In early September 2017, Equifax, one of three major credit reporting agencies, disclosed that personal and financial information for approximately 143 million U.S. consumers was compromised in a data breach. The cybersecurity breach apparently began in May of 2017 and continued until it was detected on July 29, 2017. According to Equifax, the breach compromised names, Social Security numbers, birth dates, addresses, and driver’s license numbers. In addition, credit card information was hacked for more than 200,000 U.S. consumers, and credit report dispute documents that contained personal information for approximately 182,000 were also compromised.
In the wake of this announcement, many employers have wondered whether there is any impact on their organizations and whether there is anything they should be doing to support their employees. According to the law firm of White and Williams, LLP, here are some steps employers might want to consider taking:
· Confirm whether the company itself is affected by the breach – Some employers use Equifax to conduct background checks, credit checks, or other services. Employers should check to see whether they provided information to Equifax, whether directly or through a vendor, that was potentially compromised by the breach. If information provided was potentially breached, employers could face potential legal exposure and should contact a cybersecurity lawyer for guidance. Employers should also review any contracts with third-party vendors to determine how the risk and exposure are handled between the two parties in the event of a data breach.
· Convey information provided by Equifax, but do not adopt it – Employers may want to consider sending a communication to employees providing information and guidance regarding the Equifax breach. Equifax has created a dedicated website that provides information regarding the breach, its response efforts, FAQs, and the ability for individuals to check whether their information was involved in the breach. While supplying this information to employees will be helpful, employers should not provide commentary or endorsement regarding the steps Equifax is taking to respond to this incident.
· Outline proactive steps recommended by the Federal Trade Commission (FTC) – The FTC provides the following guidance for individuals wanting to take proactive steps following a data breach of personal information:
o Check your credit reports from Equifax, Experian, and TransUnion
o Place a credit freeze on your files
o Monitor existing credit card and bank accounts closely
o Place fraud alerts on files if a credit freeze is not instituted
o File taxes early before someone can use your personal information to file on your behalf
Additional information from the FTC on identity theft can be found here.
· Increase information security – Employers should take steps to educate their employees about protecting the employer’s data systems and any use of personal information. Organizations should have regular, focused sessions with employees to discuss different types of cyber attacks and how they should respond. In particular, employees should pay special attention to ploys often found in social media, blogs, and phishing emails. Employers have to consider not only company-issued computers, but also personal mobile devices that connect to the employer’s systems and store employer data, and that could also be used to inadvertently spread malware.
· Review response plans, information security controls, and insurance – The Equifax breach is a wake-up call for employers that this could happen to any employer of any size. This is a great opportunity for employers to do an information security assessment of their systems to determine where they might be vulnerable. Employees should be trained to recognize an attack and should be aware of the steps they should take if they believe they have witnessed a cyber attack. Companies should assume they will be infiltrated at some point and have well-defined and communicated response policies. Employers may also wish to consider purchasing insurance to cover potential cyber incidents.
As the threat of data breaches and other security issues continues to grow, taking active steps to keep personal information safe and secure is critical. HR has a vital part in proactively incorporating data security training into the organization’s onboarding and staffing processes in order to help mitigate ever-growing cybersecurity risks.
Sources: CEB 9/20/2017; White and Williams 9/25/2017