – 3:30 p.m. ET

Achieving Excellence in Consumer Reporting Compliance

Tuesday, September 26 | 2:00 p.m. – 3:30 p.m. ET

How to Detect and Prevent Employee Fraud

Tuesday, October 24 | 2:00 p.m. – 3:30 p.m. ET

About the Author

Shari Pogach, NCCO, NCBSO, Regulatory Paralegal, NAFCU

 Shari Pogach, NCCO, NCBSO, Regulatory Paralegal

Shari R. Pogach, NCCONCBSO, has served as Regulatory Paralegal for NAFCU's Regulatory Compliance and Regulatory Affairs divisions since 2007.

Read full bio