The date was September 7, 2017. That’s when Equifax revealed that, between the months of May and July of 2017, hackers entered into Equifax’s network to steal private information about its consumers in one of the largest data breaches in U.S. history. This information included personal identification information such as names and addresses, phone numbers, social security numbers, driver’s license numbers, and more than 200,000 credit card numbers of American consumers. The result was a massive impact to a staggering 145.5 million Americans by October 2017.
That figure increased last week when Equifax said its ongoing analysis of data stolen in last year’s incident revealed that another approximately 2.4 million U.S. consumers had their names and partial driver’s license information stolen. These consumers were not in the previously identified affected population discussed in the company’s prior disclosures about the incident. This information was partial because, in the vast majority of cases, it did not include consumers’ home addresses, or their respective driver’s license states, dates of issuance, or expiration dates.
“This is not about newly discovered stolen data,” said Paulino do Rego Barros, Jr., Interim Chief Executive Officer in a company press release. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”
The impact on Equifax has been considerable. The company has gone on record as saying they’ve spent $87.5 million in the investigation, including offering affected consumers a free year’s worth of credit monitoring. Lawsuits and Congressional investigations have been launched. The activities of the credit reporting agencies are being scrutinized.
Even more significant, the ramifications of the breach of one of the country’s top three credit reporting agencies could affect individuals and businesses for decades to come.
The sad thing is that this all could have all been prevented.
Two months prior to the hacker attack, Equifax was informed by US-CERT, the cybersecurity division of the U.S. Department of Homeland Security, that the open-sourced software Equifax used to design its web applications was flawed and could be easily accessed. Equifax’s security department reportedly acted to identify and patch the problem, but it was not enough to keep information for hundreds of millions of Americans from being put at risk.
As we enter 2018, employers should be focused on what they should be doing to ensure they don’t suffer a similar cyber breach. While the national ramifications for many businesses may be negligible, the effect on our customers and employees could be significant. That alone should make cybersecurity a top priority for any business in 2018.
One of the concerns organization have is about financial data, and rightly so. However, the threat to HR-related data is just as great and could have serious business impacts.
Here are some items to consider for 2018:
Conduct a SOC 2 Audit, and Make Sure Your Vendors Are, Too
If you have not conducted a SOC 2 audit, you should be. This informs customers about what service organization controls that your organization has in place to demonstrate that your business is taking cybersecurity seriously. SOC 2 reports provide businesses the ability to tell their customers how they are addressing their cybersecurity efforts. Businesses write their own controls based on which requirements, such as security, availability, processing integrity, confidentiality and/or privacy, apply to their business. Then an SOC 2 audit is completed, providing the auditor’s opinion on how the organization’s internal controls address the SOC 2 requirements. The end result should be a recognized opinion that the data provider can be trusted as a secure hosting company. While SOC 2 audits are usually focused on financial data, these audits also can be tailored to other internal data, such as HR data. Make sure that all of the data that your company seeks to protect from such cyberattacks is addressed. This includes a full review of security measures, rectifying any potential flaws immediately, and understanding what to do in the face of an attack.
Make Sure You Are Using Protected Vendors
Each organization should look at its vendors with access to sensitive information to see if they also have conducted SOC 2 audits. This will demonstrate their commitment to protecting your data. For instance, employee information digitally stored as part of retirement plans are a possible cybersecurity threat to both the plan’s participant and beneficiaries. Conduct an evaluation of the extent of the data security measures implemented by your plan sponsor. Make sure that contracts with plan service provider contracts fully address data security and provide appropriate indemnities to the plan, plan participants, and plan beneficiaries in the event of loss due to a security breach.
Collect Only the Data You Need
As your company gathers information for hiring processes, ask for only what is necessary. If you don’t actually need the data, don’t ask for it. For instance, it has already been stated under the Equal Employment Opportunity Commission mandates that credit reports are only necessary for specific roles. Many states and some municipalities ban asking questions about past salary or convictions. As a result, employers need to consider what information is offered as part of background checks from third-party vendors, and whether it is necessary for the hiring process. Information collected and stored on company computers or in the cloud can potentially be compromised. Don’t add to the potential problem by storing information that is not necessary.