Legal Bulletins

1. What Happened?

In late July 2017, Equifax, one of the 3 nationwide consumer reporting agencies, discovered that someone had illegally obtained access to personal information for approximately 143 million consumers.  The information improperly accessed includes Social Security numbers, birth dates, addresses, and in some cases, driver’s license numbers.  In addition, credit card numbers and certain dispute documents were accessed for approximately 209,000 consumers.

2. What Is Equifax Doing/What Does Equifax Recommend?

Equifax indicates that it has determined how the breach occurred and has taken steps to prevent it from happening again.  Equifax indicates that it will send direct mail notices to consumers whose credit card numbers or dispute documents were improperly accessed.

GF Pointer: If a consumer receives a mail notice directly from Equifax, it is strongly recommended that the consumer immediately be proactive and take the steps described in this outline.  In addition, the affected credit card accounts should be closed.

• Consumer Impact Portal: Equifax has established a consumer portal to assist consumers in determining if they were impacted by this incident:  www.equifaxsecurity2017.com.  Consumers can visit this website and select “potential impact” and enter last name and last 6 digits of Social Security number.

• Free Credit Monitoring:  Equifax is offering free identity theft protection and credit file monitoring to all U.S. consumers (regardless of impact from this breach) for 1 year.  This is typically a paid Equifax service that provides monitoring for Equifax, Experian, and TransUnion credit reports, copies of a consumer’s Equifax credit report, and the ability to lock and unlock an Equifax credit report.  The service also provides identity theft insurance and periodic scanning of a consumer’s Social Security number (to see if it is listed for sale/access over the Internet).  To obtain this 1 year free service, consumers must complete the enrollment process by November 21, 2017.

GF Pointer:

• Equifax’s terms and conditions for the service initially included an arbitration provision that would have precluded participation in any class actions against Equifax (an arbitration provision has been removed from the related product terms and conditions, even though the acknowledgment language still includes a reference to arbitration).

• Some have argued that enrollment in this service is partially a data-mining exercise by Equifax to expand its marketing data base and to get consumers comfortable with the service so they will then pay for it after year 1.

• Review Account Statements/Check Credit Reports: Equifax recommends that even if consumers do not sign up for the Equifax credit monitoring service, they remain vigilant for incidents of fraud and identify theft by carefully reviewing account statements and ordering a free annual credit report once every 12 months from each of the 3 nationwide consumer reporting agencies.

GF Pointer: A free report can be obtained every 4 months by alternating among each of the 3 credit reporting agencies.

Equifax
PO Box 740241
Atlanta, GA 30374
www.equifax.com
888-766-0008

Experian
PO Box 9554
Allen, TX 75013
www.experian.com
888-397-3742

TransUnion
PO Box 2000
Chester, PA 19016
www.transunion.com
800-680-7289

• Contact Law Enforcement, Federal Trade Commission (FTC), State AG: Equifax also recommends that if a consumer believes he/she is the victim of identity theft, that they immediately contact local law enforcement, the FTC’s Consumer Response Center (www.ftc.gov/idtheft), and the consumer’s State Attorney General (www.naag.org/naag/attorneys-general/whos-my-ag.php). 

3. What Does The FTC Recommend?

The FTC has recommended (https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do?utm_source=slider) many of the same steps suggested by Equifax, including checking the Equifax Impact Portal, checking free annual credit reports, and closely monitoring account statements.  Other steps that the FTC recommends for consumers include (a) filing tax returns early (so that an impostor does not file and obtain a refund before the actual consumer can) and (b) considering whether to place either a fraud alert or a credit freeze on his/her credit file.

A fraud alert is a notice on a consumer credit file that warns creditors that the consumer may be an identity theft victim and that the creditor should verify with the consumer that he/she is really seeking any credit requested.  A fraud alert lasts 90 days and should be placed through each of the above 3 nationwide consumer reporting agencies, unless one of the agencies indicates that it will communicate a fraud alert to the other agencies (fraud alerts are free).

With a credit freeze, neither the consumer nor any creditors can access the consumer’s credit file to open a new account until the credit file is unfrozen (using a PIN).  A credit freeze remains in place until the consumer lifts or permanently removes it (however in some states – but not Maryland – a credit freeze expires after 7 years).  Until October 1, 2017, Maryland law permits a fee up to $5 fee every time a consumer implements a credit freeze or temporarily or permanently lifts it (no fee for victims who have reported identity theft to law enforcement).  Beginning October 1, 2017, every consumer in Maryland may place a first credit freeze (i.e., the consumer has not previously requested a security freeze from the consumer reporting agency) at no charge.  A credit freeze must be placed separately through each of the above 3 nationwide consumer reporting agencies (and separate fees may be charged, if permitted, by each agency).

4. What Should Businesses Do?

There is no statutory or regulatory requirement that Maryland businesses notify their employees or customers about the Equifax data breach (unlike if there had been a breach of the business’s electronic data directly or through its third-party service provider).  However, notification of employees and customers may help to reduce risk of fraudulent or unauthorized transactions that could affect the business.

Businesses that have direct contractual relationships with Equifax (for example, creditors and landlords) should review those contracts to determine if any contractual obligations are triggered by this data breach.

Because of the vast potential compromise of Social Security numbers, businesses should consider using a different or additional data point to verify an individual’s identity.

5. How Long Should Consumers and Businesses Be Concerned?

Stolen data can remain unused for many years.  It may have most value to “bad guys” after consumers and businesses let their guard down.  The actions described above should continue to be followed for months and likely years.  In addition, this data breach is expected to result in new statutory and regulatory requirements for consumer reporting agencies and, perhaps, for users of consumer reports and to those who furnish information to consumer reporting agencies.  Concern about this subject will continue for the foreseeable future.