Categories: Data Privacy

Equifax Breach – Did They Fail to Comply with GLBA?

Equifax Inc. logo. (PRNewsFoto/Equifax Inc.)

As is now widely reported, Equifax, a consumer credit reporting agency, suffered a data breach of staggering proportion. In the race to fully comprehend the ramifications of this breach, it’s worthwhile to consider what specific legal requirements Equifax must comply with when it comes to maintaining the secrecy of sensitive personal information. One law that creates such requirements is the Gramm-Leach-Bliley Act (GLBA).

Enacted in 1999, the GLBA created two requirements for financial institutions, known as the Privacy Rule, which governs the types of notice a financial institution must give to consumers, opportunities to opt-out from the services provided, and not disclosing sensitive information to non-affiliated third parties, and the Safeguard Rule, which governs the administrative, technical, and physical security of sensitive personal information that the financial institution collects about its customers. GLBA requires that financial institutions:

  1. insure the security and confidentiality of customer records and information;
  2. protect against any anticipated threats or hazards to the security or integrity of such records; and
  3. protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

 

Given that it was a data breach that occurred, real concerns exist as to whether Equifax complied with the Safeguard Rule, specifically whether it provided sufficient technical security for the sensitive information it held. Ars Technica reported that the vulnerability that was exploited in this incident was discovered and disclosed to the public in March, 2017. However, the breach occurred in May, 2017, two months after disclosure of the vulnerability. While addressing the vulnerability was described as “labor intensive and difficult,” that does not absolve Equifax from their statutory obligation to correct a known flaw in their data security apparatus. Indeed, as it was individual’s names, Social Security numbers, addresses, and birth dates that were accessed, Equifax’s dereliction has given criminals all that is needed to cause immense financial harm to those impacted by this breach. Since the Federal Trade Commission has already announced that an investigation into the breach is underway, we can expect additional details to come to light about Equifax’s failures.

This incident underscores the importance of maintaining a high level of IT security integrity and complying with applicable laws. Consulting with an attorney to ensure such compliance can help you avoid a fate similar to Equifax.

Recent Posts

Action Required: File Your BOI Report Before January 1, 2025

Many small businesses are required to report their beneficial ownership information (BOI) to the Financial…

4 weeks ago

New Baby on the Way? Let’s Protect Your Bundle of Joy

A new addition to the family is an incredible blessing. With this precious gift comes…

4 weeks ago

Marvel and DC Comic’s “SUPER HERO” Marks Unmasked: How Your Trademark Can Avoid the Same Result

Trademark protection is designed to secure a business asset that is unique to your business…

1 month ago

Homeowners’ and Condominium Owners’ Associations: The Basics

So … you are purchasing a home or other piece of residential real estate in…

3 months ago

Three Easy Ways to Mitigate the Risk of Litigation

Litigation can be a lengthy, costly, and emotionally draining process. As an attorney who practices…

3 months ago

Homeowners’ and Condominium Owners’ Associations: An Introduction

Imagine this scenario: there is a certain corporation with 400 business units.  Each business unit…

3 months ago