Leaders Edge

September 8, 2017

Credit reporting firm Equifax announced yesterday a massive cybersecurity breach, compromising sensitive personal and credit information of 143 million American consumers – nearly half the country.


After you check the status of your identity, Equifax offers the option to enroll in a “TrustedID Premier” credit monitoring service. A recent TechCrunch article explains that in agreeing to the terms of service, the user is waiving their rights to bring a class action lawsuit against Equifax.

Equifax, one of the three major consumer credit reporting agencies, said hackers accessed company data including social security and driver’s license numbers between mid-May and July. The company said credit card numbers for 209,000 U.S. customers were also exposed in the breach.

Bloomberg reported that three top executives sold nearly $1.8 million in stock shortly after the firm initially discovered the breach. Interestingly, the company insisted that those executives were unaware of the breach when they made the sale.

“This is about as bad as it gets,” said Pamela Dixon, executive director of the World Privacy Forum, a nonprofit research group. “If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent.”

Avivah Litan, a fraud analyst at Gartner, described the breach as a “10 out of 10” in terms of severity. While recent breaches such as the two Yahoo announced in 2016 were larger in size, totaling nearly 500 million users, the Equifax attack is far worse due to the nature of the breach, which compromised “the keys that unlock consumers’ medical histories, bank accounts and employee accounts,” according to a New York Times article.

While the total damage of the breach is unknown at this point, total costs will likely reach hundreds of millions of dollars, or potentially higher, when all is said and done.

The data breach also highlights the need for a uniform federal standard for reporting data breaches, a position The Council supports. Currently, 47 unique data breach notification laws exist at the state level. The Council believes a uniform data breach notification law would ease compliance burdens that businesses face in the wake of a breach affecting clients across state lines.

Sen. Mark Warner (D-Va.), a Senate Banking Committee member, has “made disclosure of data breaches a public priority,” according to a recent PoliticoPro article, “calling for new laws for comprehensive data breach notification and, in particular, pressing the SEC to investigate the timing of Yahoo’s disclosure.”

Warner added, “while many have perhaps become accustomed to hearing of a new data breach every few weeks, the scope of this breach…raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies.”

Equifax has created a website to help consumers determine whether their data was at risk.