Literally everyone should be thinking about suing Equifax
Equifax, a credit-checking company that holds sensitive data belonging to over 140 million people, didn't just have one of the worst security breaches in American history; it also handled the situation like a drunk teenager trying to hide the aftermath of a particularly destructive house party.
If you're not up to speed, the company found out about the breach on July 29, and waited until the night of September 7 to drop an 8-K, a government filing meant to inform investors of a material event, announcing the matter. In the meantime, the company's CFO managed to sell shares (the stock is currently down 13% post-report). Finally, to add insult to injury, the company asked customers to check whether or not their information had been hacked by entering their social security numbers.
What's more, as one attorney warned, if customers access the site to check if their info was stolen, they may be accidentally agreeing to settle the matter through arbitration, rather than a class action lawsuit.
So again, who should be mad at Equifax? Everyone, and for different reasons. I shall list them here.
As Equifax disclosed in its annual report (emphasis ours):
The Federal Trade Commission Act ("FTC Act") prohibits unfair methods of competition and unfair or deceptive acts or practices. We must comply with the FTC Act when we market our services, such as consumer credit monitoring services offered through our Global Consumer Solutions unit. The security measures we employ to safeguard the personal data of consumers could also be subject to the FTC Act, and failure to safeguard data adequately may subject us to regulatory scrutiny or enforcement action. There is no private right of action under the FTC Act.
So someone at the FTC should be working on this lawsuit, and so should Congress. There should be hearings and a survey of the damage, and a bunch of self-righteous anger. Congresswoman Maxine Waters (D-CA) - likely the Congressional heavyweight champion of self-righteous anger - has already started on this, and there's a specific reason why.
"This hack into sensitive information compiled and maintained by Equifax is one of the largest data breaches in our nation's history and someone has to be held accountable," she said. "Given the important role credit scores play in the lives and financial futures of hardworking Americans, Congress must diligently examine the way our credit reporting agencies are operating and impose additional statutory and regulatory reforms to protect the integrity of the country's credit reporting system. I have long advocated for an overhaul of our nation's credit reporting system and I will reintroduce legislation that will enhance consumer protection tools available to minimize harm caused by identity theft."
You see, this isn't just posturing. There is a real need for legislation here. An embarrassing airing of everything that went wrong may be enough to convince regulation-shy Republicans that this need goes beyond ideology to, dare I say it, practicality.
As we were all reminded (or horrified to find out) during the Target data breach, companies don't have to report data breaches as material adverse events.
"Form 8-K does not have an explicit mandatory filing requirement for data breaches (and any financial impact has likely not yet been fully uncovered)," Cynthia Larose, a security expert and attorney at Mintz Levin wrote in Law 360 at the time. "As long as Target includes disclosure of the breach in its upcoming Form 10-K [quarterly filing], it would be difficult for the senator to argue that Target has ignored SEC rules."
Waters and her fellows can work to change that, and they should.
Shareholders and customers
This should be pretty obvious to shareholders, but someone is going to end up investigating this. And when they do, they'll want to know who knew what and when. If they find out the CFO was in fact aware of the breach before he sold his shares, then the company should be ready for insider trading suits from the SEC and individual shareholders.
Customers, for their part, aren't waiting for an investigation. Two Oregon residents filed suit against the company on Thursday saying that it was negligent with their information, and that if it had spent more resources on security none of this would've happened.
This is part of what the Financial Services Modernization Act of 1999, or Gramm-Leach-Bliley Act (GLBA), is all about. It regulates how financial services institutions use and safeguard their users' information.
Equifax noted it in its annual report as well:
We are subject to various GLBA provisions, including rules relating to the use or disclosure of the underlying data and rules relating to the physical, administrative and technological protection of non-public personal financial information. Breach of the GLBA can result in civil and/or criminal liability and sanctions by regulatory authorities, such as fines of up to $100,000 per violation and up to five years' imprisonment for individuals. Regulatory enforcement of the GLBA is under the purview of the FTC, the federal prudential banking regulators, the SEC and state attorneys general, acting alone or in concert with each other.
States have added their own legislation to beef up the GLBA regulation, and Oregon is one of them. In fact, the state's legislation says the company must "notify the consumer in the most expeditious manner possible." In this case, given it took Equifax over a month to let us all know about this, that's arguable.
In fact, a lot of this is probably arguable. Have at it, lawyers.