Most remember the headlines on Sept. 7, 2017, when Equifax announced that a massive data breach had exposed the personally identifiable information of more than 147 million consumers. To compensate those affected by the data breach, a class-action lawsuit was filed in November 2017 and just recently concluded.
On Jan. 13, 2020, US District Judge Thomas W. Thrash Jr. approved a settlement to resolve the class action suit, describing the settlement as “the largest and most comprehensive recovery in a data breach in U.S. history.” Equifax will pay $380.5 million into an initial settlement fund to cover class benefits, attorney fees, expenses, administrative costs and more. Equifax has also agreed, if necessary, to pay an additional $125 million to satisfy claims and settle out-of-pocket expenses. As of last month, about 15 million people had filed a claim, and 3.3 million consumers had submitted claims for ongoing credit monitoring at a retail value of about $6 billion. The credit giant has also agreed to invest at least $1 billion in upgrades to its data security and privacy protocols.
While Jan. 22, 2020 was the deadline for joining the class action suit, affected consumers can request compensation for time spent recovering from related fraud between Jan. 23, 2020 and Jan. 22, 2024, at a maximum rate of $25 per hour up to 20 total hours. Those who do not file a claim can still receive free identity protection services and free credit reports – up to six per year through 2026 via the Equifax website.
The eye-popping numbers of this settlement serve as a real-world example of why cybersecurity and data privacy are such critical pain points for companies today. Now, more than ever, organizations need to invest in cybersecurity in order to prepare for the inevitable. Here are a few of the ways ADCG has talked about building resilience:
- Updating Legacy Systems: In its 2019 Network Security Report, IT management platform Spiceworks names outdated legacy systems as one of the biggest threats to corporate cybersecurity. At Equifax, for example, an open-source web server with an unpatched vulnerability was powering a decades-old web application that allowed consumers to check their credit rating. The same open-source web server played an outsized role in the Capital One breach as well.
- Investing in Employee Training: Studies show that prioritizing ongoing cybersecurity awareness training is a valuable tool for stopping breaches. Human error is the leading cause of data breaches. Investing the time and money required to bring employees up to speed on cybersecurity and data privacy compliance best practices will save time and money in the long run and prevent reputational damage.
- Practicing Good Cybersecurity Hygiene: Simply put, employees should not be using “1234” as a password. Computer usage should be restricted to business purposes, and access to inappropriate websites should be blocked. Employees should be prohibited from using unapproved software on business computers and trained to avoid storing personal information on company laptops.
- Creating a Plan for Continuity and Recovery: All organizations should have a plan in place for conducting operations when computers and vital technology are offline or under attack. ADCG’s Carlos Solari writes: “There are many detailed questions that need to be asked, but the general objective should be about how to continue to serve your customers and keep your business alive while your IT systems are down and in recovery. This means thinking about how employees will work without vital technology. It means answering who, what, when, where and how.”
More data privacy laws are on the horizon, with steeper fines and more potential for legal recourse by consumers. By making the necessary preparations now, businesses can respond with agility to the ever-evolving threat landscape and avoid calamity in the future.