Trusting your vendors: The Equifax fallout part 1
Posted on 09/14/2017 at 12:00 AM by Jesse Johnston
Fallout from the Equifax breach is still unfolding. Already there has been a lawsuit filed by consumers, alleging Equifax did not do enough to protect their sensitive data. Equifax is trying to help consumers who may have been affected through a credit monitoring service. New York’s Attorney General has opened an investigation into the breach. And Equifax’s forensic investigation to uncover exactly how the information was hacked is ongoing.
Hackers allegedly accessed consumer information through a vulnerability in an application, but Equifax does not yet know which application it was. Forbes has reported that the vulnerability was accessed on one of Equifax’s U.S.-based web servers.
Equifax provides many services besides credit reporting. They have a service known as “Insights” which has been marketed to financial institutions, background checks for “resident and tenant” screening, and an Equifax “Verification” for pre-employment issues. Chances are good that your business has either used Equifax as a third-party vendor or contracted with a vendor who has used Equifax as a subcontractor. The credit reporting agencies have been described as the “plumbing” of our financial system, and the remedy may not be as simple as withholding our business.
The Monday morning quarterback might be quick to point out Equifax’s alleged oversights: it did not patch where patching was required, and it should have been tipped off by recent breaches of its system. However, this data breach provides a reminder to all of us, no matter the business in which we operate, that we have the power and obligation to protect ourselves through the agreements we sign with our third-party vendors. Part II of this blog will discuss some contract provisions you must consider for your third-party vendor contracts. Part III will address how to ensure that your vendor’s vendors are going to protect your customers’ data.
There is no doubt that blame will be widely placed in the weeks and months to come. We will all be closely watching and learning. In the meantime, start thinking about your third-party vendors, because your business can negotiate vendor agreements that are developed to help keep it out of these crosshairs.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
- Jesse Johnston
The material, whether written or oral (including videos), that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog postings are those of the individual author; they may not reflect the opinions of the firm. Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.