5 Things to Know About the First Wave of Equifax Actions

A major theme in the suits will be how Atlanta-based Equifax, whose entire business as a credit reporting agency is to maintain personal and confidential data on individuals, wasn't prepared for hackers who have hit retailers and health care companies for that same information.

“The product this company trades in is the type of data that thieves want,” says Brian Gudmundson, a partner at Zimmerman Reed in Minneapolis who has served in lead counsel roles in litigation over data breaches at Arby's, Wendy's, Target and Home Depot. “They would certainly have to be under the highest level of security that there could possibly be and yet they seem to be a subject of a breach for a period of time that lasted almost two months and didn't disclose it until a month and a half after they heard of it to the tune of 143 million — half the population of the United States. That's a red flag. That's a huge red flag.”

It's a point that wasn't even lost on Equifax.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Equifax CEO Richard Smith said in a statement on September 7. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”

The company's own actions have done little to calm the fears of consumers. Meiselas says his firm was getting thousands of calls by the hour after the breach became public. He says Equifax's “horrible response” is “a teaching moment of how not to respond when there is a data breach like this.”

Here are five key takeaways about the Equifax actions in the immediate wake of the breach revelation:

1. What Equifax should have known: What did Equifax know — and when did it know — about its own security risks? “While the events that led to the Equifax breach are now unfolding, early reports suggest that Equifax didn't have proper practices in place and was operating without a cybersecurity vice president until recently,” says Eric Gibbs, a partner at San Francisco's Girard Gibbs who had a lead role in the Anthem data breach litigation.
2. How long it took Equifax to disclose the data breach: The actual breach went on from May to July, but Equifax didn't find out about it until July 29. Then it didn't announce it to the public until September 7. “Waiting a month, or a month and a half, or two or to five months, seems really unreasonable,” Gudmundson says. “This isn't necessarily people's credit cards that people can cancel. This is everything.” Equifax acknowledged that speed was of the essence, noting that it “promptly engaged” a cybersecurity firm and contacted law enforcement authorities once it knew about the breach.
3. How Equifax responded: Most of the 143 million affected by the Equifax breach don't even know the company has their information. To find out, Equifax has provided a website to help consumers sign up to a program called TrustedID Premier. “What Equifax isn't telling people is that it owns TrustedID, and that TrustedID's growth is part of its longer-term business plans,” Gibbs says. By September 8, many consumers had taken to the Internet to complain that they had to provide six digits of their Social Security number and then sign an arbitration agreement in which they agreed to waive their right to participate in a class action. Schneiderman, in a Twitter post, called the language “unacceptable and unenforceable.” Equifax has since clarified on the website that the class action waiver “applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.”
4. Allegations that executives sold shares: Press reports on NPR and in the Washington Post said three Equifax executives sold nearly $2 million in stock in August. That's just after the company says it became aware of the breach. But Equifax has insisted in a statement that the three executives didn't know about the breach at the time. “That's always highly, highly concerning,” Gudmundson says. “Sometimes, where there's smoke, there's fire. But sometimes, it's something as innocent as school starting and people needing money for college tuition. That's certainly an angle that's worth exploring.”
5. What was stolen: Equifax has insisted that there was “no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.” Although credit card numbers for about 209,000 consumers were accessed, most of the data at risk involved names, Social Security numbers, birth dates and addresses. Many federal judges have ruled that fraudulent charges on one's credit card or other costs are economic injuries that plaintiffs can use to establish standing to sue over data breaches in federal courts — but identity theft isn't one of them. Plaintiffs' lawyers were undeterred, noting that some judges have begun to rule differently. “We obviously believe in the line of cases that says that's a redressable claim and confers standing,” Gudmundson says, “but it's difficult to say how a court might come out.”

*****
Amanda Bronstad writes for The National Law Journal, an ALM sibling of Cybersecurity Law & Strategy. She can be reached at [email protected]. On Twitter: @abronstadlaw.