In one of the most significant data breaches ever, on September 7, 2017, Equifax, one of the major U.S. credit reporting agencies, announced that hackers exploited a U.S. website application vulnerability in May, gaining access to the personal data of some 143 million people. The response from federal and state agencies, Congress, industry, and private litigants has been swift, and in an unusual move, the Federal Trade Commission (FTC) publicly disclosed that it opened an investigation. In addition, in the days following the attack, critics argued that Equifax could have prevented the breach. They allege that the company knew about the vulnerability in its Apache Struts web application in March, when a patch was made available, but failed to update and secure its system. News also emerged that Equifax experienced a breach of its human resources and payroll system one year ago. The company announced that the chief executive officer retired today, less than three weeks after the breach was reported.
The bad news for Equifax keeps getting worse. Several Equifax executives reportedly sold off nearly $2 million in company stock shortly after the breach occurred. The timing of the sales, when the public wasn't informed of the attack until six weeks later, has raised further questions about the company's response. And, while Equifax established a website in response to the breach so consumers could register for assistance, media outlets reported on an array of problems when customers tried to freeze their credit. Reports also indicate that the company's social media team directed consumers to a dummy site set up by a security researcher. According to the researcher, the use of a generic URL indicates that Equifax was insufficiently prepared to respond to a breach (the company's website is equifaxsecurity2017.com, while the researcher's site was securityequifax207.com).
Reaction has been strong, and continues to gain momentum. A business coalition that includes the National Retail Federation and nine other associations sent a letter to congressional leaders on September 12, 2017, urging prompt action on federal data breach legislation. The FTC's probe comes shortly after Acting Chair Maureen Ohlhausen received a letter from Sen. Mark Warner urging an investigation intoEquifax's data security practices. Senator Warner expressed special concern about the "number of security lapses, including in the days following Equifax's disclosure of the breach, that potentially indicate a pattern of security failings," and its inadequate customer service response. A bipartisan group of 12 senators also sent a letter to the heads of the FTC, Department of Justice, and Securities and Exchange Commission, calling for an investigation into the sale of stocks by Equifax executives after the breach occurred.
Other members of Congress have also reacted strongly to the breach. For example, Senate Minority Leader Chuck Schumer (D-NY) described the Equifax breach as "one of the most egregious examples of corporate malfeasance since Enron." Schumer called for the company's CEO and board to step down unless they take five specific steps to correct the situation.
Several bills are either in the works or have been introduced:
- Sen. Mark Warner (D-VA) is working to revive an earlier data breach notification bill.
- Rep. Ted Lieu (D-CA) is preparing two bills in response to the Equifax breach. One would create minimum data security standards for credit reporting agencies, and the other would bar companies from forcing victims of data breaches into arbitration.
- Sens. Ed Markey (D-MA), Richard Blumenthal (D-CN), Sheldon Whitehouse (D-RI) and Al Franken (D-MN) introduced a bill (S. 1815) that would require data brokers that sell sensitive information to develop comprehensive privacy and security programs, direct the FTC to write new security rules for data brokers, and let consumers access information that data brokers store about them to correct any inaccuracies.
- Sen. Ron Wyden (D-OR) introduced a bill (S. 1810) that would give consumers the ability to freeze and unfreeze their credit at no charge.
- Rep. Jim Himes (D-CN) introduced a bill (H.R. 3766) that would require credit agencies to let anyone request a security freeze after a breach and let those whose information was compromised request unlimited freezes.
- Sens. Elizabeth Warren (D-MA) and Brian Schatz (D-HI) introduced legislation (S. 1816) requiring data brokers to freeze consumers credit reports free of charge and restrict their ability to profit from data during the freeze, while also enabling consumers to access their credit reports for free.
In addition, several congressional committees have announced that they will hold hearings on the Equifax, although no dates have been scheduled.
At the state level, several class action lawsuits have been filed, and some state attorneys general (AGs) have weighed in. Massachusetts AG Maura Healey is the first AG to file a lawsuit against the company. Earlier, New York AG Eric Schneiderman required Equifax to confirm that consumers who elect to enroll in the company's free credit monitoring and identify theft protection products being offered in connection with the breach will not be required to waive their legal right to a class action lawsuit and submit to mandatory arbitration.
As data breaches continue to take center stage, FTC Acting Chairman Ohlhausen recently addressed the Federal Communications Bar Association and delved into the issue of consumer injury caused by privacy violations and data security lapses. Ohlhausen discussed as examples recent FTC enforcement actions against Uber, TaxSlayer, and Lenovo, and three cases enforcing companies' obligations under the EU-US Privacy Shield agreement
Among the injuries alleged in FTC enforcement cases involving data security lapses are deception that undermines consumer choices, financial harm, health and safety injury,unwarranted intrusion, and reputational harm, although Ohlhausen stressed that not all of these types, standing alone, would justify FTC enforcement action. Ohlhausen closed her remarks by announcing a workshop to be held on December 12, 2017, designed to bring stakeholders together to explore the issues of consumer injury stemming from data breaches. Topics include:
- How to better identify the different types of injury to consumers and businesses from privacy and data security incidents;
- Developing frameworks for quantitatively measuring such injuries and estimating the risk of their occurrence;
- Improving the FTC's understanding of how consumers and businesses weigh injuries and risks when evaluating the tradeoffs to sharing, collecting, storing, and using information; and
- Better informing the FTC's case selection and enforcement choices.
The FTC will post additional information about the event shortly. In the meantime, the fallout from the Equifax breach will continue to garner attention and to influence the public policy debate about security standards, the role of credit reporting agencies, and how to evaluate potential injury or harm from a breach.