As news outlets around the world have reported, the Equifax data breach from mid-May through July resulted in the exposure of sensitive personal information of more than 143 million American consumers. Although this may not be the largest data breach ever, it has been regarded as one of the most significant breaches because of the sensitive information at risk: Social Security numbers, driver’s license numbers, addresses, and more.
The Federal Trade Commission (FTC) confirmed this month that it is “actively investigating” the data breach due to the “intense public interest and potential impact” of the breach. The breach is also being investigated by the Department of Justice, Consumer Financial Protection Bureau, and the Securities and Exchange Commission. The investigations were the result of action by multiple senators and legislative committees highlighting the severity of the breach and the deficiencies of Equifax’s response, as well as threats by several states to bring suit against Equifax.
Senator Mark Warner (D-Va) sent a detailed letter to the acting head of the FTC calling for the investigation and for the agency to scrutinize Equifax for the security lapses and its poor handling of customer service after the breach was disclosed. Specifically, Sen. Warner has stated: “The hack was awful but then [Equifax’s] response to the hack continued to show [Equifax’s] incompetence. This should be a new impetus to move.”
The investigations are expected to involve the alleged errors by Equifax leading up to the breach and in handling the breach. In addition to the company’s alleged cyber vulnerabilities that led to the breach, the investigations will also include potential insider trading by Equifax executives more than a month before the breach was made public and ambiguous language in Equifax’s Terms of Service purporting to waive a consumer’s right to sue the service.
Most importantly, the FTC’s investigation of the Equifax breach could provide momentum for Congress to act on federal data privacy legislation. Although advocates and elected officials have long pushed for this legislation, the efforts have proved unsuccessful in recent years. Sen. Mark Warner has stated that he is working on efforts to pass a data breach notification law requiring companies to notify customers about a breach within a certain narrow time frame. Given the scope of the breach, and Equifax’s response, this may be the final straw to prompt a definitive reaction from Washington.