On September 7, the credit reporting agency Equifax revealed it had experienced a cybersecurity breach in late July that potentially exposed the sensitive personal data of 143 million Americans to unidentified hackers, and the agency said this week that it had suffered another breach in March.
The data exposed in the breach included millions of consumers’ names, birth dates, addresses, Social Security numbers, and in some cases driver’s license numbers. The hackers also obtained 209,000 credit card numbers and documents with personal information used in disputes for 182,000 people. “On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” Avivah Litan, a fraud analyst at Gartner, told the New York Times when the July breach was disclosed earlier this month.
With so many people affected, most US organizations likely have victims of the breach among their employees, whose data could be used to steal their identities and commit fraud. Employers that offer 401(k) plans should contact their third-party administrators to ensure that employees are notified of any vulnerabilities in their accounts, Edward McAndrew, an attorney with Ballard Spahr in Philadelphia and former cybercrime prosecutor for the Department of Justice, tells Allen Smith at SHRM:
The TPAs should notify employees to monitor their account statements for fraudulent activity and start using multifactor authentication to access their accounts, McAndrew said. HR shouldn’t provide the notice itself or it will get inundated with questions from employees about Equifax’s breach, he said.
Employers also should be wary of checking credit as a condition for employment, he said. If they do rely on credit checks, “that’s a substantial concern going forward,” he noted. The score might be low because a criminal stole a job applicant’s identifying information, set up loans or credit card accounts using the applicant’s identity, and then did not pay those loans or credit card bills.
IDTheftSecurity.com CEO Robert Siciliano agrees that plan participants should take precautions, but tells Smith that 401(k) plans probably are not more vulnerable because of this data breach, as the information obtained from Equifax would not be enough on its own to access an account. Cybercriminals would have to contact employees via phone or email and con them into providing more sensitive information to do so.
The more salient risk is new-account fraud, in which identity thieves use hacked personal data to open credit cards or take out loans in another person’s name. Employees should be advised to watch out for signs of this kind of fraud, Smith recommends, and trained on how to identify phishing scams. One risk that experts fear from the Equifax breach is a spike in fraudulent tax returns, at a time when the US government is already warning that phishing scams involving employees’ W-2 tax forms are on the rise.
At Lexology, Littler Mendelson attorneys Andrew Epstein, Philip L. Gordon and Zoe M. Argento note that employers likely do not have any legal obligation to respond to the Equifax breach, but “should assume that the same thing could happen to any vendor” they entrust with their employees’ data, such as the third-party administrators of their health insurance or 401(k) plans. In such cases, they point out, employers are legally responsible for responding to a breach, so they recommend that employers “carefully vet the data security policies and procedures of any vendors that will handle data subject to data breach notification laws … [and] consider adding provisions to vendor contracts that pass down the employer’s breach response obligations to the vendor.”
Now is a great time for organizations to review their own cybersecurity and data security procedures. HR has an important role to play in safeguarding companies’ data, both as a common target of cybercriminals and as the main conduit for communicating important information and instilling data security best practices among the workforce.