Equifax and the Increasing Role of State Attorneys General in Data Privacy Regulation and Enforcement

By Will Quick

In June of this year, Alex Pearce and Sean Fernandes wrote on this blog about the increasing role of state AGs in data security enforcement actions.  Boy were they right!

Just a month later, on July 22, 2019, the attorneys general of fifty U.S. states and territories, including North Carolina, the Federal Trade Commission (FTC), and the Consumer Financial Protection Bureau (CFPB) announced a settlement with Equifax, Inc., following what has been reported as the largest-ever breach of consumer data in the U.S.[1]

The Equifax Breach

In September 2017, Equifax, one of the “big three” consumer reporting agencies, announced a data breach affecting more than 147 million consumers—a number that represents nearly half of the population of the United States.  The information reportedly exposed included consumers’ names, social security numbers, dates of birth, addresses, credit card numbers, and driver’s license numbers.

Attorneys general from across the U.S. moved quickly to organize a coalition to undertake a multi-state investigation of the breach in conjunction with federal regulators.  The investigation found that Equifax had failed to implement adequate security measures to protect consumers’ sensitive personal information.[2]

According to regulators, Equifax was aware of a critical vulnerability in the software that handles inquiries from consumers about their personal credit data.  Despite this knowledge, Equifax neglected to apply internally recommended patches.  The company’s security team did not discover the failure to patch the vulnerability until three months later, by which time multiple hackers are reported to have exploited the vulnerability to gain entry to Equifax’s network.  Once inside the network, the hackers had virtually unfettered access to consumers’ sensitive personal information because Equifax apparently stored consumer information, including Social Security numbers, in plain text.

Meanwhile, according to the FTC complaint filed in the matter, Equifax’s privacy policy at the time of the breach claimed that the company “limited access to consumers’ personal information and implemented ‘reasonable physical, technical and procedural safeguards’ to protect consumer data.”  The FTC also alleged that Equifax violated the FTC’s prohibition against unfair and deceptive trade practices, as well as the Gramm-Leach-Bliley Act.

The Settlement Agreement

Pursuant to the terms of the Final Judgment and Consent Decree (the “Settlement Agreement”), the consumer reporting agency will pay at least $575 million and up to $700 million arising from a 2017 data breach alleged to have affected over 147 million consumers nationwide.

The Settlement Agreement includes approximately $175 million to be paid out to and divided amongst the attorneys general of the states that joined in the multi-state coalition investigating the breach for payment of penalties.  North Carolina’s share of this penalty payment was announced by Attorney General Josh Stein to be $4,563,223.03.

Additionally, a restitution fund for affected consumers has been set up as part of the settlement.  The fund has a maximum cap of $425 million, with $300 million dedicated to consumer redress and an additional $125 million becoming available if the initial amount is exhausted.

The fund has received significant attention in past weeks because the $125 general cash payout option under the Settlement Agreement appears to have been oversold and under-funded.  It turns out that of the total amount going into the restitution fund, only $31 million was set aside for this general cash payout.[3]  Given the initial response and the amount available, it appears that individuals signing up to receive the cash payout will receive substantially less than $125.  Indeed, the claims website, which is being run by Settlement Administrator JND, contains the following disclaimer:  “Based on the number of potentially valid claims that have been submitted to date, payments for time spent and alternative compensation of up to $125 likely will be substantially lowered and will be distributed on a proportional basis if the settlement becomes final.”

For individuals who actually purchased credit or identity monitoring services from Equifax and/or paid other identifiable out-of-pocket expenses directly resulting from the 2017 data breach, there are specific funds to pay back those individuals.  Proof of these expenditures must be provided through the claims website in order to be eligible to receive these additional funds.  As a result, the number of individuals likely eligible to receive these funds is expected to be much lower than those claiming the general cash payout.

The general cash payout will be diluted by the number of claimants, and the funds earmarked for out-of-pocket expenses will be available only to the relatively small number of individuals who took self-protection measures following the breach.  The credit monitoring and identity theft insurance measures under the Settlement Agreement, however, are noteworthy and likely more valuable to a consumer than a payout in any event.  Adult consumers are eligible to receive up to ten (10) years, and affected minors up to eighteen (18) years, of free credit monitoring and related services, including credit reporting and identity theft insurance.  In this time of seemingly near-constant announcements of new breaches, having these services is highly recommended.

Equifax will also provide all affected consumers with six free credit reports each year for seven years.  These will be provided on top of the one free annual credit report currently provided by Equifax and the other two national credit reporting agencies to all persons.

