Effective April 1, 2019, the AmTrust Workplace website for your Employment Practices Liability (EPLI) coverage written with your Package, BOP or Workers' Compensation policies is being updated to a new name, AmTrust Employment Risk Solutions, and a new URL, AmTrust.EmploymentRiskSolutions.com. Your existing user credentials will remain in effect and can be used to log in to the new site. Please contact The McCalmon Group, Inc., platform administrators, 888-712-7667, if you have any trouble with registration.

AmTrust Workplace
print   email   Share

Lessons Learned From The Equifax Data Breach

Equifax will pay between $575 million and $700 million to settle all claims related to the data breach it experienced in 2017. Plaintiffs include the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories.

The FTC alleged that the credit reporting company failed to take basic steps to "secure the massive amount of personal information stored on its network." The FTC also accused Equifax of violating the Gramm-Leach-Bliley Act.

Equifax learned of a critical security vulnerability affecting its ACIS database in March 2017. According to the FTC, although Equifax's security team ordered the vulnerabilities be patched, the organization did not follow up to check that employees carried out the order.

In July 2017, Equifax learned that the database had not been patched when its security team detected suspicious traffic on the network. An investigation found that multiple hackers exploited the ACIS vulnerability to breach Equifax's network, access an unsecured file with administrative credentials in plain text, and then steal vast amounts of consumer personal information.

The hackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates.

As part of the settlement, Equifax will pay $300 million to provide credit monitoring services to those affected by the 2017 breach. This fund will reimburse victims who purchased credit or identity monitoring services from Equifax or had other out-of-pocket expenses because of the breach. If $300 million does not cover the reimbursements, Equifax agreed to add $125 million to the fund.

Beginning in 2020, Equifax will provide all U.S. consumers six free credit reports annually for seven years. Equifax must also improve its data security in the future.

Equifax will pay civil penalties in the amount of $175 million to 48 states and two territories and $100 million to the CFPB. "Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach" ftc.gov (Jul. 22, 2019).


According to the chairman of the FTC, "companies that profit from personal information have an extra responsibility to protect and secure that data." If your organization uses or stores customer data for any reason, you must implement strong cybersecurity protections and practices to keep that data secure.

The complaint against Equifax accused it of failing to do the following: 1. implement a policy to ensure that security vulnerabilities are patched; 2. segment its database servers to block access to other parts of the network in the event of a breach; 3. install robust intrusion detection protections for its legacy databases; and 4. encrypt network credentials and passwords, as well as Social Security numbers and other sensitive consumer information.

However, the most important issue was that someone failed to follow through with patching the system, and no one checked their work.

Avoid committing these mistakes in your organization. Segment your database servers and install strong cybersecurity protections. Require IT and other employees to immediately install updates whenever they are available. Have a policy requiring encryption of all sensitive information, such as administrative credentials and customer personal data.


The settlement that Equifax agreed to requires it to take the following cybersecurity measures: 1. designate an employee to oversee the information security program; 2. conduct annual assessments of internal and external security risks and implement safeguards to address potential risks; 3. test and monitor the effectiveness of the security safeguards;

4. ensure service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data; and 5. have a third-party assess its information security program every two years.

All organizations that collect and store customers' personal information should consider the above practices.

Finally, your opinion is important to us. Please complete the opinion survey:

Are you a new user?

Register Here


Retrieve Password

Recent News

Cybercriminals Target Seniors: What Employers Should Know

With cybercriminals stealing $40 billion annually from seniors, everyone needs to know how to protect themselves and the older adults they know. We examine. Read More

Drive-By Downloads: A New Way For Malware To Infect Your Phone Or Computer

Some malware requires no action on your part to infect your device. Learn how to protect yourself from this type of attack. Read More

Worm Risks Highlight The Need For Fast Patching

A million computers remain vulnerable to the BlueKeep flaw, even though Microsoft released a patch. Read why you must keep devices updated, and what can happen if you don't. Read More

Recent Articles

Cybercriminals Target Seniors: What Employers Should Know

With cybercriminals stealing $40 billion annually from seniors, everyone needs to know how to protect themselves and the older adults they know. We examine. Read More

Managing Hearing-Impaired Employees: Avoiding ADA Risk

The EEOC settles a disability discrimination lawsuit with a large retailer who refused to provide reasonable accommodations to deaf employees. We examine. Read More

Fraud In Procurement: Criminal And Civil Exposures

An ex-CEO is charged with four counts of making false statements to obtain government benefits. Learn about the statutes that regulate the risk. Read More