Page 22 - 3Q 2017 Reporter
The Equifax Data Breach and Your Bank
by Silvia Garcia Maggio, CRCM, Associate General Counsel for Compliance Alliance

At the beginning of September, it was discovered the credit reporting agency Equifax had been breached via a cyberattack that lasted from mid-May through its discovery by Equifax at the end of July. The Compliance Alliance hotline has had numerous questions from our members asking for more information on what happened, what’s required in light of this major breach, and what banks should be doing to assist their customers.

First: What exactly happened? On July 29, 2017, Equifax discovered that there had been a major data breach of their systems amounting to 143 million Americans (in addition to Canadian and UK citizens) who had their personal data exposed during this cyberattack. Equifax issued a press release on September 7th detailing the breach in order to notify potential victims. The breadth of the exposure includes not just names and social security numbers but also birth dates, addresses, driver’s license numbers, credit card numbers, and dispute documents. While the exposure of credit card numbers and dispute documents was smaller than the other information items, that amount of exposed non-public personal information is extensive. With the ongoing issues related to identity theft and cyber security we’ve seen in the last few years (e.g., Target and Home Depot), this last breach leaves community banks, who already feel the onus of information security responsibilities, with a new, very real concern.

One of our most frequently asked questions related to the breach is whether banks are required to give notice to their customers as they would be required to do if their own systems were breached. The short answer is no – there’s no specific requirement to give a notice to your customers as the breach was not of the bank’s systems. That being said, there are plenty of things banks can do to help mitigate and prevent identity theft in light of this breach. First, we suggest giving a blanket notice to customers of this breach and how it may impact them. Again, this is not a required notice but the best defense against customer identity theft is awareness and vigilance. Of course, the bank should also be utilizing its red flags program to ensure any changes in customers’ information actually come from customers, as well as using both the Red Flags Program and CIP processes to ensure the validity and veracity of new customers and their identifying information.

Next, the bank should contact Equifax and attempt to determine whether any of its customers are affected in order to monitor accounts for suspicious activity. Some banks are choosing to offer or provide resources for credit monitoring, which are great ideas.

Finally, banks should take this opportunity to give new consideration to what third parties and vendors they provide sensitive customer information to – as we’ve seen with this breach, no third party is risk-free or above a risk assessment. As this is Equifax’s second breach, it’s worthwhile to consider whether the risk of continuing to report to this agency is acceptable to the bank, in addition to any other third parties the bank communicates with.

Another question we’ve been getting is what resources are available for concerned customers who’d like to know more about what they can do to inform and protect themselves. Equifax has put out a variety of FAQs and the FTC has put out a great resource about what steps consumers can take in light of this breach (https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do). In addition, Compliance Alliance has a variety of regulatory and consumer compliance resources for banks, including our IT toolkit and Red Flags tools.

Silvia Garcia Maggio, CRCM
Associate General Counsel

Silvia Garcia Maggio serves as an Associate General Counsel for Compliance Alliance. After graduating from The University of Texas School of Law in 2011, Silvia began her career in real property and foreclosure law. Employed by a national mortgage servicer since 2012, Silvia worked on the OCC independent foreclosure audit and in compliance for Enterprise Risk Management, gaining a multitude of experience dealing with multi-state and federal banking regulations. Silvia started with Compliance Alliance in March of 2014. Silvia is part of our team of attorneys who assist CA members with a wide range of regulatory and compliance inquiries. Over the past year, Silvia has developed and implemented the C/A Minute videos, a series of short compliance training and refresher videos that leverage the frequently asked questions from the Compliance Alliance hotline. In addition, Silvia regularly presents on a number of compliance topics at regulatory schools and conferences nationwide.

Third Quarter 2017 Illinois Reporter