The massive Equifax data breach that compromised 143 million personal records has triggered nearly two dozen class-action lawsuits claiming personal harm to consumers.
But businesses also have cause for concern. Many depend on information from the three major credit bureaus to approve consumer credit and employee security privileges, as well as to verify identifies. The breach compromises the risk analysis and identity verification systems supporting many business operations. When that data is corrupted, it can put those organizations at risk.
In a nutshell: Expect commercial-focused class actions claiming potential harm to businesses and other entities as a result of the breach, in addition to the usual consumer class actions.
Many organizations depend heavily on the data sets collected, stored and managed by Experian, TransUnion and Equifax to assist with things like:
- Credit worthiness. Businesses rely on credit bureau data when granting credit to consumers.
- Identity verification. Employers use the data to vet job candidates.
- Work privileges. Government agencies use it to determine employee security clearances and similar work-related privileges.
Post-breach, businesses must determine if, and to what extent, they can trust the information provided by not just Equifax, but all of the credit bureaus. To determine credit worthiness or verify identities, businesses check their information against known values, such as a consumer’s primary mortgage lender name, the last amount for their car loan payment, or even more mundane information like date of birth, home address or their employer’s name.
The problem is it’s not clear if these details were exposed as part of the breach since, according to Equifax, the records for approximately 180,000 individuals also included information about disputes, which encompassed additional personal data.
And consider this: Equifax is only one of three major credit bureaus. Much of the exposed data is essentially duplicated in the credit files held at the other bureaus, even if they collect that data separately and on their own. That means that the compromise of information at Equifax calls into question corresponding data at the other two main credit bureaus. Businesses can’t simply point their data requests somewhere else, because every data set is now suspect.
Attorneys should be considering what their business clients’ potential risk may be at this point. It will be criticial for them to begin analyzing where risks exist and to develop strategies to mitigate them.
Eduard Goodman is the global privacy officer at CyberScout.