Published By Janet Gershen-Siegel at October 18, 2017
There has been a lot going on, so here is your 2017 Equifax data breach update.
As you have undoubtedly heard, during the first week in September, credit reporting agency Equifax reported a data breach which compromised the data of some 143 million Americans. Furthermore, a good 209,000 Americans also had their credit card numbers stolen. The breach affected residents in the UK and Canada as well.
It took a while to get the international numbers. But the Toronto Globe and Mail reports that Equifax Canada says there are a good 100,000 Canadian citizens who are also affected. The Globe and Mail also notes that the Canadian privacy watchdog is investigating the breach. And they are not alone.
On September 15, Business Insider reported that two of the executives at Equifax had retired. They are the company’s Chief Security Officer, Susan Mauldin, and its Chief Information Officer, David Webb. Interestingly enough, while the retirements were of the people who were most likely closest to the breach and should have known about it (and reported it far earlier), neither of them were the three executives who dumped more than one million dollars in Equifax stock a few days after the discovery of the breach.
And then on September 26th, the New York Times reported that the Equifax CEO, Richard Smith, would retire. He has been replaced, albeit only on a temporary basis, by Paulino do Rego Barros Jr, the head of the company’s Asia-Pacific region. Equifax is now conducting a search for a replacement CEO, as many potential candidates were considered as tainted by the scandal. This included Joseph Loughran, Equifax’s president of United States information solutions, one of the people who dumped their stocks.
Furthermore, the Board of Directors took the rare step of saying they could retroactively reclassify Smith as having been fired for cause. Currently, Smith receives over $18 million in pension benefits and he holds $20.8 million in stock awards, plus $23.6 million in Equifax stock. These are the perks of being a part of a large company’s C-suite. A firing for cause would likely mean he would be forced to repay or forego some of that compensation.
If Smith is on the receiving end of a lawsuit and loses, then the Board may very well change its records and say they fired him for cause. And speaking of Equifax lawsuits …
On September 12th, Senators Orrin Hatch (the Finance Committee Chair) and Ron Wyden (the ranking Democrat on that committee) wrote to Equifax demanding answers, including a detailed timeline of the breach, its discovery, and the stock dumps, according to UPI.
On September 13th, Senator Mark Warner asked for the Federal Trade Commission to start investigating the hack. Warner’s open letter was to the Acting Chairman of the FTC, Maureen Ohlhausen. He noted that the Fair Credit Reporting Act requires all credit reporting bureaus (such as Experian, Dun & Bradstreet, and TransUnion) zealously protect consumer confidentiality and privacy. Warner said the scope of the breach, along with the sensitivity of the stolen data, raised ‘serious questions’ about whether Equifax had been living up to its obligations under the FCRA.
On September 19th, Massachusetts Attorney General Maura Healey filed the first enforcement action. The Attorney General’s Consumer Protection Division is handling the matter. They allege:
On September 20th, Info Security reported that small businesses, using the services of the Doss Firm of Marietta, Georgia, have sued in a class action. The complainthas been filed in the US District Court for the North District of the Atlanta division.The name of that case is O’Dell Properties, LLC, O’Dell & O’Neal, P.C., Jellie Donuts, LLC, et. al. v. Equifax, Inc. Attorney Jason Doss noted that it was a kind of double whammy for small business owners. Not only are their personal and business credit accounts potentially breached, thereby affecting their ability to get credit cards, they are also, likely, going to be affected when trying to get loans, including from the SBA.
The suit seeks legal fees plus damages for time spent monitoring financial accounts for any signs of identity theft or other criminal issues. But don’t expect a big payout from class action suits. Bloomberg estimates perhaps a $200 million payout when all is said and done. This would provide consumers with the miniscule comfort of a $1 reward for their damages.The O’Dell Properties case won’t go away any time soon.
As you might imagine, unless you are a named plaintiff in the class action suit, you are probably not going to see a lot of cash no matter how the case goes. However, there are going to be Congressional hearings. Smith is already scheduled to appear in front of the Senate Banking Committee on October 4th. It should make for interesting television if nothing else.
Will there also be an investigation and a civil or criminal case for insider trading? We don’t know that yet. Stay tuned, as there is undoubtedly more to come as the Senate and lawyers start to turn over rocks to expose what’s underneath.