A landmark incident has occurred in this country and it has affected millions of people. Richard Smith, CEO of Equifax, is living the nightmare that haunts many administrators these days, especially those responsible for the security of people’s Personally Identifiable Information (PII). Not only is he being criticized for one of the biggest breaches in US history, at 143 million records, but also for the delay in notification, for the possible impropriety of executives selling stock before the news broke, and for not having in place a standard set of practices to follow in the event of a breach. After all, being in the business they are in, they should have assumed they would at some point be a target and been prepared for that reality. If they thought they were, they grossly underestimated both their vulnerability and the expectations of the public.
The idea that there are trolls out there poking around for easy access to information is becoming all too real for many people. All businesses and organizations, whether large or small, need to take a look at their security. Encryption is a buzzword now and it seems everyone is getting “encrypted,” but encryption doesn’t solve all hacking problems. In the Equifax case it was a software flaw, but the easiest way into a company or organization is through its people. Email campaigns, sent hundreds at a time and relentlessly, will at some point find a weak point. One click by an overworked, stressed or simply distracted employee and the attackers are in. The breach, by design, may not be detected for weeks or months.
Whether large or small, there are a few things that need to be implemented when a business experiences a breach:
1. Unlike Equifax, notify customers/clients immediately, even if all the facts are not yet known. The law states that unless law enforcement specifically says not to, businesses are under an obligation to notify any customers/clients whose information has been compromised. Cybersecurity experts say the sooner the better.
2. Customers/clients must be informed of what was compromised, e.g. name, Social Security number, driver’s license number, birth date, etc. Whatever was taken needs to be revealed.
3. Explain what is being done about the breach.
4. Outline how people can contact the owner or representatives with questions about the breach. Will there be an 800 number or a special website? Equifax has set up a website to check whether someone’s information is in jeopardy: www.equifaxsecurity2017.com. Once there, click the Potential Impact tab and enter a last name and the last six digits of the Social Security number to check. This has proven to be problematic: people have been entering information like “Bunny” as the last name and “123456” as the last six digits and still getting an answer. That combination of information shouldn’t reveal anything. Note: the language stating that by entering information the user waives their right to sue Equifax has been removed.
5. Explain how the breach occurred.
6. List recommendations for what customers/clients can do.
7. To be helpful, include the contact information for each of the credit monitoring agencies. Kind of a strange item when one of those credit monitoring agencies is now the problem.
With 143 million records compromised, that’s 44% of the American population, this should be a wake-up call for all of us. Yes, Equifax is big, but big means that if they are vulnerable, then so is everyone else. Again, thieves don’t discriminate; they go wherever they can from the comfort of their couch, and that couch can be anywhere in the world. A business is not safe because it is small. Business owners need a plan. They need to think through what they would do. Public trust and the integrity of the business are at stake. A breach is like any other emergency and it should be treated as such. Be prepared, because in an emergency it’s difficult to find the clarity we need to act in the best interests of our customers/clients and our business.
Lori Lawson is an ID Shield specialist and LegalShield Director. Her company, New Line Associates, is located here in Oceanside and she has been a Chamber member for over ten years. Visit their website at newlineassociates.com. Email her at firstname.lastname@example.org for a free, no-obligation consultation.