As is now widely reported, Equifax, a consumer credit reporting agency, suffered a data breach of staggering proportions. In the race to fully comprehend the ramifications of this breach, it’s worthwhile to consider what specific legal requirements Equifax must comply with when it comes to maintaining the secrecy of sensitive personal information. One law that creates such requirements is the Gramm-Leach-Bliley Act (GLBA).
Enacted in 1999, the GLBA created two requirements for financial institutions. The Privacy Rule governs the types of notice a financial institution must give to consumers, the opportunities to opt out from the services provided, and the non-disclosure of sensitive information to non-affiliated third parties. The Safeguard Rule governs the administrative, technical, and physical security of sensitive personal information that the financial institution collects about its customers. GLBA requires that financial institutions:
Because the incident was a data breach, real concerns exist as to whether Equifax complied with the Safeguard Rule, specifically whether it provided sufficient technical security for the sensitive information it held. Ars Technica reported that the vulnerability exploited in this incident was discovered and disclosed to the public in March 2017. However, the breach occurred in May 2017, two months after disclosure of the vulnerability. While addressing the vulnerability was described as “labor intensive and difficult,” that does not absolve Equifax of its statutory obligation to correct a known flaw in its data security apparatus. Indeed, because it was individuals’ names, Social Security numbers, addresses, and birth dates that were accessed, Equifax’s dereliction has given criminals all that is needed to cause immense financial harm to those impacted by this breach. Since the Federal Trade Commission has already announced that an investigation into the breach is underway, we can expect additional details to come to light about Equifax’s failures.
This incident underscores the importance of maintaining a high level of IT security integrity and complying with applicable laws. Consulting with an attorney to ensure such compliance can help you avoid a fate similar to Equifax.