State banking officials are urging businesses to review their cybersecurity measures in the aftermath of the Equifax data breach.
Equifax revealed earlier this month that a hack of its system this summer potentially compromised sensitive information collected from nearly half of the U.S. population. The breach included data like Social Security numbers, birthdates, addresses and driver’s license information collected by the credit-rating agency.
Much of the legal response to the Equifax hack will come from state rather than federal agencies. State attorneys general throughout the country, including Pennsylvania, have already launched investigations into or lawsuits against the credit-rating agency.
State officials have taken similar actions in other cybersecurity cases, including the 2013 breach of Target Corp.’s credit card system. Pennsylvania won $469,000 in that case, in addition to the $10 million Target is paying out as restitution to an estimated 225,000 customers nationwide.
The Pennsylvania Department of Banking and Securities supervises the financial services industry but is urging all companies, finance-related or not, to scrutinize the safeguards in place for their customers.
For example, businesses should perform due diligence on contracts they have with Equifax and other companies that handle confidential customer information, department Secretary Robin Wiessmann recommended in a news release this week.
“Even if your business does not conduct financial transactions online, stolen information can be used to impersonate, deceive, and steal, potentially devastating both businesses and individuals,” Wiessmann said in the release. “All business leaders must recognize that it is not a question of ‘if’ their organization will be hacked, but ‘when’ – if they have not already been targeted.”
Wiessmann also recommended that businesses ask themselves the following questions:
- Does our business require the use of multifactor authentication for accessing sensitive data?
- How does our business verify the identity of clients? Do we have procedures in place to catch obvious warning signs, such as mismatched dates, address discrepancies and multiple incorrect login attempts?
- Does our business manually verify information, rather than relying solely on electronic documents, which are easier to manipulate?
- How are our employees trained in handling stressful “emergency” calls, so they can expedite assistance without falling into a criminal’s trap?
Businesses can also make use of the cybersecurity resources offered by the Department of Banking and Securities. More information is available on the department’s website, as well as through its Facebook and Twitter pages.