
DATA BREACH

: this one may not go unnoticed

Margaret A. Reetz, Partner, and Gregory S. Mantych, Associate, Mendes & Mount LLP, New York

As the dust starts to settle on the Equifax data breach, in which nearly half of the US population’s personal data was potentially compromised, Margaret Reetz and Gregory Mantych, of Mendes & Mount LLP, provide their analysis of the breach and the wide-ranging impact.

There are hacking incidents and then there are hacking incidents. The statistics so far:

• Impacted consumers: 145.5 million US; 15.5 million UK; 100,000 Canada.
• Lawsuits: two US states; two US cities; hundreds of class actions filed.
• Congressional hearings: four.
• Management changes: one CEO retired; two technology officers out.
• Regulator investigations: at least two federal; over 38 states.

The personal data of nearly half of the US population was potentially impacted as a result of a breach at the credit reporting company, Equifax. Such numbers are staggering, particularly considering that around a quarter of the population consists of minors, whose sensitive data hopefully would not have been submitted to the credit agencies. Was the handling of data and the response by Equifax a case study in what not to do? With such a large portion of the electorate at risk, and regulators ready to pounce, are lawmakers not far behind? Should the entire mechanism be scrapped in favour of a model not reliant on traditional identifiers? There will be, and have been, proposals for new regulations but it remains to be seen whether there is the right mix of support and momentum for any one or more measures. While cyber security is not a ‘top-of-mind’ concern for American consumers, the sheer magnitude of this incident and how the company responded will not soon leave regulators’ memories [1].

Initial reports

Equifax, one of the three US credit reporting bureaus, initially announced on 7 September 2017 that it had suffered a cyber security incident impacting approximately 143 million US consumers [2]. This figure had to be revised upward to 145.5 million [3]. Finally, the figure was revised to include consumers outside the US, although Equifax reports that there is no evidence that the attackers accessed databases located outside the US (15.2 million British consumers were impacted, and close to 700,000 of those will receive notifications from Equifax with offers of its own and another third party’s risk mitigation tools; 100,000 Canadian consumers likewise were impacted) [4].

The credit reporting bureaus typically act to collect, compile and report on consumer information in the form of credit reports [5]. Ordinarily, credit reports are used by financial services entities (, issuers) to support the issuance of mortgages, auto , credit cards and private student loans. They also may be used as a form of background check: rental housing, setting auto and homeowner’s policy premiums and even in certain employee hiring situations [6]. Thus, the influence and impact on consumers’ lives is enormous. This also explains how it is that one entity would have access to and control over such a large swathe of consumers’ sensitive data.

Equifax reported that the data breach resulted when “criminals exploited a US website application vulnerability,” Apache Struts CVE-2017-5638 [7]. Apache Struts is a piece of computer code used for creating web applications. Equifax reportedly used Apache Struts in whole or in part to create, support and/or operate its Dispute Portal [8]. Apache Struts is an ‘open source code,’ free and available for anyone to download, install, or integrate into their systems and is used by Fortune 100 to provide web applications in Java, powering front and back-end applications. Like many other pieces of open source code, it comes with no warranties of any kind, including anything to do with security. The flaw in this code reportedly dates back to March 2017 [9]. Accordingly, regulators are now arguing that it was incumbent upon Equifax - and any company that uses Apache Struts (and presumably any open source code) - to assess whether it is appropriate and sufficiently secure for the company’s purpose, noting that the software should have been updated to secure against known vulnerabilities [10].

For its part, Equifax still has not provided specific evidence regarding the cause of the breach but written statements in support of the former CEO’s congressional testimony confirm some of the events. Former CEO Richard Smith has testified that the failure to patch a two month old bug was among the chief failures that caused the breach. Although a patch for the code execution flaw was available during the first week of March 2017, Equifax administrators did not apply it until 29 July, when Equifax first learned of the breach. In fact, an email that directed administrators to patch the critical vulnerability in the open source application framework was not followed [11]. In his testimony, Smith blamed a single unnamed IT employee. Equifax reports that its forensics vendor () has completed its investigation (as of the first week of October 2017) so, for now, this appears to be the extent of Equifax’s account [12].

Public relations miscues

The initial response by Equifax was neither reassuring nor orderly. The announcements directed consumers to a link on the Equifax website and then instructed the consumer to enter the last six digits of their Social Security Number. The process did not go well. Once entered, consumers received a notification that their data was potentially compromised and that they should check back with Equifax, without further explanation [13].

Also, there was the delay in divulging the breach. Equifax became aware of the intrusion on 29 July 2017 but it did not issue its press release until 7 September. To add insult to injury for consumers, one remedy offered was to request a credit freeze from the very same, apparently at risk, credit reporting bureaus - at a cost [14]. Some reporting suggests that the rollout was hurried, due to forces outside of the control of Equifax [15].

In the near and long term, there will be continued scrutiny from security analysts about the company’s capabilities to manage data. The actual web portal for handling credit report disputes used a platform that commentators say is vulnerable in its own right. Equifax took that down but confidence is not at an all-time high for their ongoing practices and standards [16]. Finally, in what may be an ‘irony-deficient’ environment, the website banner taglines still read: ‘Equifax is a global information solutions company that uses trusted unique data, innovative analytics, technology and industry expertise to power organizations and individuals around the world by transforming knowledge into insights that help make more informed business and personal decisions.’

Investigations and litigation

States react first

The states of Massachusetts and New York wasted no time in pursuing actions and remedies on behalf of their constituents. The Massachusetts Attorney General’s Office filed suit against Equifax as of 19 September 2017 seeking civil penalties, disgorgement of profits, restitution, costs and attorney’s fees, citing that state’s Consumer Protection Act and breach notification law [17]. The Massachusetts Attorney General specifically alleges that Equifax failed to give timely notice. Governor Andrew M Cuomo of New York announced a “new action” to direct the State’s Department of Financial Services to issue new regulations requiring credit reporting agencies to register with the Department in accordance with the State’s “first-in-the-nation cybersecurity standard [18].” Presumably, the State is looking to make it clear that the New York State Department of Financial Services should have oversight and enforcement for such agencies [19]. In addition, the cities of Chicago and San Francisco have filed their own actions [20].

Congressional hearing and response

To date, there have been four hearings where legislators were unrestrained, animated and almost coarse in their statements and questions to the former CEO of Equifax, Richard Smith (these hearings were held by: the House Energy & Commerce Committee (Digital and Consumer Protection Subcommittee); the House Financial Services Committee; the Senate Banking, Housing, and Urban Affairs Committee; and the Senate Judiciary Committee (Privacy, Technology and the Law Subcommittee)). There was no shortage of analogies, outrage and theatrics, resulting in something of a quote-fest:

“Because of this breach, consumers will spend the rest of their lives worrying about and . But Equifax will be just fine [and] it could actually come out ahead!” - Sen. Elizabeth Warren, Massachusetts.

“This may be the most harmful attack on a company’s personal information the world has ever seen,” - Rep. Jeb Hensarling, Texas.

“That looks like we’re giving Lindsay Lohan the key to the minibar. I don’t pay extra at a restaurant to prevent a waitress from spitting in my food (in reaction to the prospect that Equifax could make money from consumers rushing to get protection products),” - Sen. John Kennedy, Louisiana.

There are a few bills that have been introduced in the immediate aftermath. Senator Elizabeth Warren of Massachusetts introduced a measure that would force the credit bureaus to eliminate fees for credit freezes and to streamline the entire process. Some commentators feel that the situation adds insult to injury that a consumer is forced to use the very same credit bureaus that have drawn such critical scrutiny to put a ‘freeze’ on their credit files. The effect of the freeze, also known as a security freeze, restricts access to a consumer’s credit report, thus making it difficult for a thief to open up a new unauthorised account in that consumer’s name (certain entities may still have access) [21].

Other senators have introduced the draft Data Broker Accountability and Transparency Act to hold the data broker industry accountable for breaches. This Act would allow consumers to correct their information as shown in certain reports and allow consumers to restrict brokers from using, sharing or selling their personal information for marketing purposes. Such brokers would also be subject to enhanced requirements with respect to security, privacy and breach notifications [22].
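The Struts failure described in the Initial reports section above (a fix available in the first week of March 2017, not applied until 29 July) is exactly the gap a routine dependency check surfaces. What follows is an added example, not code from the article, from Equifax or from the Apache project; it assumes a Maven pom.xml as the manifest, takes the affected and fixed version ranges for CVE-2017-5638 from the Apache advisory, and treats 6 March 2017 as the day the fix shipped.

```python
"""Added example (not Equifax's or Apache's code): flag a Maven manifest that
pins a struts2-core version affected by CVE-2017-5638 and count the days it
stayed exposed after the fix shipped, as the article says happened at Equifax."""
import re
import xml.etree.ElementTree as ET
from datetime import date

# Fixed versions per the Apache advisory for CVE-2017-5638 (S2-045).
FIXED_23 = (2, 3, 32)
FIXED_25 = (2, 5, 10, 1)
# The fix shipped in the first week of March 2017; the exact day is assumed.
FIX_RELEASED = date(2017, 3, 6)
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample manifest: one vulnerable pin and one fixed pin.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <artifactId>struts2-core</artifactId>
      <version>2.3.31</version>
    </dependency>
    <dependency>
      <artifactId>struts2-core</artifactId>
      <version>2.5.10.1</version>
    </dependency>
  </dependencies>
</project>"""


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare element by element."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_vulnerable(version):
    """True when the version sits in an affected Struts 2 range."""
    v = parse_version(version)
    return (2, 3, 5) <= v < FIXED_23 or (2, 5) <= v < FIXED_25


def struts_findings(pom_xml, today):
    """Return [(version, vulnerable, days_exposed)] per struts2-core pin."""
    findings = []
    for dep in ET.fromstring(pom_xml).iterfind(".//m:dependency", NS):
        if dep.findtext("m:artifactId", namespaces=NS) != "struts2-core":
            continue
        version = dep.findtext("m:version", namespaces=NS)
        vuln = is_vulnerable(version)
        findings.append((version, vuln, (today - FIX_RELEASED).days if vuln else 0))
    return findings


if __name__ == "__main__":
    # 29 July 2017 is the date the article gives for Equifax applying the patch.
    for version, vuln, days in struts_findings(SAMPLE_POM, date(2017, 7, 29)):
        print(f"struts2-core {version}: {'EXPOSED %d days' % days if vuln else 'fixed'}")
```

Run against a real pom.xml the same check reports a lag figure per pinned dependency, which is the number an auditor asks for when judging whether a known fix was applied in reasonable time.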

A Cecile Park Media Publication | October 2017

Regulatory and criminal investigations

The Federal Trade Commission (‘FTC’) has opened a probe into these events [23]. It also issued a statement: “The FTC typically does not comment on ongoing investigations. However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach [24].”

Three Equifax executives were permitted to sell more than $1.8 million worth of stock in the days following the 29 July discovery of the breach. Reportedly, the executives that sold the stock had not been informed of the breach at the time. The Department of Justice has now opened an investigation into these trades.

The Attorneys General from 38 states sent a letter to and TransUnion urging them to stop charging fees for credit freezes and fees to lift or temporarily lift credit freezes, in light of the Equifax breach. This is also leading these Attorneys General to draft legislation to ban or restrict fees for credit freezes (seven states already have similar legislation) [25].

Class actions filed

Not surprisingly, hundreds of class action lawsuits have been filed. The class allegations are as to be expected: “[t]his action arises from one of the largest data security breaches ever to occur in the United States. As a result […] millions of individuals whose sensitive personal data was made accessible now face substantial risk of further injury from identity theft, credit and reputational harm, false tax claims or even extortion [26].” Plaintiffs allege that the “website Equifax set up and directed consumers to use to check whether their Confidential Personal Information had been compromised was itself fraught with security risks [27].” The causes of action include alleged violations of the Fair Credit Reporting Act, breach of fiduciary duty, negligence, breach of contract, invasion of privacy and unfair practices violations.

It looks like a consolidated action is likely headed to the Northern District of Georgia [28]. Plaintiffs’ counsel have filed motions to transfer to the Federal District Court in , to be heard before the Judicial Panel on Multi-District Litigation. Not only does Equifax maintain its headquarters in Atlanta, Georgia, but plaintiffs’ counsel notes in their motion that two other major data breach matters were handled there, i.e. Home Depot and Arby’s Restaurant Group.

Conclusion

When the dust settles

Some commentators are less than sanguine about the prospects of significant legislative accomplishments, even following what seems to be the granddaddy of all breaches [29]. There remains a great deal of confusion about the stranglehold that the credit reporting bureaus have over the consumer financial system and the best approach to ensure the integrity of the system. Other commentators are looking at the entire infrastructure to see whether technological advances can resolve some basic issues. For instance, some advocates suggest replacing the reliance on the use of social security numbers as an identifier and moving toward biometrics or a blockchain equivalent. One system touted is in use in Estonia, where the country has created a digital identification system [30]. For the time being, it is more likely that regulators in certain states like Massachusetts, Illinois, New York and California will put a great deal of pressure on all of the credit bureaus to force higher security standards, if not significant improvements to the responses to such incidents. Market forces ultimately may also prove to be a greater influencer in this sector.

1. According to a Pew Research Center study entitled ‘Americans and Cybersecurity,’ 26 January 2017, roughly half of Americans do not trust the federal government or social media sites to protect their data, but many fail to follow cyber security best practices and most do not worry about how to secure online passwords; even if the victim of a major data breach, they are no more likely to take additional steps to secure their personal information. See http://assets.pewresearch.org/wp-content/uploads/sites/14/2017/01/26102016/Americans-and-Cyber-Security-final.pdf
2. www.equifaxsecurity2017.com
3. http://fortune.com/2017/10/02/equifax-credit-breach-total/
4. http://www.independent.co.uk/news/business/news/equifax-cyber-attack-millions-client-records-compromised-credit-reporting-agency-uk-sensitive-a7993946.html; http://thehill.com/policy/cybersecurity/354749-equifax-says-nearly-700000-uk-consumers-impacted-by-breach
5. http://files.consumerfinance.gov/f/201212_cfpb_credit-reporting-white-paper.pdf; the three largest nationwide consumer reporting agencies (NCRAs) are Equifax Information Services LLC (Equifax), TransUnion LLC (TransUnion), and Experian Information Solutions Inc. (Experian).
6. Ibid.
7. Commonwealth of Massachusetts v. Equifax, Inc., Case No. 1784-CV-03009 (Superior Court of Massachusetts, 19 September 2017).
8. Ibid. at 7.
9. http://www.zdnet.com/article/equifax-confirms-apache-struts-flaw-it-failed-to-patch-was-to-blame-for-data-breach/
10. Ibid.
11. https://arstechnica.com/information-technology/2017/10/a-series-of-delays-and-major-errors-led-to-massive-equifax-breach/
12. https://www.equifaxsecurity2017.com/frequently-asked-questions/
13. https://www.washingtonpost.com/news/the-switch/wp/2017/09/08/after-data-breach-equifax-asks-consumers-for-social-security-numbers-to-see-if-theyve-been-affected/?utm_term=.5fc6c7c9fe56
14. https://krebsonsecurity.com/2017/09/heres-what-to-ask-the-former-equifax-ceo/
15. Ibid.
16. https://www.wired.com/story/equifax-breach-no-excuse/
17. G.L. c. 93A; G.L. c. 93H; Commonwealth of Massachusetts v. Equifax, Inc., Case No. 1784-CV-03009 (Superior Court of Massachusetts).
18. See ‘Governor Cuomo Announces New Actions to Protect New Yorkers’ Personal Information in Wake of Equifax Security Breach,’ www.governor.ny.gov/news, Press Room, 18 September 2017. The attack may be linked to nation-state actors. See https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros
19. N.Y. Fin. Serv. L. § 102.
20. http://chicago.cbslocal.com/2017/09/28/chicago-lawsuit-equifax-data-breach/; the city’s consumer ordinance was updated in 2012 to allow for penalties as high as $10,000 per victim per day, https://techcrunch.com/2017/09/27/san-francisco-sues-equifax-on-behalf-of-15-million-californians-affected-by-the-breach/
21. https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
22. https://iapp.org/news/a/senators-introduce-legislation-following-equifax-breach/
23. https://www.engadget.com/2017/09/18/equifax-stock-sales-doj-investigation-insider-trading/
24. http://www.reuters.com/article/equifax-cyber-ftc/u-s-ftc-opens-probe-into-massive-equifax-hack-idUSFWN1LV0KN
25. http://www.illinoisattorneygeneral.gov/pressroom/2017_10/20171010b.html
26. Morris v. Equifax Inc. and Equifax Information Services LLC, Case No. 3:17-cv-05815-MEJ (Oct. 10, 2017, U.S.D.C. No. Dist. Calif.), p. 3.
27. Ibid. at 4.
28. http://www.nationallawjournal.com/id=1202797902499/Lawyers-Begin-Move-to-Corral-Equifax-Class-Suits-Into-MDLslreturn=20170911104815; the consolidated cases are In re Equifax Inc. Data Breach Litigation, 2800, U.S. Judicial Panel on Multi-district Litigation.
29. http://www.pbs.org/newshour/rundown/equifax-breach-congress-unlikely-pass-new-rules-protect-consumer-data/
30. http://www.zdnet.com/article/data-breaches-highlight-how-social-security-number-has-to-be-phased-out-for-blockchain-biometrics/

Cyber Security Practitioner