The Equifax Hack

Every now and then, there is a data breach that is such a watershed moment it changes peoples’ perspectives on cyber events. The first was ChoicePoint in 2005. One of the country’s first and largest data aggregation companies sold personal data on 163,000 people to an alleged crime ring engaging in identity theft.

The second was the 2013 Target breach involving the theft of credit card and personal data on 110 million Americans. And the third was this September, when Equifax, one of the country’s largest credit bureaus, announced that data on 143 million people had been stolen, including names, addresses, Social Security numbers and birthdates. The theft also involved 209,000 credit card numbers and 182,000 credit dispute documents.

Although there were plenty of major cyber incidents in between these events—such as the multi-pronged attack on Sony in 2014—ChoicePoint and Target rang alarm bells and moved the needle on the cyber-security market. We can expect the same from the Equifax incident.

The Equifax breach finally may advance federal legislation regarding breach notification and spur other regulatory agencies, such as the Securities and Exchange Commission (which recently announced, it too, was breached), to mandate certain activities in cyber-security programs and reporting on cyber attacks.

Like a tsunami, insurance markets will be affected by resulting claims and increased risk and compliance costs flowing from the breach and any forthcoming regulatory actions.

The Equifax breach particularly highlights the risks associated with unauthorized access to large databases of personally identifiable information (PII) and the impact these breaches can have on ordinary individuals whose data may be used in fraudulent schemes, identity theft, or other crimes. The ugly truth underlying all of these incidents is not how much money it costs the company that was breached; it is how much it costs everyday people who have to keep their jobs and personal lives intact while trying to clear their credit report and resolve claims for accounts or loans they did not apply for.

A 2013 Bureau of Justice Statistics report found that identity theft cost victims $24.7 billion in 2012—more than all other property claims combined. More recently, the 2017 Identity Fraud Study released by Javelin Strategy & Research said 15.4 million people were identify fraud victims in 2016, an all-time high, with losses of $16 billion. Now, with identity theft protection as a popular employee benefit, expect increased claims on behalf of individuals if the Equifax data are used for nefarious purposes.

A little-known aspect of the whole data breach lifecycle is the role the credit bureaus have played and how breach notification has boosted their business. When any company’s PII is breached, it has to hire one of the three major credit bureaus—Equifax, TransUnion or Experian—to send out required notifications to the people whose data have been compromised because they are the only organizations with current contact information for everyone, including former employees who may be living elsewhere. Depending on the size of the breach, the fees charged by the credit bureaus for this notification service can be sizeable. But Equifax is spared this expense; it can simply send its own notifications.

The cost savings in notification, however, will do little to offset Equifax’s legal bills. The company already faces at least 23 potential class action lawsuits. The Federal Trade Commission has confirmed it is investigating the breach. New York Attorney General Eric Schneiderman says he is investigating the incident. Two congressional committees have announced hearings. The Senate Finance Committee has asked the company to respond to a request for information. And the Massachusetts attorney general has filed a lawsuit against the company for failure to protect consumers’ PII.

The Equifax breach appears likely to affect the company’s bottom line. Credit bureaus have built up quite a business selling identity theft services, such as credit monitoring and alerts, credit score reporting and lost wallet assistance. They used to refuse to put a permanent fraud alert or a credit freeze on accounts until state breach laws required them to do so. Why? The more breaches there were, the more money they made. In fact, Equifax CEO Richard Smith made his mark at the company by focusing on acquiring new sources of personal data, such as employment records, and on mining and selling various data reports. This strategy added employers and insurance companies to the firm’s client list and revenue to its financial statements.

The impact of the Equifax breach, however, will not be limited to the company and affected individuals. The incident also will cost businesses and the federal government. The information stolen in the Equifax breach is the precise information that is used in the authentication procedures of financial institutions, the Social Security Administration, and the Centers for Medicare & Medicaid Services.

“One important impact of a breach of this size is that it can be a systemic shock to established procedures of authentication,” says Paul Bond, co-leader of ReedSmith’s Information Technology, Privacy & Data Security Group. Indeed, banks and lending institutions are reportedly examining their authentication procedures and reconsidering doing business with Equifax.

The Wall Street Journal reported Equifax’s 2015-16 lobbying disclosure forms indicate the company spent more than its counterparts in lobbying Congress to limit liability regarding “data security breach notification” and “cybersecurity threat information sharing”—perhaps in anticipation that such a breach could occur. In addition, Equifax made political contributions to 13 members of the Financial Services Committee in the 2016 elections and lobbied to trim the power of regulators. This now will likely have a snapback effect as legislators and regulators feel the pressure to take action to protect individuals whose data was not adequately protected and was disclosed in the breach.

Equifax struggled to be forthcoming with information about the breach to assist companies using its services or individuals whose data had been stolen. It delayed announcing the breach for six weeks after it was discovered, and its lack of transparency will likely prove to be a costly mistake for Equifax and everyone affected.

Equifax is certain to remain in the cross hairs for some time to come, and insurance agents and brokers need to stay informed and prepared to help clients with claims and questions.

Westby is CEO of Global Cyber Risk. westby@globalcyberrisk.com