Just weeks after it was announced, the Equifax data breach has already resulted in multiple class action lawsuits, state attorneys general actions, and a renewed call to pass uniform, national data breach legislation.
On Sept. 7, the credit reporting company disclosed that up to 143 million Americans had their personal information—including names, Social Security numbers, birth dates, addresses and driver’s license numbers—revealed when hackers gained unauthorized access between May and July 2017.
The fallout has been fast, furious and continuing. Multiple putative class actions have already been filed across the country, with a pair of consumers in Oregon seeking “fair compensation” to ensure that those harmed by the breach will not be out of pocket for costs such as credit repair and monitoring services.
State attorneys general are on the case as well, with Massachusetts AG Maura Healey indicating her intent to file suit based on allegations that Equifax failed to maintain appropriate safeguards to protect personal information. “In all our years investigating data breaches, this may be the most brazen failure to protect consumer data we have ever seen,” she said in a statement. Similar sentiments—and legal intent—were shared by AGs in New York and Pennsylvania.
Lawmakers also took up the mantle. A bipartisan group of 36 senators sent a letter to the Department of Justice (DOJ), the Securities and Exchange Commission and the Federal Trade Commission (FTC) requesting an investigation into not just the breach but stock sales as well, as three company executives sold nearly $2 million worth of shares in Equifax after the company learned of the breach but before the news was made public.
Legislators have used the breach as a chance to revive the idea of national data breach notification legislation that would forgo the current patchwork of state laws for a single, uniform standard. “The hack was awful but then their response to the hack continued to show their incompetence,” Sen. Mark Warner (D-Va.) told The Washington Post. “This should be a new impetus to move.”
Equifax has been the subject of other activity on the Hill, with multiple hearings addressing the breach already scheduled and several bills in the works, including one from Sens. Ron Wyden (D-Ore.) and Jim Himes (D-Conn.) that would provide consumers with the ability to freeze and unfreeze their credit at no cost, as well as others that would amend the Fair Credit Reporting Act.
Demonstrating just how significant the call for action has become, the FTC actually confirmed that it is investigating the data breach—an unheard-of move by the agency. “The FTC typically does not comment on ongoing investigations,” Peter Kaplan, the agency’s acting director of public affairs, said in a statement. “However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”
Not to be outdone, both the DOJ and the Consumer Financial Protection Bureau have said they are also looking into the breach.
To read the complaint in McHill v. Equifax, Inc., click here.
Why it matters: The Equifax hack is believed to be one of the largest data breaches ever disclosed, and the reaction has been commensurate from private citizens, state and federal regulators, and lawmakers. As the fallout continues, the potential remains for additional oversight of the industry and data breach notification legislation.