
Equifax Breach – Did They Fail to Comply with GLBA?


As is now widely reported, Equifax, a consumer credit reporting agency, suffered a data breach of staggering proportion. In the race to fully comprehend the ramifications of this breach, it’s worthwhile to consider what specific legal requirements Equifax must comply with when it comes to maintaining the secrecy of sensitive personal information. One law that creates such requirements is the Gramm-Leach-Bliley Act (GLBA).

Enacted in 1999, the GLBA created two requirements for financial institutions. The Privacy Rule governs the types of notice a financial institution must give to consumers, the opportunities consumers have to opt out from the services provided, and the prohibition on disclosing sensitive information to non-affiliated third parties. The Safeguard Rule governs the administrative, technical, and physical security of sensitive personal information that the financial institution collects about its customers. GLBA requires that financial institutions:

  1. insure the security and confidentiality of customer records and information;
  2. protect against any anticipated threats or hazards to the security or integrity of such records; and
  3. protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

 

Because the incident was a data breach, real concerns exist as to whether Equifax complied with the Safeguard Rule, specifically whether it provided sufficient technical security for the sensitive information it held. Ars Technica reported that the vulnerability exploited in this incident was discovered and disclosed to the public in March 2017. The breach, however, occurred in May 2017, two months after disclosure of the vulnerability. While addressing the vulnerability was described as “labor intensive and difficult,” that does not absolve Equifax of its statutory obligation to correct a known flaw in its data security apparatus. Indeed, because it was individuals’ names, Social Security numbers, addresses, and birth dates that were accessed, Equifax’s dereliction has given criminals all that is needed to cause immense financial harm to those impacted by this breach. Since the Federal Trade Commission has already announced that an investigation into the breach is underway, we can expect additional details to come to light about Equifax’s failures.

This incident underscores the importance of maintaining a high level of IT security integrity and complying with applicable laws. Consulting with an attorney to ensure such compliance can help you avoid a fate similar to Equifax.
