Follow ACC Docket Online:  

This Week in Privacy: Were You a Victim of the Equifax Breach?

"This Week in Privacy” is a new column for in-house counsel who need advice in the privacy and cybersecurity sectors. K Royal is a director at TrustArc. To have your legal privacy questions answered, email with “This Week in Privacy" in the subject line.

Q:  I am sure I am a victim of the Equifax breach, but how would I know for sure and what would I do? As an employer, is there anything I should tell my employees?

A: With over 143 Million individuals impacted, it is likely that you or someone you know is impacted by this breach. Equifax has launched a website to check your chances. Enter the last 6 of your SSN and last name. It will tell you if your information is believed to have been compromised and if so, directs you straight to their system to sign up for free monitoring. Once you complete that step, you will get an on-screen confirmation that your information has been received and is being processed. Then:
“You will receive an email with a link to finalize your enrollment and activate your product. Please be patient. Due to the high volume of requests, emails may be delayed. If you have not received your email within a few days, please check your spam and junk folders.”
However, Equifax will not call you to alert you. By data breach notification requirements, if over a certain number of people are impacted, generally a thousand or 2000, the company can elect alternative means of notification, which can generally include notice to public media. Given the news on this and the action Equifax has taken, pretty much everyone has received notice.

Signing up on their phone process is proving to be unwieldy and not successful. Signing up online seems to be hit-and-miss with the eligibility site (whether you are impacted or not) and provides inconsistent responses. Assume you are impacted and decide whether to sign up. It apparently should take some time to get confirmation of sign up, and I do not have it yet after 20 minutes or so.

So, freeze your accounts where possible. Pull credit reports to check what is on there. There are free credit reports allowed once per year from each credit bureau and permitted if you were turned down for a job, home, or loan based on a credit report. It’s generally a good idea to simply pull one every four months. However, use all available avenues to review what is on your report and make sure it is clean. Using services like Credit Karma, that show you what is on your report and how many inquiries you have is also good. To be thorough, you can also pull the reports on your kids’ social security numbers to see if someone has misappropriated their numbers.

As for your employees, like any emergency, you want to get the right information in their hands. You may have no obligation to do this, but their peace of mind means better productivity — and if they do find fraud, they will have a lot of stress ahead. Perhaps your company has Legal Shield as a benefit available to your employees. It’s like health care, but for legal matters — employees pay a small premium, generally less than US$10 a month, and have lawyers on call when there is a need.

There are also scammers who claim to be Equifax calling you for notification and ask for verification information. Remember: Equifax won’t call you. There is also a fake website, purportedly just designed to see if Equifax would catch it. Once entered, it’s clear that the website is fake to demonstrate that Equifax was still not taking appropriate steps.

Moral of the story: You must be aware of what is happening with your own credit health, and when there is a problem, you must be proactive and take reasonable measures to address it.

About the Author

K Royal is a technology columnist for, and director at TrustArc. @heartofprivacykroyal

The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.