Equifax Breach Affected Over 143 Million Americans – Including Over 8 Million New Yorkers
Bureau Of Internet And Technology Discusses AG’s Response At NY State Senate Consumer Protection Hearing
Attorney General Eric T. Schneiderman’s office testified about the massive Equifax data breach at the New York State Senate Consumer Protection Committee Hearing on Identity Theft.
The Attorney General’s Office launched a formal investigation into the Equifax breach earlier this month and issued a number of consumer alerts to protect those impacted. Following conversations with the Attorney General’s office, Equifax has addressed a number of issues – including a delay in notifying consumers of the breach; a forced arbitration clause in their free credit monitoring that has now been removed; and their failure to provide Spanish-language customer service to consumers affected by the breach. Equifax has also agreed to provide consumers the ability to lock and unlock their credit file for life.
Additionally, Attorney General Schneiderman has sent data security inquiries to Experian and TransUnion, the two other major credit reporting agencies.
Bureau of Internet and Technology Deputy Bureau Chief Clark Russell gave the following testimony:
Good morning Chair Carlucci, Ranking Member Comrie and distinguished members of the Senate Consumer Protection Committee. My name is Clark Russell and I am the Deputy Bureau Chief of the Bureau of Internet and Technology at the New York State Attorney General’s office. The Bureau of Internet and Technology is responsible for protecting consumers and families from existing as well as new and developing online threats. Thank you for the opportunity to provide testimony regarding the challenges we are facing protecting consumers from identity theft.
The Equifax data breach is an unprecedented event. More than 140 million Americans, which is more than half of the adults in this country, including over 8 million New Yorkers, had their most sensitive personal information stolen, placing them all at risk of identity theft and hindering their ability to buy a home, start a business, or get a job. Although I cannot discuss any details today, our office has opened an investigation into exactly what happened. And from the moment we learned of the breach, we have been pressing Equifax on a number of issues – including a delay in notifying consumers of the breach; a forced arbitration clause in their free credit monitoring contracts that they have since removed; and their failure to provide Spanish-language customer service to consumers affected by the breach. Following conversations with our office, Equifax has addressed all of those issues and has just agreed to provide consumers the ability to lock and unlock their credit file for life. We have also raised data security questions with the two other major credit bureaus: TransUnion and Experian. We will use all of the tools at our disposal to get to the bottom of the Equifax breach, and ensure that all three credit bureaus take effective steps to protect the sensitive information they possess.
While the Equifax breach is unique in the scale and severity of the information theft, in many ways it is merely an escalation of a disturbing trend that the Attorney General’s Bureau of Internet and Technology has observed over the past several years. Under General Business Law § 899-aa, companies are required to notify consumers and our office of a data breach. As we addressed in a report issued earlier this year, in 2016 the office received 1,300 data breach notices – up 60% from the year before. The main causes of data breaches are hacking, which accounted for 40% of reported data security breaches in 2016, and employee negligence, which accounted for 37% of reported breaches. In recent years, we have received data breach notifications from Home Depot, reporting 56 million credit card numbers disclosed; Target, reporting 40 million credit card numbers disclosed; and Anthem, reporting over 78 million records disclosed including social security numbers.
Unfortunately, when a breach occurs, consumers often have limited options. Credit monitoring helps consumers identify suspicious transactions, but it only alerts the consumer after someone has already stolen her identity. Credit freezes stop wrongdoers from opening a line of credit in a consumer’s name, but a thief can still file for government benefits in the consumer’s name or file a fraudulent tax return.
We all need to do more. Businesses should only collect the information they need to conduct their business, and securely delete and destroy it when it is no longer needed. They should design and implement an information security plan. They should designate a person responsible for the plan and educate and train their employees. Finally, they should continually review their plan and revise it as new threats emerge or their business changes.
Consumers need to stay vigilant. They should create strong passwords for online accounts, and use different passwords for different accounts. They should carefully monitor credit card statements and contact their bank immediately if they see a suspicious transaction. In addition, to avoid computer viruses and online scams, they should avoid opening suspicious email or clicking on suspicious hyperlinks.
The Legislature has an important role to play in protecting consumers from threats as well. New York’s data security laws are in dire need of updating. That is why, for several years, Attorney General Schneiderman has been pushing for a major overhaul of New York’s data security law. At a minimum, the law must be updated to require companies to have “reasonable” security measures, modernize the definition of “private information,” and provide a safe harbor for companies that adopt model data security. I will discuss each of these components in more detail.
The law should require that all entities that collect or store private information have “reasonable” security measures. It may be surprising to learn that there is no statutory law requiring a company to maintain “reasonable data security,” except if it collects Social Security Numbers, or if the company is in health care or the financial industry and governed by a specific regulatory framework. The law only requires that a company provide notice to consumers and the New York Attorney General’s office if there is a breach of “private information,” which is generally defined as a person’s name in combination with a Social Security number, driver’s license, or account or credit card number.
The “reasonable” standard is a common legal standard that would take into account the size of the company, the type of information it keeps, and other facts in deciding whether the entity had acted reasonably. A mom-and-pop grocery store should have far different “reasonable” security measures than a multinational credit reporting agency, for instance. For a small business or one that does not collect sensitive personal information, reasonable security measures might only mean purchasing an antivirus program. For larger businesses or those that collect personal information, reasonable security measures might include physical safeguards, such as locks to protect physical areas where information is stored, as well as administrative safeguards, such as assigning responsibility for data security to a particular employee.
In addition, the definition of “private information” in existing law needs to be modernized. For example, it might be shocking to learn that if you maintain a Google Gmail account, and Google gets hacked resulting in the theft of your username and password, Google is not statutorily required to tell you. If a biometric authenticator, such as a fingerprint or a facial scan used to unlock an iPhone, is disclosed to a hacker, Apple is not statutorily required to tell you. This needs to change.
Finally, while the law needs to be updated to protect consumers, we also need to make sure that the law does not unduly burden companies. The law should provide a safe harbor to companies already subject to federal or other New York State data security regulations, and in compliance with those rules, so they will not need to worry about overlapping or conflicting regulations. Similarly, companies that are certified for complying with leading industry data security guidelines should be presumed to have reasonable data security.
Thank you. I am happy to answer your questions.