The report also criticizes Equifax for not properly saving records of internal conversations about the breach. Employees used an internal chat service called Microsoft Lync, which was set to not preserve conversations. Although this is a typical data retention practice, companies often adopt different standards surrounding events that may lead to legal action, specifically enacting a “legal hold” on any employee conversations about the incident.
“During its investigation, the Subcommittee learned that Equifax employees conducted substantive discussions of the discovery and mitigation of the data breach using Microsoft Lync, an instant messaging product,” the report says. “After discovering the data breach on July 29, 2017, Equifax did not issue a legal hold for related documents until August 22, 2017. Despite the legal hold, Equifax did not change the default setting on the Lync platform and begin archiving chats until September 15, 2017.”