By Valerie Jones
Credit reporting company Equifax knew about the breach of their systems, but before they announced it:
- “Huge opportunity” to sell data fraud protection, said CEO in August
- Execs sold stock just before announcement of breach in September
- Hired firm to lobby for reduced penalties for companies found violating one of the federal laws protecting consumers, the Fair Credit Reporting Act (FCRA)
Equifax after the breach was announced on September 7:
- Directed consumers to fake site for information
- Charged consumers to freeze their credit reports until "howls of protest" forced them to stop, five days later
- CEO stepped down effective immediately (September 26), following the Chief Information Officer and Chief Security Officer, who left earlier in the month.
Watch the former CEO testify before the Senate Banking Committee October 4:
Read more below, but first because I need a break from the can't-get-worse-but-it-just-did news:
A few helpful tips from Matt and Maht, the interns in charge of Equifax's tech security. (They went to college.) https://t.co/D4Gjt6QHpr— Shouts & Murmurs (@tnyshouts) September 21, 2017
Levity aside: When the news hit in early September that credit reporting company Equifax had delayed announcing a breach that exposed consumers' credit and financial information from May to July of this year, angry consumers and politicians denounced the company.
October 3 update: Read "Lawmakers grill former Equifax CEO on breach response."
U.S. senator on Equifax hack: 'Somebody needs to go to jail' https://t.co/PDsSBMWs7r— FOX Business (@FoxBusiness) September 17, 2017
Capitalism (cap•i•tal•ism): Equifax harvests public data, profits from it, then charges $ to freeze accounts after a security breach.— Justin McCarthy (@jaymac1893) September 23, 2017
Wait. So @equifax wants you to pay extra for hacking protection when they can't protect themselves from being hacked?— terrycrews (@terrycrews) September 23, 2017
Equifax had known of the hack since late July, yet waited until September 7 to reveal the breach, which potentially affects 143 million people, more than half the U.S. adult population. On October 2, Equifax indicated another 2.5 million might be affected. Consumers are at risk of identity theft, as Social Security, driver's license and credit account numbers, passwords, income, addresses, birthdates and other identifying information could be readily available for sale on the black market (the so-called dark web) to thieves worldwide. Oh, and on September 21, we learned the hackers got payroll and W-2 information, too.
Read our blog post: The Equifax data breach and you
On the front page of the Wall Street Journal September 22, the article “Hack Upends Equifax CEO” reports that Richard Smith told an audience in August that data fraud is a “huge opportunity” for the credit reporting company to sell consumers more services. Smith’s comments were recorded on video at a University of Georgia Terry College of Business breakfast meeting. After much criticism and calls for investigation, Smith resigned effective September 26 and testified before the Senate Banking Committee. Watch excerpts from the testimony here and the full hearing here. The Wall Street Journal has this: "Senators Rip Credit Reporting Model in Wake of Equifax Breach."
Also in August, three Equifax executives sold $1.8M in stock. The company says they didn’t know about the breach, first identified on July 29, according to reports by the National Law Journal and Bloomberg News.
“The trades avoided the price plummet that followed the credit bureau’s public disclosure of one of the largest data breaches in U.S. history,” according to the Journal.
There have been many errors on my credit report over the years, so my confidence in the reporting agencies was pretty low to begin with, starting with trying to correct errors that somehow ended up on my report: I’ve never lived in Massachusetts, nor had a T-Mobile cell phone.
Add to that the research and programming on consumer credit/consumer protection topics we’ve conducted and covered on ALJ over the years and I just knew we were in for more trouble than the news of the breach initially indicated.
“The breach has shaken the trust of the public and lenders in the ability of one of the country’s largest credit-reporting companies to safely store and manage consumers’ data.” Two Top Equifax Executives to Retire, WSJ, Sat/Sun September 16/17, 2017.
Equifax, Inc. announced they noticed “suspicious network traffic” on July 29. A first attempt at a fix was met with more “suspicious traffic” the next day.
The credit reporting agency blamed the breach on a vulnerability in Apache Struts, the open-source web application framework, that the attackers used to access the data. Equifax says a patch was applied, but security experts say the update was applied late, applied incorrectly or was not enough. The distinction a practitioner draws here matters: a framework fix only takes effect once every application built on it has been rebuilt and redeployed with the fixed version and the old libraries are actually gone, so "we applied the patch" and "the exposed systems were no longer vulnerable" are two different claims. Read more in the aptly titled WIRED magazine article "Equifax Officially Has No Excuse."
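To make that "applied" versus "effective" distinction concrete, here is an added example that is not part of the original article and not Equifax's own tooling: a small Python audit that checks both what a Maven build declares for Apache Struts and what is actually sitting in a deployed WEB-INF/lib directory. The sample pom.xml and jar listing are constructed for this example, and the 2.3.32 floor is an assumed threshold for illustration only; the real minimum version comes from the Apache Struts security bulletin for the advisory being patched.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not from any real project). The build declares
# a patched Struts version through a property, the way many Maven builds do.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>2.3.34</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed listing of a deployed WEB-INF/lib directory. The plugin jar was
# replaced, but a stale struts2-core jar was never swapped out on this host.
SAMPLE_WEBINF_LIB = [
    "WEB-INF/lib/struts2-core-2.3.30.jar",
    "WEB-INF/lib/struts2-rest-plugin-2.3.34.jar",
    "WEB-INF/lib/commons-lang3-3.5.jar",
]

# Assumed threshold for this example; take the real floor from the Struts
# security bulletin for the advisory you are patching.
ASSUMED_MIN_FIXED = "2.3.32"

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
JAR_RE = re.compile(r"(struts2-[a-z0-9-]+?)-(\d+(?:\.\d+)+)\.jar$")


def parse_version(v):
    """Turn '2.3.30' or '2.5.10.1' into a tuple of ints for ordering."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def resolve_property(value, props):
    """Expand a single ${name} reference against the <properties> block."""
    m = re.fullmatch(r"\$\{([^}]+)\}", value.strip())
    return props.get(m.group(1), value) if m else value.strip()


def struts_versions_in_pom(pom_xml):
    """Return {artifactId: version} for every org.apache.struts dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    found = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if dep.findtext("m:groupId", default="", namespaces=NS) != "org.apache.struts":
            continue
        art = dep.findtext("m:artifactId", default="", namespaces=NS)
        # A missing <version> (e.g. managed by a parent BOM) resolves to "",
        # which parse_version turns into () and audit() then flags as unverified.
        ver = dep.findtext("m:version", default="", namespaces=NS)
        found[art] = resolve_property(ver, props)
    return found


def struts_versions_on_disk(paths):
    """Return [(artifactId, version)] from deployed jar file names."""
    return [(m.group(1), m.group(2)) for m in map(JAR_RE.search, paths) if m]


def audit(pom_xml, deployed_paths, min_fixed):
    """Compare declared and deployed Struts versions against a fixed-version floor.
    Returns (artifact, where, version, ok) tuples; ok is False for anything
    below the floor or with no parseable version at all."""
    floor = parse_version(min_fixed)
    results = []
    for art, ver in struts_versions_in_pom(pom_xml).items():
        results.append((art, "pom", ver, parse_version(ver) >= floor))
    for art, ver in struts_versions_on_disk(deployed_paths):
        results.append((art, "deployed", ver, parse_version(ver) >= floor))
    return results


def effectively_patched(results):
    """True only if every declared AND every deployed artifact clears the floor."""
    return bool(results) and all(ok for _, _, _, ok in results)


if __name__ == "__main__":
    findings = audit(SAMPLE_POM, SAMPLE_WEBINF_LIB, ASSUMED_MIN_FIXED)
    for art, where, ver, ok in findings:
        print(f"{'OK ' if ok else 'BAD'} {where:8} {art} {ver}")
    print("effectively patched:", effectively_patched(findings))
```

The pom reports both artifacts as patched; the deployed listing shows struts2-core still at the old version, so the audit reports the host as not effectively patched. Checking only the build file, or only one jar, is how a patch gets recorded as applied while the vulnerable code keeps serving requests.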
Consumers were told by the company to go to the data breach information website www.equifaxsecurity2017.com and enter their last name and the last few digits of their Social Security number. There you could see if you were potentially exposed, though security researchers said even that website was vulnerable and possibly compromised. In yet another forehead-smacking instance, Equifax's own support account directed consumers to a fake look-alike site in three separate tweets, as reported by NPR.org on September 21.
And this from The Hill:
If consumers actually did get to the “right” website and were informed their data might be at risk, Equifax offered a free, one-year credit monitoring service, their own “Trusted ID Premier.” Initially, the fine print indicated your only recourse should you want to pursue legal action (possibly participate in a class action) was forced arbitration. The American Bar Association and New York Attorney General Eric Schneiderman reported that on September 12 after pressure from legislators and the public, Equifax removed the arbitration clause.
Law.com (Before breach, lobbied to limit class-action damages) and The Washington Post (Before the breach, Equifax sought to limit exposure to lawsuits) report Equifax, months before the breach, hired a lobbying firm to reduce penalties for companies found violating one of the federal laws protecting consumers, the Fair Credit Reporting Act (FCRA). The FCRA requires agencies that furnish credit reports to “maintain reasonable procedures” to avoid identity theft and give consumers access to their credit records. The law offers per-violation damages that could be easier to prove than actual damages, but according to the WSJ is "little tested in the area of data-breach litigation."
The Federal Trade Commission, Federal Bureau of Investigation, Consumer Financial Protection Bureau and Congress are investigating the breach; the Department of Justice and the Securities and Exchange Commission (SEC) are scrutinizing the alleged insider trading, among other wrongdoing.
Now that the forced arbitration clause has been removed from the optional enrollment in Equifax's “Trusted ID Premier,” consumers are not blocked from seeking a legal remedy. There are currently two potential avenues:
Consumer class action
As of the end of September, more than 100 consumer class actions have been filed across the country. The consolidated cases are In re Equifax Inc. Data Breach Litigation, MDL No. 2800, U.S. Judicial Panel on Multidistrict Litigation. Consumers are included unless they opt out.
These consumer lawsuits seem to be mostly relying on the FCRA. But according to the American Bar Association (ABA), one previous data breach case against credit reporting agency Experian using the law was thrown out by a federal judge, and another matter in the Supreme Court did not conclude favorably for consumers. Other claims are pending.
The legal questions as summarized by the ABA are:
- How the FCRA applies to data hacks, and
- Whether consumers who don’t suffer financial repercussions have standing to sue.
One law firm says the Equifax hack could end up being the largest class action in history, possibly as much as $70 billion.
But what "piece of that pie" would go to consumers? Administering a class action is costly for law firms up front, but it can bring them significant revenue if, and only if, they succeed. So, for those who begrudge them their fees: know that it is a risk they take and a great deal of work.
That being said, it's not reassuring to read the article "Legal Experts See Room for Deal in Equifax Data Breach Lawsuits" in Insurance Journal. Those quoted in the article say Equifax may end up spending an average of $1 per person for credit monitoring and out of pocket expenses for the 143 million consumers whose data was exposed. That's a far cry from the federal law that "carries damages of as much as $1,000 per violation, plus punitive damages." Many consumers are already out of pocket themselves for credit freezes and signing up for monitoring from other companies (though buyer beware, at least one monitoring service from a well-known company uses data from ... wait for it ... Equifax).
Federal & State actions
Federal lawsuits and complaints by state attorneys general, filed on behalf of consumers, are underway; New York, Pennsylvania and Connecticut have filed, and more will likely file in the days and weeks to come.
Update: The Wall Street Journal (sub.req.) in "States Quiz Equifax on Disclosure" reports October 30 that there are attorneys general in at least five states pursuing action: Illinois, Connecticut, Indiana, Massachusetts, and New Hampshire. Forty-eight states, reports the article, have "laws requiring notification" of consumer breaches, usually within 45 days.
These suits, too, rest on the FCRA, and the open questions summarized by the ABA are the same ones facing the consumer class actions: how the FCRA applies to data hacks, and whether consumers who have not (yet) had their identity stolen or suffered financial repercussions have standing to sue.
The hurdle for plaintiffs, in most cases, is the requirement that there be a concrete injury that can be redressed. “But more courts are warming to the idea that even the threat of identity theft—and the aggravation, distress and cost of containing the risk—can cause harm” that gives plaintiffs standing to sue, the article says. A data breach case currently in litigation, cited in the article, involves a health insurance company and may end up at the Supreme Court.
Members of Congress were quick to issue sharply worded statements condemning not only the breach but the actions - and inactions - of Equifax.
- Rep. Ted Lieu (D-Calif.) told the Washington Post that he is drafting two bills: one creating minimum data security standards for the credit reporting agencies and the other barring companies from forcing victims into arbitration instead of other legal remedies (think class action).
- Senator Mark Warner (D-Va.), also in the Washington Post, says he’s working on a data breach notification bill that would require companies of all kinds to notify customers whose information was breached within a narrow timeline.
- The House Financial Services Committee is investigating the August 21 “options trading” by the three Equifax executives.
- The Senate Banking Committee hearing is October 4; former CEO Richard Smith is expected to testify despite his resignation on September 26.
There’s something new every day, though there are indications this may be influenced by party politics. Watch the news from all perspectives to learn more.
If you need a little perspective from the Senate Banking hearing with former CEO Smith, check this out:
Monopoly Man's not the consumer's champion here, but maybe our legal system will be. While the DOJ and SEC investigate the alleged insider trading, legal minds are discussing how best to hold Equifax accountable.
Danielle D’Onfro, a lecturer in law at Washington University in St. Louis, provides context in commentary published in the Washington Post.
“Imagine a chemical company accidentally disperses toxic gas over a neighborhood. Instead of telling residents right away, the company waits six weeks, breaking the news only after putting up a crisis-management website. Rather than directly informing everyone affected, the company tells citizens to enter their address online to see if they were in the exposure area.
The company offers a year of health monitoring to those who register within a narrow time window, but has no plan to compensate those whose monitoring reveals bad news. Those who don’t sign up for monitoring on time are on their own.
Now imagine that there is a government official, a judge, who is supposed to help hold the chemical company accountable — and has all of the tools to do so — but this official waits for a different government official, a regulator, to take the lead. Because there are no laws about this exact kind of gas leak, the judge decides that the chemical company doesn’t owe anybody anything.”
D’Onfro concedes that having your financial data compromised may seem less threatening than exposure to toxic gas. But, she says, this breach could cause substantial harm affecting consumers’ lives every day. Buying a house or taking out a home equity or other loan to pay college tuition could be delayed or denied, all because identity thieves racked up enormous amounts of debt. It could take years for consumers to get their identities back.
More than 50 years ago, D’Onfro points out, the legal system developed the doctrine of “strict products liability,” derived from the tenets of common law. In the evolving economy, it was becoming more difficult to pinpoint whether a manufacturer, distributor, wholesaler or seller had been negligent in a way that caused physical or financial injury.
It was judges who applied the doctrine, by then codified into law, under which “manufacturers, distributors and sellers are liable for any injury their products cause, regardless of how well-designed the product is or who is ultimately responsible for the harm.”