What employers can learn from the Equifax data breach

The recent Equifax data breach has potentially compromised the personal data of some 143 million Americans, or roughly half the U.S. adult population.

In what is thought to be the largest-recorded cyber breach ever, the names, birth dates, addresses, and Social Security and driver’s license numbers of consumers were compromised by unauthorized individuals. Some credit card information may also have been breached.

It wasn’t the first massive cyber attack we’ve seen. The Kaiser Foundation Health Plan, Inc., Home Depot, Target, Sony, Anthem, and even the U.S. Office of Personnel have found their data compromised in recent years. Some of that data involved sensitive employee information.

Costly lawsuits

Increasingly, these data breaches are exposing employers to costly lawsuits. In the case of the Kaiser Foundation, employee data was exposed when a hard drive containing personal information was sold at a thrift store. California’s Attorney General filed suit against Kaiser, alleging the foundation violated the state’s breach notification law by not notifying affected employees immediately after the breach was discovered. Without admitting guilt, Kaiser settled in 2014 for $150,000 in penalties and costs and agreed to implement new security policies.

Sony faced several lawsuits after hackers got into the company’s data in 2014. The breach allegedly compromised the personally identifiable information for thousands of employees, including names, Social Security numbers, birth dates, addresses, salary information, medical documents, and passport and visa information. In 2016, the company reached a multimillion-dollar agreement to settle a class action lawsuit.

What can employers do to address cyber risk?

There are proactive steps an employer can take to protect the private information of employees. Here are some of them:

  • Encrypt sensitive employee data
  • Conduct frequent cyber risk audits and act promptly to address any security vulnerabilities uncovered
  • Ensure that software, firewalls, and virus protection programs are kept current
  • Limit employee access to sensitive data to only those whose roles require such access
  • Provide cybersecurity training to all employees and create policies and strategies to mitigate, if not eliminate, breaches
  • Consider cybersecurity insurance, which may help cover costs related to business interruption, reputational damage, expenses related to managing a breach, as well as data and property destruction
  • Become familiar with cybersecurity laws in the states where you conduct business—and recognize that the laws can vary from state to state

Also, reconsider approaches to employee passwords, PINs, and password reset requests. Often, all one need do to reset a password is answer a knowledge-based question such as “What was the name of the first street you lived on?” or “What’s the name of your favorite pet?” The first can be answered by a Zillow search; the second by an online scan of a user’s Facebook or Twitter account. The use of one-time tokens sent via e-mail or a device, in conjunction with strong passwords, can be effective.
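To make the one-time-token recommendation concrete, here is an added example (not code from the article or from Verisk) of how a password reset token should be issued and redeemed. It assumes a hypothetical in-memory store and a 15-minute validity window; the points it demonstrates are that the token comes from a cryptographic random source, only its hash is kept server-side, it expires, it is good for a single attempt, and the comparison is constant-time. The plaintext token returned by `issue_reset_token` is what would be sent to the employee's e-mail address or device.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory store for the example: username -> (sha256 hex of token, expiry epoch seconds).
# A real deployment would keep this in a database with the same fields.
_pending_resets: Dict[str, Tuple[str, float]] = {}

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset token is valid for 15 minutes


def _hash_token(token: str) -> str:
    """Store only a hash so a leaked table cannot be replayed as live tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Create a single-use, time-limited reset token for `username`.

    Returns the plaintext token to be delivered out of band (e-mail or device).
    Issuing a new token replaces any earlier one for the same user.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    _pending_resets[username] = (_hash_token(token), now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(username: str, presented: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for a valid, unexpired token; otherwise False.

    The stored entry is removed on any attempt, so each token allows a single try:
    a wrong guess burns it and the user must request a new one.
    """
    now = time.time() if now is None else now
    entry = _pending_resets.pop(username, None)
    if entry is None:
        return False  # nothing pending, or already used
    stored_hash, expires_at = entry
    if now > expires_at:
        return False  # expired; caller should issue a fresh token
    # Constant-time comparison so response timing does not leak hash prefixes.
    return hmac.compare_digest(stored_hash, _hash_token(presented))


if __name__ == "__main__":
    # Constructed walk-through: issue, then redeem within the window.
    t = issue_reset_token("employee42")
    print("token delivered out of band:", t)
    print("redeem once:", redeem_reset_token("employee42", t))
    print("replay attempt:", redeem_reset_token("employee42", t))
```

Pairing this with the existing password rather than replacing it keeps two factors in play: something the user knows (the password or a new one chosen after the reset) and something delivered to a channel the user controls, which is exactly what a knowledge-based question cannot provide once the answer is discoverable online.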

The bottom line: When it comes to cyber risk, a proactive approach is the best policy.


Brian D. George, Esq., is compliance manager of the Verisk Analytics iiX unit, a premier provider of motor vehicle reports (MVRs) and preemployment screening services. His areas of specialty include FCRA, DPPA, HIPAA, COPPA and GLB legislation; information security and privacy (NIST, SOC, FISMA, ISO); and consumer reports and background checks. He holds CIPM and CIPP/US certifications from the IAPP and is also NAPBS FCRA certified. He has a bachelor’s degree in political science from Texas A&M University and received his law degree from Thurgood Marshall School of Law.