Clearly, if you are a banker, you can rest assured that the data breach at Equifax affecting 143 million consumers was not your fault. So why do you have a dog in this fight? The problem for banks is not what they did, or what they did not do, but rather what steps they might neglect in dealing with the aftermath of the Equifax breach.
The reason is straightforward: Those 143 million consumers whose personal information was stolen are not Equifax’s customers, they are yours. Equifax is your vendor and you provided it with highly sensitive information that, if compromised, could cause significant harm to the very customers who trusted you with it. It was your responsibility, through rigorous due diligence and vendor management, to ensure that this information was protected and, like it or not, it is now your responsibility to help your customers deal with this potentially damaging situation.
Banks may or may not have a legal responsibility to address this situation. However, if I were a board member of a bank that shared customer information with Equifax, I would certainly be asking tough questions right now and demanding thorough and documented answers. What agreements do we have in place with both the credit bureaus and our customers in terms of which party has liability in a breach of a credit reporting agency? What documentation did we rely on to evaluate and approve Equifax’s security procedures? Was our systems assessment thorough or cursory? It is imperative that management and the board quickly get the answers to these questions and others to determine the extent of any legal liability.