Page 22 - 3Q 2017 Reporter

The Equifax Data Breach and Your Bank

by Silvia Garcia Maggio, CRCM, Associate General Counsel for Compliance Alliance


At the beginning of September, it was discovered that the credit reporting agency Equifax had been breached via a cyberattack that lasted from mid-May through its discovery by Equifax at the end of July. The Compliance Alliance hotline has had numerous questions from our members asking for more information on what happened, what’s required in light of this major breach, and what banks should be doing to assist their customers.

First: What exactly happened? On July 29, 2017, Equifax discovered that there had been a major data breach of their systems amounting to 143 million Americans (in addition to Canadian and UK citizens) who had their personal data exposed during this cyberattack. Equifax issued a press release on September 7th detailing the breach in order to notify potential victims. The breadth of the exposure includes not just names and social security numbers but also birth dates, addresses, driver’s license numbers, credit card numbers, and dispute documents. While the exposure of credit card numbers and dispute documents was smaller than the other information items, that amount of exposed non-public personal information is extensive. With the ongoing issues related to identity theft and cyber security we’ve seen in the last few years (e.g., Target and Home Depot), this last breach leaves community banks, who already feel the onus of information security responsibilities, with a new, very real concern.

One of our most frequently asked questions related to the breach is whether banks are required to give notice to their customers as they would be required to do if their own systems were breached. The short answer is no – there’s no specific requirement to give a notice to your customers as the breach was not of the bank’s systems. That being said, there are plenty of things banks can do to help mitigate and prevent identity theft in light of this breach. First, we suggest giving a blanket notice to customers of this breach and how it may impact them. Again, this is not a required notice but the best defense against customer identity theft is awareness and vigilance. Of course, the bank should also be utilizing its red flags program to ensure any changes in customers’ information actually come from customers, as well as using both the Red Flags Program and CIP processes to ensure the validity and veracity of new customers and their identifying information.

Next, the bank should contact Equifax and attempt to determine whether any of its customers are affected in order to monitor accounts for suspicious activity. Some banks are choosing to offer or provide resources for credit monitoring, which are great ideas.

Finally, banks should take this opportunity to give new consideration to what third parties and vendors they provide sensitive customer information to – as we’ve seen with this breach, no third party is risk-free or above a risk assessment. As this is Equifax’s second breach, it’s worthwhile to consider whether the risk of continuing to report to this agency is acceptable to the bank, in addition to any other third parties the bank communicates with.

Another question we’ve been getting is what resources are available for concerned customers who’d like to know more about what they can do to inform and protect themselves. Equifax has put out a variety of FAQs and the FTC has put out a great resource about what steps consumers can take in light of this breach (https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do). In addition, Compliance Alliance has a variety of regulatory and consumer compliance resources for banks, including our IT toolkit and Red Flags tools.

Silvia Garcia Maggio, CRCM
Associate General Counsel

Silvia Garcia Maggio serves as an Associate General Counsel for Compliance Alliance. After graduating from The University of Texas School of Law in 2011, Silvia began her career in real property and foreclosure law. Employed by a national mortgage servicer since 2012, Silvia worked on the OCC independent foreclosure audit and in compliance for Enterprise Risk Management, gaining a multitude of experience dealing with multi-state and federal banking regulations. Silvia started with Compliance Alliance in March of 2014. Silvia is part of our team of attorneys who assist CA members with a wide range of regulatory and compliance inquiries. Over the past year, Silvia has developed and implemented the C/A Minute videos, a series of short compliance training and refresher videos that leverage the frequently asked questions from the Compliance Alliance hotline. In addition, Silvia regularly presents on a number of compliance topics at regulatory schools and conferences nation-wide.


Third Quarter 2017, Illinois Reporter