Published By Janet Gershen-Siegel at September 12th, 2017
As the news continues to come out from the Equifax data breach, one thing is for certain in a sea of uncertainty – a lot of people are going to be affected.
There are about 240 million adults in the United States, as of the date of writing this blog post. Equifax estimates their data breach affected some 143 million persons, although some of those people were citizens of the UK and Canada. In addition, it is possible that a fraction of those affected are under the age of 18 although that figure is probably not too high (consider that a 17-year-old girl might get her first gas card but it’s highly, highly unlikely that a 5 year old even knows what credit is).
Therefore, if we operate under the assumption that about 140 million of the people affected are American adults, then the breach is affecting about 58% of all of the adults in the United States. Hence the prudent assumption is that you are in that group.
Furthermore, the Equifax site itself seems unreliable. Security news and investigation website Krebs on Security reports that some people got different answers from the Equifax website (with respect to whether they were on the affected list of people or not) if they switched from a desktop to the mobile version of that site. Still others did not get a yes or no answer at all; instead, they were just offered credit monitoring. Plus many sites reported that you could enter random names and numbers and the site would return an answer.
Equifax had numerous issues with the breach, not the least of which has been its handling of the matter.
A few days ago, Equifax had fine print on its credit monitoring sign up page, telling concerned consumers that by clicking to get free credit monitoring for one year, they were also automatically forfeiting their rights to sue the company for damages sustained due to the breach. This understandably caused an outrage, and the company dialed it back, saying that now there is no waiver of a right to sue.
And a good thing, too, as a waiver of the right to sue (called a ‘covenant not to sue’) is disliked by virtually every judge out there. Covenants not to sue are interpreted strictly if they are permitted at all, and they are more likely to be allowed if the following conditions apply:
Neither circumstance applies here. The attempts at forcing forfeitures were hard to spot and the company did not spell out that anyone selecting the years’ worth of free credit monitoring was giving up anything or paying any sort of hidden charges, monetary or otherwise. Furthermore, the parties were not on an equal footing at all, with the waiver being presented as a ‘take it or leave it’ proposition.
Technology news provider Ars Technica determined that the EquifaxSecurity2017 started off as a regular old WordPress blog, and did not have enterprise-level security – something which should have been a given, considering the breach and the fact that the site was holding names and Social Security numbers. Plus the domain name isn’t even registered to Equifax – it’s registered to a company called Mark Monitor. Krebs on Security had reported that the site was initially registered to Edelman PR. Therefore, it is safe to presume that the registration of this site changed hands in less than three days.
Beyond the question of possible insider trading (more on that in a moment), Krebs on Security also noted that the equihax.com domain was purchased and registered on September 5, 2017 (two days before the breach was announced publicly) by one Brandon Schondorfer. Why was that domain purchased? This happens as a proactive measure when a company is about to announce bad news. For all of the companies which never claimed their company name + sucks.com, this can be a smart move. However, here the timing is suspect.
But the company was right about one thing – people are using the equihax term– as a hashtag on Twitter. As you might expect, Twitter is not being kind about this.
Oh yes, they went there. Powerhouse New York City law firm Bronstein, Gewirtz & Grossman, LLC is investigating whether Equifax or its employees possibly violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934. The really important parts are Section 10(b) (5), which is about fraudulent business practices, and Section 20(a), the insider trading law.
Will the Bronstein firm take the case? That’s not known yet. However, the firm handles class actions suits regularly, so any suit may very well turn out to be a rather large class action suit.
I mentioned some things you can do yesterday, but here are more. It is becoming clear that putting a credit freeze on your account is the best way to go. A credit freeze means that every time someone (including you) wants to open up another credit account or get a loan, you need to use your PIN to temporarily unlock your account. Obviously, you don’t unlock for thieves (duh!). Keep your PINs safe and secret, of course. You can take off the freeze permanently if you want to, and some of the services allow you to preemptively remove a freeze on a credit inquiry, which you might want to do if you’re buying a car or the like and know which company will be making the inquiry.
Credit freezes do not prevent identity theft, but they do make life harder for thieves. And with so many accounts to choose from, being frustrated and slowed down by your credit freezes might be enough for a thief to move onto the next of 143 million names on his or list.
Or not. According to the New York Times, possible uses for this data are not just credit cards obtained fraudulently, but also people going to the emergency room and using your medical benefits, or thieves submitting a tax return for you on January 2 (and not out of the goodness of their hearts) to steal your refund.
Starting a credit freeze due to the Equifax breach is easy but it will take a bit of time. Plus all of these services are overwhelmed right now. Be patient.
All of these steps were fast; the entire process, including printing forms (and even changing ink cartridges) took me maybe an hour and a half.
We will continue to monitor this story, just like you should be monitoring your credit scores. Stay tuned!