Five Lessons All Companies Can Learn From The Equifax Data Breach

by Coblentz Patch Duffy & Bass

The Equifax data breach has dominated news headlines for weeks, and Equifax will be dealing with the legal and financial fallout from the breach for many years.  While many companies may be relieved not to be in Equifax's position right now, no company is immune to data breaches.  Those who fail to learn key lessons from Equifax's mistakes may find themselves in the next headline.  Accordingly, companies in every industry, and of every size, that maintain any type of sensitive personal data—whether it be of customers, employees, or data maintained on behalf of others—should study the Equifax situation and ensure that they are better prepared for a data breach incident.

1.  Everyone (yes, everyone) will experience a data breach.

When it comes to data breaches, the question is not if, but when.  The more important question, then, is how you will respond.  Data breaches do not only result from malicious hackers or phishing scams.  They can occur when employees inadvertently access and/or mistakenly share personal data.  They can occur when company laptops, flash drives, or even personal phones or tablets that contain company data, are lost or stolen.  These kinds of events occur in every company in every industry.  As a result, everyone needs to prepare to respond.  Indeed, the manner in which Equifax handled this most recent data breach—including: (1) the several weeks that elapsed before notifying affected individuals, (2) the executives who sold stock during the period between discovery of the breach and notifying the public, and (3) the company's offer to provide credit monitoring services to affected individuals, but only in exchange for a waiver of certain legal rights against the company—indicates that Equifax was not sufficiently prepared to deal with this kind of a data breach.

Every company should have a basic data breach response plan in place that at a minimum identifies who (among IT, HR, business operations, public relations, and other personnel) will respond to the breach, what their respective roles will be, and who will be the ultimate contact point and decision-makers with respect to the response.  The plan should also include a timeline and enumerated steps to follow regarding discovering the scope of the breach, investigating the cause, remedying or mitigating the breach, notifying affected individuals, and contacting law enforcement as necessary.

Because of the widely publicized nature of Equifax's data breach, as well as other recent high-profile data breaches, no company will get a "free pass" or be able to argue that it had no idea a data breach could happen to it.  In effect, these high-profile breaches put everyone on notice that data security must be a priority for all.  Any company that chooses to put its head in the sand does so at its own (certain) risk.

2.  Act quickly to show affected individuals that you are trying to protect them.

In responding to data breaches, time is of the essence.  Many have criticized Equifax for waiting until early September to notify affected individuals of a data breach it discovered in July.  Most state data breach notification statutes require that a company disclose a data breach "in the most expedient" time possible, without further clarification about what that means.  The minimum amount of time specified under state laws that contain specific time periods for notification is generally either 30 or 45 days from discovery of the breach.

In light of these general standards, Equifax's timing for notification to individuals may not have constituted an improper or unlawful delay as a matter of law.  After all, it takes some time to investigate what happened, confirm what data was breached, and implement remedial measures. And, as a company responding to a data breach, you do not want to rush to publicize inaccurate facts that you later have to correct.  However, as a practical matter, 6 weeks is a lengthy period of time for sensitive personal information to be exposed without notifying affected individuals—and as the response to Equifax shows, many people believe this kind of delay is unreasonable, regardless of the legal standards.  Thus, while a company needs time to investigate the incident and communicate accurate facts to those affected, all companies should seek to notify those whose information has been compromised sooner rather than later.

3.  Take actions that demonstrate that you are genuinely attempting to remedy the problem.

Data breaches happen.  They will continue to happen.  And the public generally understands that not every data breach, especially a hacking attack, can be prevented.  However, when a data breach occurs, affected individuals want to know that the company is doing everything in its power to protect them, not itself.  Equifax added insult to injury when it offered to enroll affected consumers in free credit monitoring services—something required under at least some state data breach laws—only if consumers agreed to waive certain legal rights against the company.  Unsurprisingly, this did not go over well in the court of public opinion.  And, while Equifax has since agreed to provide credit monitoring without these legal restrictions, the reputational damage has already been done.

Ultimately, the legal fallout from any data breach will be what it will be based on the circumstances and whether the company had reasonable protections in place.  But reputational harm may damage the company as much or more than the legal process.  The best thing a company can do in the wake of a breach is to diligently correct its data security weaknesses and work with affected individuals to minimize the scope and harm caused by the breach.

4.  Consider what sensitive personal data you maintain or need to maintain and how to safeguard it.

It is a rare company that holds no sensitive personal data.  While credit reporting companies like Equifax have more sensitive information than most, all companies have some kind of personal data—in the form of customer or employee social security numbers, financial account numbers, or other information—that triggers data breach notification requirements.  All companies should, at a minimum, know the types of personal information they maintain, how and where it is stored, who has access, and whether it is sufficiently secured.  Companies then need to consider: (1) whether they truly need all the personal information they have and (2) whether such personal information can be separated, encrypted, or otherwise safeguarded to minimize the accessibility of such information or its usefulness if improperly accessed or exposed.

5.  Consider cybersecurity insurance and other professional services.

While every company will at some point experience a data breach incident, the potential risk largely depends on the type and volume of sensitive personal data a company maintains.  For those companies where there is a real possibility of significant financial injury if a data breach were to occur, cybersecurity insurance is something to consider.  Many companies elect not to carry cybersecurity insurance because they do not want to pay expensive premiums, they are unsure exactly what the policies will cover, or they are skeptical that they will suffer a significant cybersecurity incident sufficient to justify the cost of insurance.  But the Equifax breach reminds us that data breaches will occur—and likely with increasing frequency in coming years.  Companies with significant risk should analyze whether cybersecurity insurance makes sense for them.

As the Equifax breach shows, especially in the area of cybersecurity, an ounce of prevention is worth a pound of cure.  Companies should work with cybersecurity consultants, attorneys, or other professionals prior to a data breach, both to protect against breaches and to prepare to respond to one.  Preventative cybersecurity training for employees is key, as human error is responsible for many data breaches.  Companies should ensure that their IT systems are reasonably secured, their personnel are reasonably trained, and their data breach response plan is ready to go for when a data breach occurs.  And it will.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Coblentz Patch Duffy & Bass | Attorney Advertising