Posted: October 16th, 2017
By: Emily Marcum *| Staff Writer
Cybersecurity is not the next frontier for most businesses; in fact, it’s more or less the only game in town. Over the last decade, the phrase “cybersecurity” has echoed in boardrooms, courtrooms, and living rooms like never before. What was once intellectual chatter, has become a “fact of life for corporations and governments.” According to U.S. President, Donald Trump, “Cyber theft is the fastest growing crime in the United States by far.” So, it is no surprise that consumers were recently greeted with yet another disappointing headline concerning Equifax’s massive data breach.
Equifax, one of the three major consumer credit reporting agencies, recently reported that hackers gained access to data which potentially compromised the sensitive information of 143 million American consumers. The hack is amongst the largest ever recorded, causing Equifax stock to fall 18 percent, their biggest one-day drop in 16 years. Consumers may think that they are in the clear because they have never used Equifax’s services, but unfortunately for consumers, they could still be at risk. Equifax collects a great deal of consumer information from third-parties, such as credit card companies, banks, mortgage lenders, and any other entity that extends credit. Therefore, it is extremely likely Equifax has collected sensitive information on you, even if you have never directly used Equifax’s services.
The sensitive information that was compromised as a result of the breach includes: names, addresses, birth dates, credit card numbers, social security numbers, and driver’s license numbers. Consequently, hackers now hold all the information necessary to impersonate consumers with lenders, creditors and service providers. The Equifax breach is unique because credit reporting agencies are who consumers normally call for help after they have been hacked, for services like credit monitoring and identity theft protection. Because of the nature of its business and the hypersensitive information stolen, Equifax has been labeled as one of the most severe security breaches to date. Avivah Litan, a fraud analyst for Gartner, a leading technological research company, stated, “On a scale of 1 to 10 in terms of risk to consumers, this is a 10.” Unfortunately for consumers, they are still waiting to find out whether they are a victim of this data breach.
Consumers are unhappy for obvious reasons, but the poor handling of the situation and sketchy acts by top executives have made a bad situation even worse. Equifax Chief Financial Officer, John Gamble, sold $1.8 million shares of Equifax stock before the breach had become public knowledge. Gamble and several other top executives are being investigated by the Department of Justice for violating insider trading laws. In addition to the criminal investigation by the Department of Justice, consumers have filed countless class action lawsuits, and the Federal Trade Commission is investigating Equifax for unfair and deceptive trade practices.
Consumers hoping to make some quick cash by filing class action lawsuits face numerous obstacles. First, because Equifax collects much of its data through third parties, Equifax will likely argue that they do not owe a duty to the consumer because they lacked a direct relationship. Instead, Equifax could argue that it only owes a duty to its corporate customers from whom they collected the consumer information. Second, consumers will likely struggle to prove that they suffered an actual financial harm from the breach. This is a recurring problem for victims of data breaches. Circuits are split over whether a risk of future harm is enough to satisfy Article III standing requirements. Thus, it is unclear whether consumers will be successful in their recovery efforts. For now, consumers should focus on doing whatever they can to protect themselves from identity theft, and businesses should reevaluate whether they are doing everything in their power to prevent a similar hack.
Emily Marcum is a third-year law student at Wake Forest University School of Law. She graduated from the University of South Carolina, where she received her degree in political science with a minor in business administration. Upon graduation, Emily plans to stay in the Carolinas in hopes of working for a business’s general counsel or compliance team.