Requirements for Improved Privacy and Security Measures

In addition to the measures to assist consumers specifically affected by the breach, Equifax must put in place updated privacy and data security practices moving forward that include, inter alia:

  • Implementation of a comprehensive information security program, “to protect the confidentiality, integrity, and availability” of personal information stored on Equifax’s network;
  • Improved internal safeguards and controls for the handling of consumer data, including encryption of personal information transmitted or stored on Equifax networks;
  • Measures to protect consumers against having their data used by or sold to third parties for advertising purposes;
  • Numerous technical specifications and requirements, including, inter alia, network patch management and updating, network segmentation protocols, risk-based penetration testing, heightened account access and password controls, and automated vulnerability and exposure monitoring;
  • Biennial security assessments performed by an independent third party; and
  • Specific reporting, compliance monitoring, and record-keeping requirements.

The Regulatory Response to the Equifax Breach

Moreover, the Equifax breach has had an impact on the regulatory landscape in the past year and a half, as lawmakers have introduced and, in some cases, enacted legislation that attempts to curb the type of behavior that led to the Equifax breach and to protect consumers in the wake of future incidents.

For example, in late July, New York Governor Andrew Cuomo signed Senate Bill 3582 regulating consumer reporting agencies.[4]  The New York law requires consumer credit reporting agencies to provide identity theft prevention and mitigation services to consumers who are affected by a security breach at a credit reporting agency for up to five years free of charge.

A similar measure that would have required a consumer reporting agency to provide four years of identity theft prevention and mitigation services was included in the NC Identity Theft Protection Act amendment that Attorney General Josh Stein and Representative Jason Saine proposed earlier this year as House Bill 904.[5]  In addition, the proposed legislation further limits the instances in which a consumer reporting agency may charge a consumer a fee to place a security freeze on their accounts following a breach, and requires greater coordination between the agencies when a consumer requests a freeze from one agency.  It appears at this point that House Bill 904 will not see the state House or Senate floors in the current legislative cycle.  All indications, however, are that the legislation will be back again in the 2020 cycle.

It is not just state legislators who are reportedly looking at measures to protect consumers and expand their rights in the wake of the Equifax settlement.  As recently reported by Bloomberg Law, Congresswoman Katie Porter (D-CA) has announced plans to introduce legislation that would give consumers the right to bring private lawsuits against consumer reporting agencies following data breaches under the Fair Credit Reporting Act.[6]  The proposed bill would put in place a reasonable data security standard that would have been violated in a breach like the one seen at Equifax.  While it has been difficult for federal lawmakers to coalesce behind any single national data privacy proposal, the large impact of and widespread frustration over the Equifax breach may just be enough to see this proposal through to adoption.

Key Points and Takeaways From the Equifax Breach and Settlement

The recent multistate settlement between Equifax, federal regulators, and the AGs of nearly every U.S. state and territory comes approximately fifteen years after California became the first state to require notification of and protections for its residents following a data breach, one year after Alabama became the 50th and final state to enact such a law, and less than six months before the effective date of the watershed California Consumer Privacy Act (CCPA), which introduces consumer privacy rights similar to the European Union’s sweeping General Data Protection Regulation and is the most comprehensive and far-reaching piece of state-initiated data privacy legislation since California passed the first data breach notification law in 2003.[7]

While the CCPA is groundbreaking in scope—particularly as it relates to the definition of “personal information” and the consumer disclosure requirements—the enforcement power is still mostly centralized with the California Attorney General, as opposed to being given to consumers themselves through a private right of action.[8]

California’s Attorney General has, for several years, said that his office does not have the resources to enforce the array of potential CCPA violations—for example, a claim that a company failed to disclose a sale of a consumer’s personal information.[9]  It will be interesting, however, in the wake of settlements like the one with Equifax, to see how the California Attorney General actually utilizes his office’s power once the CCPA becomes enforceable on July 1, 2020.

Moreover, regulators in other states are likely to have new tools in their arsenal for protecting consumer privacy in the coming years.  This past year several other state legislatures, including New York and Washington, have considered comprehensive consumer privacy measures.  The proposals differ, but they all portend increased authority for regulators to scrutinize the privacy and security practices of organizations of all sorts that collect and process a consumer’s personal information.

What seems certain in the wake of the Equifax breach and settlement is that companies of all types—not just consumer reporting agencies—should expect to be held accountable for their data privacy practices.  When those practices fall short, they should expect to incur substantial costs in dealing with regulators during breach investigations and in litigation.  It is important now, more than ever, that companies and their counsel keep abreast of the rapidly evolving legislative and regulatory landscape, and understand the policies and enforcement tools available to regulators and enforcement authorities—particularly state attorneys general.

[3] Equifax Data Breach Settlement FAQ (“If there are more than $31 million in claims for Time Spent during the Initial Claims Period (see FAQ 12), all payments for Time Spent will be reduced and distributed on a proportional basis.”)

[8] The only exception to that comes in the form of data breaches.  Under the CCPA, a consumer whose personal information is stolen or disclosed due to a company’s failure to maintain reasonable security measures may proceed with a private right of action.

[9] See Letter from California Attorney General Xavier Becerra to California Legislators (August 22, 2018), available at https://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=2801&context=historical.