Equifax breach will spark regulatory scrutiny of credit reporting industry

Credit Report

8 September 2017. By Mike Swift and Xiumei Dong.

The data breach of credit reporting agency Equifax exposed the personal information of about 143 million people, a fraction of the more than 1 billion Yahoo accounts breached last year. So at first glance, Equifax might seem to be a smaller problem.

That would be an incorrect assumption.

Because of the sensitivity of the data exposed — the hackers' haul included Social Security numbers, driver's license numbers and credit card numbers — there is good reason to think the Equifax breach will turn out to be more serious and damaging than the previous breaches of Yahoo, the retail chain Target and health insurer Anthem.

The regulatory and litigation impact, not just for Equifax but potentially for the entire consumer credit rating industry, is already significant. It is too soon to know what the impact will be on consumers, who face the threat of identity theft and other fraud if their Social Security numbers and other identifying documents are sold to fraudsters on the dark web.

Within hours of the breach being revealed Thursday, class-action litigation had been filed against Equifax in federal courts in multiple states, litigation likely to be consolidated at some point by the US Judicial Panel for Multidistrict Litigation. A suit filed in US District Court in Atlanta, the headquarters of Equifax, noted that "Equifax executives sold at least $1.8 million worth of shares before the public disclosure of the breach."

Members of Congress have already announced hearings, and at least four state attorneys general have launched investigations. In Congress, the breach sparked renewed calls for a national data breach law to replace the existing patchwork of 48 separate state data breach laws.

Equifax will face intense scrutiny from regulators and plaintiffs' attorneys about the quality of its cyber-defenses and why hackers were able to evade those defenses for more than two months, extracting data on nearly half the population of the United States before they were detected. The company will have to satisfy regulators about the delay between the time it learned it had been breached on July 29 and public revelation of the news on September 7.

But the regulatory and legislative spotlight also likely will broaden beyond just Equifax to possible changes in laws governing the consumer credit rating industry.

The Equifax breach "raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans," said Senator Mark Warner, a Virginia Democrat who is cofounder of the Senate Cybersecurity Caucus.

Regulatory Scrutiny

Equifax faces tens of millions of dollars in legal fees to defend itself, even if regulators and courts ultimately determine that it violated no laws. One member of Congress on Friday called for Equifax to abandon its forced arbitration clauses in its terms of use, which may block breach victims from pursuing claims against the company in court.

While Equifax said it believes no personal information was exposed for consumers outside the United States, it did acknowledge there were attempts to access the information of consumers in the United Kingdom and Canada. As a result, the company's regulatory headaches will extend to those countries.

The breach drew the attention of the attorneys general of New York, Illinois, Connecticut and Pennsylvania — several of the most active states for data breach investigations.

Connecticut and Illinois, for example, led the investigation of the Target data breach in 2013. That investigation concluded earlier this year with the largest multi-state settlement of a data breach investigation to date, with the retailer agreeing to pay $18.5 million to settle claims that its substandard security led to a data breach that exposed the payment card data of about 41 million people.

A spokeswoman for the US Federal Trade Commission, citing agency policy, declined to say whether the enforcer had launched an investigation. However, it is almost unthinkable that the FTC would not investigate.

Litigation

Consumers have brought at least two proposed class-actions against Equifax, alleging the company was negligent in failing to protect consumer information from the data breach. Other suits are likely to follow.

Oregon residents Mary McHill and Brook Reinhard are seeking up to $70 billion in damages from Equifax in a suit filed Thursday in Portland. "In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect Ms. McHill and Mr. Reinhard's information from unauthorized access by hackers," the plaintiffs said in the complaint.

And in Equifax's home state, Georgia, two plaintiffs claimed Equifax could have prevented the data breach and that it failed to timely notify the consumers. "Equifax had the resources to prevent a breach, but neglected to adequately invest in data security, despite the growing number of well-publicized data breaches," the complaint said.

The Georgia lawsuit accuses Equifax of negligently failing to properly secure and safeguard consumers' personally identifiable information, thereby violating the US Fair Credit Reporting Act and Georgia's Fair Business Practices Act.

Anthem recently agreed to pay a record $115 million to settle litigation over a data breach that affected about 80 million subscribers. But while the Anthem breach led to a record litigation settlement, and the Target case led to a record state settlement, the facts in the Equifax breach suggest the potential for an even bigger exposure for the credit rating agency.

In the Anthem case, hackers operating from China broke through the health insurer's defenses, remained inside undetected for months, and ultimately stole Social Security numbers and other personal information, an expert report for the plaintiffs said. In the Target breach, about 110 million consumers were affected, but the most damaging information stolen was credit card data.

The Equifax breach would appear to include elements of both of those breaches, with the company acknowledging that hackers had access to its systems for a prolonged period, allowing them to steal credit card information as in the Target breach, as well as Social Security numbers as in the Anthem breach.

The Equifax breach also affected more people. It "has potentially exposed sensitive personal information of nearly everyone with a credit report, and my office intends to get to the bottom of how and why this massive hack occurred," said New York Attorney General Eric Schneiderman.

Privacy report