• Cullen and Dykman LLP Blogs

  • Equifax Data Breach Update: Company Announces Major Shakeup amid Public Backlash

    Equifax has announced that chairman and CEO Richard Smith will retire from the company effective immediately. Paulino do Rego Barros, Jr., President of Equifax’s Asia Pacific division, will act as interim CEO while the company searches for a permanent replacement. In addition, Mark Feidler, a member of the Equifax board of directors, will take Smith’s place as chairman. The changes come three weeks after the company revealed that it had suffered a major cyber security breach that exposed the personal information of 143 million consumers.

    Just under three weeks ago, Equifax announced that the company’s Chief Information Officer and Chief Security Officer had both retired. The company went on to state that it had appointed two people from within to fill both roles on an interim basis effective immediately. Equifax also announced that it hired an independent cyber security firm that has been assisting in conducting a full review to assess the breach.

    Along with the announcement of major personnel changes, Equifax has also revealed more details surrounding the data breach itself. Of note, the company confirmed that the hack was made possible because of a vulnerability in “Apache Struts,” an open-source application framework that Equifax uses for its online dispute web application. The company also confirmed that this particular vulnerability had been identified by the U.S. Computer Emergency Readiness Team (U.S. CERT) back in March, a full two months before the data breach is believed to have begun. Equifax had previously stated that the company was aware that a patch existed for the software and even tried to apply it. This inadequate effort has baffled data security analysts and highlights major flaws in the way Equifax handled data security before the breach.

    Equifax also clarified a number of issues that surfaced surrounding the ways in which the breach has been handled. Equifax definitively stated that the arbitration and class-action waiver clauses included in the Terms of Use for their free credit monitoring service were never intended to apply to the data breach incident. This announcement comes after many accused the company of attempting to get consumers to waive their legal rights by offering a free service and burying clauses in the Terms of Use. Equifax also clarified that no credit card information is required to sign up for the service and that users will not automatically be charged after the free year expires. The company also provided a clearer link on its main website, www.equifax.com, to the website created to specifically deal with the data breach, www.equifaxsecurity2017.com. The clearer link was necessitated by the creation of a number of phishing sites that attempted to imitate the Equifax site, further underlining Equifax’s continued struggle with cyber security.

    The fallout from the Equifax breach has led analysts to believe that many employers will begin to offer their employees identity-theft protection as part of their voluntary benefits plans. Surveys already indicated that 70 percent of companies planned to offer the benefit by 2018, but the recent Equifax breach has caused many to accelerate that timeline. Identity-theft protection is a relatively cheap benefit for companies to offer and could help save their employees valuable time that would otherwise be spent addressing identity-theft issues during work hours.

    Institutions are encouraged to review and update their cyber security policies regularly. Employers should also research and consider offering identity-theft protection as part of their benefits packages given the number and wide range of recent major consumer data breaches.

    If you, or your organization, have any questions concerning cybersecurity issues or whether to offer identity-theft protection to your employees, please contact Cynthia A. Augello at 516-357-3753 or via email at caugello@cullenanddykman.com.

    Thank you to Ryan Soebke, a law clerk with Cullen and Dykman LLP, for his assistance with this post.