BizTech Law Blog
In September 2017, credit reporting agency Equifax announced that personal information for over 140 million U.S. consumers was potentially compromised. Equifax’s forensic investigations have put the number closer to 145.5 million. The compromised data includes names, social security numbers, birth dates, addresses, driver’s license numbers and even credit card numbers. Within a matter of weeks after the breach, Equifax’s CEO, Richard Smith, announced he was stepping down. It soon became clear that Equifax’s troubles were just beginning.
Equifax initially set up a website where consumers could go check if their information had been compromised. However, the website ran into a host of issues. First, many news stories reported that the website was not giving clear responses. Second, a web developer made a fake Equifax site and Equifax linked to it. The fake site was taken down within a day. The fake site’s creator stated the purpose was to illustrate how dangerously easy it was to impersonate Equifax’s site. Third, the Equifax site initially included an arbitration clause, which forced people who used the site to waive their right to a class action lawsuit. Due to public outrage, Equifax has since removed the arbitration clause. Finally, Equifax’s site was maliciously manipulated, as users of the site were redirected to download fraudulent Adobe Flash updates. When the updates were clicked, users’ computers were infected with adware. Even worse the adware was only detectible by 3 of the 65 antivirus providers. Equifax appears to have resolved the issue and is currently placing the blame on a third party vendor.
Days after Equifax announced the breach, Equifax was awarded a $7.25 million “taxpayer identity” contract with the Internal Revenue Service (IRS). After the malware attack, the IRS temporarily suspended the contract. Earlier this week the Government Accountability Office (GAO) rejected Equifax’s bid.
In early October, Equifax’s former CEO, Richard Smith, formally testified before Congress. While testifying, information came to light that the Department of Homeland Security had warned Equifax to fix any vulnerabilities in their software. Equifax failed to do so and the breach occurred later that month. Furthermore, Smith was questioned about several stock sales by high ranking executives that occurred shortly before the breach was announced. Equifax’s stock has also been affected by the breach. Since news of the breach, Equifax’s stock is down around 23%. Equifax is under investigation from multiple authorities. The Department of Justice (DOJ) opened a criminal investigation into possible insider trading at Equifax. The Consumer Financial Protection Bureau, the Federal Trade Commission (FTC) and 35 state attorneys general, including Michigan’s Attorney General Bill Schuette, have opened inquiries into the breach. Furthermore, Equifax may be facing consumer lawsuits. The plaintiff’s bar initiated a class action lawsuit on behalf of the affected consumers shortly after the breach was announced. More class action lawsuits are expected to arise as news about the breach continues to be revealed.
Previous posts have addressed steps consumers can take in response to the threat of identity theft. Additionally, businesses should implement and evaluate an incident response plan to avoid Equifax’s missteps.
If you have questions or concerns regarding identity theft or a breach response plan please contact a Foster Swift Business & Corporate attorney.
