Natalie Luppold CPA, CISA, CITP
On July 29, 2017, Equifax discovered suspicious network traffic. After an investigation, Equifax determined that a website application vulnerability granted unauthorized access to sensitive data from May 13 through July 30. On September 7, 2017, Equifax publicly announced the breach of 143 million Americans’ personally identifiable customer information through a nationwide press release. This was later increased to 145.5 million individuals. Consumer information accessed includes names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed. This is the most severe security breach to date, and it will impact financial institutions in multiple areas.
New Account Opening: As consumer needs and preferences have changed, digital account opening and onboarding are more prevalent. A 2017 study published by the Digital Banking Report indicates that 66% of financial institutions offer online account opening and an additional 31% plan to implement the process within one year. The Equifax data breach heightens the risk of fraudulent account openings because information provided by credit reporting agencies is used to verify identities.
Customer Authentication: This incident may call into question the dependence on consumer data for authentication. The data that is currently used is historical and cannot be changed. Financial institutions will need to strengthen authentication for both new accounts and changes to current accounts. Typical authentication should be replaced with more personalized information known only to the consumer. Financial institutions will bear the costs of updating their systems and contacting customers in an environment where consumers are increasingly reluctant to provide additional information.
Legal Implications and Accountability: There are several pending lawsuits, but Equifax is currently only offering consumers one year of identity theft protection and credit file monitoring even though a consumer could be impacted by the data breach for the rest of their life. Due to the large impact of this breach, it is possible that stronger data-security laws and tougher penalties will be put in place to protect consumer information, which could impact financial institutions in the future. On November 27, 2017, the Independent Community Bankers of America filed a lawsuit against Equifax noting, in part, “While consumers are ultimately protected from most fraud loss arising from this incident, Plaintiffs and the Class are not, as they bear the primary responsibility for reimbursing customers for fraudulent charges or other transactions, fraudulently opened loans and deposit accounts, covering the costs of issuing new payment cards for customers to use and implementing new customer authentication procedures. Additionally, Plaintiffs and the Class will suffer financial losses whenever an identity is stolen and used to falsely establish credit or a deposit account, or access an existing customer’s account. This certainly impending risk will continue into the foreseeable future, and will require Plaintiffs and the Class to incur significant costs and expenses in order to reduce and mitigate it.”
Regulatory Changes: Equifax is a third party for the majority of financial institutions. Regulators will likely examine this relationship more closely and possibly make changes to Vendor Management controls. Additional areas that may be impacted include the Bank Secrecy Act Customer Identification Program, Gramm-Leach-Bliley Act, Regulation P: Privacy of Consumer Financial Information, and the Fair and Accurate Credit Transactions Act Red Flag Rule. As changes are made, financial institutions will need to update their policies and procedures and train staff impacted by the changes.