A two-part analysis and action plan
Part One: There Oughta Be a Law!
By Russ Schrader, General Counsel and Chief Privacy Officer
Equifax had a data breach. Although it’s already caused the CEO to resign, the average American adult doesn’t care. Big box stores have names consumers know, and they’ve seen lots of breach notices. Customers know a merchant breach is the bank’s or credit card issuer’s problem. They don’t pay for fraudulent charges, thanks to regulations and “zero liability” policies. One call, new cards come, and we all carry on.
Half of those American adults should. And it’s a wake-up call for the other half.
This 2-part blog is for consumers, businesspeople, and politicos. The first part gives context and speculation on how the breach will play out in the courts, Congress, agencies, and state legislatures. The second part has advice for consumers, but especially for analysts and businesses trying to take informed action.
Starters to Know. Equifax is one of the Big Three credit bureaus, which means that you aren’t their customer. YOU are the Equifax product. Their business is knowing as much as they can about you. If you are in the unlucky one-half, crooks now have your financial identity. They know your name, address, birthday, SSN, and part of your credit history. Now they can take over your accounts, open new accounts in your name, file fake tax returns, change addresses, and reset passwords. It’s your problem. It’s one you may not even know you have, may not know how to fix, or may not be able to fix—new SSNs are few and far between. As a kicker, the US Government uses Equifax for some identity verification programs, so the integrity of those systems is also at risk.
Breaches are tricky to pull off and even more difficult to retrace and evaluate. Generally, much of what you hear in the beginning is wrong. It takes time to distinguish between the databases breached, the data accessed, and the data actually exfiltrated for illegal use.
So far, it looks like this breach was possible because Equifax didn’t follow one of the first rules of data security—keep software patches up to date. The Chief Information Officer and Chief Security Officer have retired, and more departures are likely to come. This is parallel to other breaches. Others didn’t follow another of the basic rules—know your vendors and control their access—and senior execs are gone.
PART ONE: Here’s what the government and the courts are doing about it, and how I think it will play out in the next few years:
Class Action lawsuits. Both the plaintiffs and defense bars have honed their skills here. An actual trial and appeal would be interesting to lawyers and law schools. For example, going through a traditional tort analysis, what duty does Equifax have to the entity that provided the data to Equifax (banks, insurance companies, employers) and what duty does Equifax owe to the consumer data subject (who has no idea who Equifax is)? Is there proximate cause for damages when there have been so many breaches of the same data from other sources? And what are the damages in a privacy case when there is no actual identity theft or out-of-pocket expenses? The real trial and appeal all the way up is not going to happen.
Don’t expect Equifax to roll the dice with a jury when it can write a check in three or four years. This year one retailer paid $18.5 million to 47 states. Last year another paid $19.5 million for a class action settlement. But those were breaches at endpoints of data like account numbers.
Instead, look at the Anthem insurance breach. That breach—like Equifax—involved names, birthdates, SSNs, addresses, and medical IDs. This is data that could be (but Anthem claims have not been) used in all the ways Equifax data could be used. Last month a judge gave preliminary approval for a record $115 million settlement. Anthem’s breach was of 78 million individuals (vs 143 million people reported by Equifax). It included up to $38 million in attorneys’ fees. Expect a larger 9-figure settlement in the Equifax case.
State Investigations. New York, California, Massachusetts, and Illinois are usually the first to announce investigations of a breach and lawsuits, and others then join in. This is already underway. Expect settlements in a couple of years. New York, in particular, has cybersecurity requirements for financial services companies which may be a separate ground.
Federal investigations. These will be broad and long.
- FTC under both its Section 5 Unfair or Deceptive Acts or Practices and its Fair Credit Reporting Act jurisdictions. This has been the default federal investigator of data breaches. And it just announced that in December it is holding a hearing on five different types of consumer injury in information breaches—new grounds for the plaintiffs bar as well.
