The Equifax Data Breach: A Compliance Lesson in Disguise

The Equifax Data Breach: A Compliance Lesson in Disguise
By now, the immensity of the Equifax data breach has started to sink into our collective consciousness ... 142 million consumers, half of all Americans, have been adversely affected by the complete failure of Equifax to safeguard their nonpublic personal information (NPI). Keep in mind that those 143 million consumers are going to be adversely affected by the Equifax data breach for the rest of their lives!
So what does this mean for automotive dealerships? This is a compliance lesson, writ large, for all of the world to see. More specifically, this is an example of a compliance failure, the size and scope of which we have never seen before. Whether or not Equifax will survive this catastrophic event remains to be seen. Multiple class actions have been filed alleging the failure of Equifax to comply with the Fair Credit Reporting Act (FCRA), the failure of Equifax to comply with state data breach laws and negligence by reason of its failure, after previous security incidents, to take reasonable action under the circumstances. The dollar exposure of Equifax in these class actions will certainly be in the millions of dollars.
Facts reported in the news indicate that it took Equifax 143 days to discover the data breach and 40 days after the discovery of the breach to notify the affected individuals. State laws vary, but data breach notification acts typically require notice “without unreasonable delay” or “whenever it becomes aware” of the data breach or similar language. Undoubtedly, the length of the delay here was unreasonable and did not occur as soon as Equifax was aware of the data breach and Equifax will suffer the consequences.
In particular, the computer application that the hackers took advantage of was patched approximately two months before the Equifax attack occurred, and notice of this was available on the National Vulnerability database. This episode points to the inescapable conclusion that Equifax did not have a robust data security program in place (e.g. no regular checking for software/application updates, no regular monitoring of published vulnerabilities) and, certainly, had no plan of action for the possibility that a security event could occur (e.g. 40-day delay to figure out what to do).
A complete compliance management system (CMS) would require policies and procedures, training, audit and complaint management and would bring, at a minimum, a double failsafe approach to compliance —first via policies, then via training and, if both of those failed, through audit.
On the dealership floor, the impact of one in two customers suffering the consequences of this monumental data breach will be significant. In response to the Equifax data breach, many consumers have implemented credit freezes and/or have placed a fraud alert on their file. (Does your CMS address credit freezes and fraud alerts?)
If the hackers have gained access to the consumer’s credit information, then there is the possibility of unauthorized charges on the consumers account which will need to be investigated and there will be an increased urgency to ensure that the consumer is actually the person they represent themselves to be. This means compliance with the Red Flags Rule will become even more critical.
What is the takeaway here? Implementation of a complete CMS will be even more critical to protect your customers and reputation. Going forward, fraud prevention and consumer protection will need even added attention from dealerships to avoid being dragged down with Equifax into the failed compliance whirlpool — or is it a cesspool?
DISCLAIMER: Content provided in this article is intended for informational purposes only and should not be construed as legal advice and should not be relied upon or acted upon without specific legal advice based upon your particular situation, jurisdiction and circumstances. No attorney-client relationship is being created by your review or use of this material. © 2017 Robert J. Wilson
More Industry

Luxe N.C. Dealerships Change Hands
A collection of Italian and English brand franchises were handed off to the owner’s friend in the business and include the Carolinas’ only Ferrari retail stores.
Read More →
Exposure Drives Interest in Chinese Cars
At a recent demonstration, consumers had the chance to ride in a Chinese-branded vehicle, a firsthand experience that improved their perceptions and purchase intent.
Read More →
Automotive Consumers Sink Further in Debt
Most financing metrics hit records in the second quarter as more buyers locked themselves into long terms and high monthly payments.
Read More →
Agent Advocate
Rob Mancuso, who comes from a long line of auto dealers, values general agents’ place in the industry and makes a case for them taking an even bigger seat at the table.
Read More →
Driving Under Distraction
Though consumers gave higher marks to new vehicles in JD Power’s most recent initial-quality poll, high-tech interference worsened, pointing to craving for simplicity.
Read More →
Affordable New Cars a Thing of the Past
More than one out of five new vehicles sell for more than $60,000, according to Edmunds. That's up 7% compared to prepandemic 2019.
Read More →
State Follows Federal Warning on Auto Ads
The Massachusetts attorney general cautioned the state’s automotive dealers to be upfront with the consuming public about their vehicle prices or risk punishment.
Read More →
Consumer Outlook on the Rise
Younger generations are feeling more positive about their financial futures and current affordability pressures than older generations, according to recent TransUnion data.
Read More →
Pennsylvania Dealership Under New Retailers
The sale of the Chrysler Dodge Jeep Ram store puts a family auto group on a leaner path as first-time dealers take the helm.
Read More →
Battery Storage Takes Priority Over EVs
U.S. automakers are prioritizing battery energy stationary storage over electric-vehicle production as the consumer demand for EVs lags the rest of the world.
Read More →