Channel | Industry

The Equifax Data Breach: A Compliance Lesson in Disguise

The failures that put 143 million Americans’ credit at risk would be equally embarrassing for your dealer clients.
By: Robert J. Wilson

The Equifax Data Breach: A Compliance Lesson in Disguise

By now, the immensity of the Equifax data breach has started to sink into our collective consciousness … 142 million consumers, half of all Americans, have been adversely affected by the complete failure of Equifax to safeguard their nonpublic personal information (NPI). Keep in mind that those 143 million consumers are going to be adversely affected by the Equifax data breach for the rest of their lives!

So what does this mean for automotive dealerships? This is a compliance lesson, writ large, for all of the world to see. More specifically, this is an example of a compliance failure, the size and scope of which we have never seen before. Whether or not Equifax will survive this catastrophic event remains to be seen. Multiple class actions have been filed alleging the failure of Equifax to comply with the Fair Credit Reporting Act (FCRA), the failure of Equifax to comply with state data breach laws and negligence by reason of its failure, after previous security incidents, to take reasonable action under the circumstances. The dollar exposure of Equifax in these class actions will certainly be in the millions of dollars.

Facts reported in the news indicate that it took Equifax 143 days to discover the data breach and 40 days after the discovery of the breach to notify the affected individuals. State laws vary, but data breach notification acts typically require notice “without unreasonable delay” or “whenever it becomes aware” of the data breach or similar language. Undoubtedly, the length of the delay here was unreasonable and did not occur as soon as Equifax was aware of the data breach and Equifax will suffer the consequences.

In particular, the computer application that the hackers took advantage of was patched approximately two months before the Equifax attack occurred, and notice of this was available on the National Vulnerability database. This episode points to the inescapable conclusion that Equifax did not have a robust data security program in place (e.g. no regular checking for software/application updates, no regular monitoring of published vulnerabilities) and, certainly, had no plan of action for the possibility that a security event could occur (e.g. 40-day delay to figure out what to do).

A complete compliance management system (CMS) would require policies and procedures, training, audit and complaint management and would bring, at a minimum, a double failsafe approach to compliance —first via policies, then via training and, if both of those failed, through audit.

On the dealership floor, the impact of one in two customers suffering the consequences of this monumental data breach will be significant. In response to the Equifax data breach, many consumers have implemented credit freezes and/or have placed a fraud alert on their file. (Does your CMS address credit freezes and fraud alerts?)

If the hackers have gained access to the consumer’s credit information, then there is the possibility of unauthorized charges on the consumers account which will need to be investigated and there will be an increased urgency to ensure that the consumer is actually the person they represent themselves to be. This means compliance with the Red Flags Rule will become even more critical.

What is the takeaway here? Implementation of a complete CMS will be even more critical to protect your customers and reputation. Going forward, fraud prevention and consumer protection will need even added attention from dealerships to avoid being dragged down with Equifax into the failed compliance whirlpool — or is it a cesspool?

DISCLAIMER: Content provided in this article is intended for informational purposes only and should not be construed as legal advice and should not be relied upon or acted upon without specific legal advice based upon your particular situation, jurisdiction and circumstances. No attorney-client relationship is being created by your review or use of this material. © 2017 Robert J. Wilson

This article was written by:

- has written 13 posts on Agent Entrepreneur.

Robert J. Wilson, Esquire (Bob) is a Philadelphia lawyer and is General Counsel for ARMD Resource Group. Bob is the principal of Wilson Law Firm and has over 30 years of experience both as a counselor and as a litigator in State and Federal Courts. Risk management, problem solving and dispute resolution are his core competencies. Bob’s practice is largely in the consumer finance space and he regularly consults with Lenders and contributes articles on various compliance related issues.

Contact the author

The views expressed by the authors and those providing comments are theirs alone, and do not necessarily reflect the views of Agent Entrepreneur or any employee thereof.

Leave a Reply