Summer Danzeisen

Equifax Breach Highlights Regulatory Gaps in Data Privacy Protection

In a spectacular blow to data privacy, Equifax announced on September 7 that hackers had breached their database, exposing the sensitive personal information of 143 million people over the course of nearly two months.1 Even more troubling, Equifax purportedly learned about the breach in late July, waiting over a month to notify consumers of the threat to their financial security.2 The attack has reinvigorated discussion of the importance of legal and regulatory safeguards to protect individuals from the dangers inherent in the large-scale storage of their private data.

According to the Federal Trade Commission, hackers accessed people’s names, social security numbers, birth dates, and addresses.3 For a subset of those affected, hackers went even further, accessing individuals’ driver’s license numbers, credit card numbers, and credit dispute documents.4 Equifax believes the hack occurred between mid-May and the end of July, meaning this data has been in unknown hands for potentially several months.5 In the wake of the attack, identity theft, is a very real concern and consumers need to be proactive in taking steps to monitor their credit and accounts to minimize negative ramifications.

Such a massive data breach certainly invites the inquiry: how could this have happened? The answer to that question casts an even greater shadow on Equifax’s management of personal data. The vulnerability exploited by hackers lied in the Apache Struts enterprise software employed by Equifax.6 Soon after the breach was announced, however, the Apache Software Foundation released a statement revealing that the vulnerability had been disclosed back in March, well in advance of the breach, with simple instructions on how to correct the problem.7 Apparently ignoring this advice, Equifax failed to take steps to update their software, a move which would have prevented hackers from gaining access to the sensitive data Equifax had been entrusted to protect.8

Investigations and legal action abound in the aftermath of the breach announcement. Attorneys General in over thirty states have launched probes into the incident and several lawsuits seeking class action status have been filed.9 Additional scrutiny surrounds reports that three Equifax executives sold over $1.7 million in Equifax stock after the company learned of the breach but prior to the company’s notification of consumers.10 Thirty-seven senators signed letters sent to the Federal Trade Commission and Securities and Exchange Commission urging the agencies to investigate if those sales violated insider trading laws.11

The gravity of this massive data breach has sat in stark contrast to the availability of adequate remedies and consequences. Equifax has amassed one of the most extensive and comprehensive databases of consumer financial data but operates outside the legal and regulatory oversight that helps bolster data protection in the banking system.12 Banks face constant monitoring and audits mandated by regulation to ensure data security.13 Nonbank entities, however, including credit reporting agencies like Equifax, fall into a so-called regulatory “gray area,” facing legal scrutiny only after something has gone wrong.14 This lack of oversight, coupled with an inadequacy of regulatory sanctions for security mismanagement, perpetuates a consequence-free environment that fails to incentivize prioritization of data security.15 The Federal Trade Commission, the principal regulator charged with data privacy enforcement, lacks the authority to impose large fines for violations.16 Equifax, meanwhile, reported $3.1 billion in revenue last year, a financial position invulnerable to the paltry penalties regulatory bodies are currently authorized to impose.17 The regulatory weakness this breach highlights, however, encompasses more than just the inability to manage credit agencies like Equifax. In an age of big data, entities from financial institutions to technology companies to government organizations have aggregated and stored mass quantities of sensitive, personal information.18 These big data stores face minimal regulatory constraints such that while the scale of damage for data breach is extensive, the punishment for breach is inconsequential.19 Several bills are already circulating that seek to help consumers monitor and protect their credit moving forward, but such efforts, much like the current state of regulatory data protection, are largely inadequate.20 In the future, legislative efforts to heighten regulatory oversight and meaningfully enforce standards for data security may provide the only solution to safeguard sensitive private data.

The Federal Trade Commission has recommended several steps consumers can take to protect themselves following a data breach.21 Consumers should check credit reports for accounts they do not recognize and should be sure to monitor their existing credit card and bank accounts for unusual activity.22

Equifax is currently offering consumers one year of free credit monitoring, but consumers ought not to misunderstand this threat as a short-term problem.23 Much of the personal data exposed in this breach, such as social security numbers, is long-term identifying information constituting a threat with no ascertainable expiration date.24

GLTR Staff Member; Georgetown Law, J.D. expected 2019; Georgia Institute of Technology, B.S. 2010. ©2018, Summer Danzeisen.