In late July 2017, Equifax, one of the 3 nationwide consumer reporting agencies, discovered that someone had illegally obtained access to personal information for approximately 143 million consumers. The information improperly accessed includes Social Security numbers, birth dates, addresses, and in some cases, driver’s license numbers. In addition, credit card numbers and certain dispute documents were accessed for approximately 209,000 consumers.
Equifax indicates that it has determined how the breach occurred and has taken steps to prevent it from happening again. Equifax indicates that it will send direct mail notices to consumers whose credit card numbers or dispute documents were improperly accessed.
PO Box 740241
Atlanta, GA 30374
PO Box 9554
Allen, TX 75013
PO Box 2000
Chester, PA 19016
The FTC has recommended (https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do?utm_source=slider) many of the same steps suggested by Equifax, including checking the Equifax Impact Portal, checking free annual credit reports, and closely monitoring account statements. Other steps that the FTC recommends for consumers include (a) filing tax returns early (so that an impostor does not file and obtain a refund before the actual consumer can) and (b) considering whether to place either a fraud alert or a credit freeze on his/her credit file.
A fraud alert is a notice on a consumer credit file that warns creditors that the consumer may be an identity theft victim and that the creditor should verify with the consumer that he/she is really seeking any credit requested. A fraud alert lasts 90 days and should be placed through each of the above 3 nationwide consumer reporting agencies, unless one of the agencies indicates that it will communicate a fraud alert to the other agencies (fraud alerts are free).
With a credit freeze, neither the consumer nor any creditors can access the consumer’s credit file to open a new account until the credit file is unfrozen (using a PIN). A credit freeze remains in place until the consumer lifts or permanently removes it (however in some states – but not Maryland – a credit freeze expires after 7 years). Until October 1, 2017, Maryland law permits a fee up to $5 fee every time a consumer implements a credit freeze or temporarily or permanently lifts it (no fee for victims who have reported identity theft to law enforcement). Beginning October 1, 2017, every consumer in Maryland may place a first credit freeze (i.e., the consumer has not previously requested a security freeze from the consumer reporting agency) at no charge. A credit freeze must be placed separately through each of the above 3 nationwide consumer reporting agencies (and separate fees may be charged, if permitted, by each agency).
There is no statutory or regulatory requirement that Maryland businesses notify their employees or customers about the Equifax data breach (unlike if there had been a breach of the business’s electronic data directly or through its third-party service provider). However, notification of employees and customers may help to reduce risk of fraudulent or unauthorized transactions that could affect the business.
Businesses that have direct contractual relationships with Equifax (for example, creditors and landlords) should review those contracts to determine if any contractual obligations are triggered by this data breach.
Because of the vast potential compromise of Social Security numbers, businesses should consider using a different or additional data point to verify an individual’s identity.
Stolen data can remain unused for many years. It may have most value to “bad guys” after consumers and businesses let their guard down. The actions described above should continue to be followed for months and likely years. In addition, this data breach is expected to result in new statutory and regulatory requirements for consumer reporting agencies and, perhaps, for users of consumer reports and to those who furnish information to consumer reporting agencies. Concern about this subject will continue for the foreseeable future.