- CFPB will be the bigger player. It has jurisdiction under Dodd-Frank, UDAAP (unfair, deceptive or abusive acts or practices) and FCRA authorities. But they have a bigger stick than the FTC: the strong ties between Equifax and the banks that feed and use consumer data every minute. The CFPB and its activist Director Richard Cordray will go directly after the financial institutions as well, under GLBA. Banks are “furnishers” of data under the FCRA, and Equifax is a key vendor of theirs for credit reporting and underwriting. The CFPB may argue the banks did not appropriately examine and supervise a vendor receiving some of their most sensitive information. Cordray’s tenure will end before the case reaches conclusion, and the President’s choice of a replacement will be interesting. This means the CFPB will act fast and hard.
- SEC. They have Reg SCI (Regulation Systems Compliance) standards that may have been violated, but the interesting part is $1.8 million in stock sales by senior execs, including the CFO, shortly after the breach was discovered but not made public. The execs deny knowledge of the breach, and the Department of Justice has a U.S. Attorney in Atlanta investigating. The fact that the SEC’s own EDGAR system has been hacked won’t buy any sympathy on the stock sales.
- Homeland Security and FBI. The amount of sensitive data compromised might be used to facilitate physical attacks against infrastructure or systemically important businesses, as well as blackmail and identity theft of high-profile individuals. Expect detailed investigations and countermeasures that may not become public. Investigation of what government approvals and clearance levels are based in Equifax data will also cause changes.
Congress. Is this the Big One? Will the Equifax breach do what major retailers, Anthem, and 500 million compromised records at Yahoo could not do—get Congress to pass legislation? The answer: No. At least not yet.
Congress will have multiple hearings, bills, taskforces, GAO studies, and others. The Equifax CEO goes to the Senate on October 3rd and to the House the next day. Congress will do everything they’ve done before in hearings, like asking whether executives “are guilty of insider trading, ignorance of their company’s flaws, or both.”
National breach notice and cybersecurity standards will be proposed again. The same arguments will be trotted out to oppose the bills:
- States have handled it (in a piecemeal, inconsistent fashion)
- Congress won’t add much without the politically difficult federal preemption
- Press creates the Walk of Shame since there isn’t much consumers can do when they get the notices
- No point in legislating technical standards that will be quickly outdated
- Banks and zero liability have already handled most consumer fraud; and
- Plenty of agencies are already doing the job.
The last one is the real issue. Which agency should fix it—the FTC or the CFPB?
The FTC could get specific, enhanced powers. But the FTC already is a skeleton at the top. Three of the five Commissioner slots are vacant. By law, two vacancies must be filled by Republicans and the other one by a Democrat. These require Senate approval, which may be problematic, even if the President actually proposed names.
The more effective way is to use the agency tasked with oversight of the FCRA and banks: the CFPB. But there is no love lost between the Administration, the Republicans, and the CFPB. (Google or Bing “Trump and Cordray.”) Even if relations improve with a new Director after Cordray leaves, both parties will be reluctant to have Congress reopen the FCRA and Dodd-Frank. Their concern is that what begins as a targeted fix (such as applying banks’ cybersecurity requirements to credit reporting agencies, banning fees for freezes, granting unlimited access to reports, and at a stretch offering an opt-in or opt-out to consumers) will turn into an excuse for major financial reform that drags on for a couple years. Look for the CFPB to push its authority and definitions against banks as the key to get more power over credit reporting agencies than the FCRA currently provides.
State Legislation. The real action to watch is state legislation. The FCRA has federal preemption for inconsistent provisions, but activist states will likely step in and try to do what federal legislation might. They will end up in a series of lawsuits regarding the extent of the preemption and whether their laws are “supplemental” or “inconsistent” and whether they are UDAP consumer protection or related to credit reporting. The new laws will be called “consumer protection” or “cybersecurity” to avoid preemption claims. Again, these will take years and likely end in settlements.
In Part Two of this blog “The Equifax Data Breach—What’s Next for Government, Business, and Consumers?” I will outline the implications for businesses and consumers and the actions they should take, as well as trends that will accelerate now that half of American adults have had their financial identities breached.
DISCLAIMER: The views expressed here are those of the author and not those of any current or former client or employer.
©2017 by Russ Schrader, all rights reserved