The Equifax data breach, also known as the Equifax hack, in which highly sensitive personal information of approximately 50% of all Americans was compromised, is fascinating from a legal standpoint for a variety of reasons.
It will likely take years to fully understand what happened, what measures Equifax did or did not have in place to prevent the breach, exactly what Equifax did in the immediate aftermath of learning of the hack, and the extent of damages and harm to the 143 million or so individuals whose data was stolen.
We know that multiple states’ attorneys general are conducting investigations, including the New York State Attorney General’s office; the FTC has instituted an investigation; quite a bit of noise is being made about the fact that three company insiders sold $1.5 million of company shares shortly after the breach but prior to Equifax publicly disclosing it (which will likely lead to at least some additional regulatory or perhaps congressional inquiries); thousands of individuals have filed small claims lawsuits against Equifax thanks to a chatbot that streamlines the process for individuals to file such actions; and more than twenty class action lawsuits have been filed, with plaintiffs’ attorneys in the first-filed case stating that they will seek an eye-popping $70 billion in damages.
So, Equifax’s legal team will have its hands full for a while.
Lessons Learned from the Equifax Hack
What interests me about this case so much is that it touches upon and provides lessons, or at least will provide lessons as we learn more, about both preventative cybersecurity measures and reactive measures in the case of an actual breach and the developing web of regulations dealing with both of those items.
Earlier this year, I wrote a blog post that discussed the increasing focus of FINRA and the SEC on cybersecurity enforcement actions against covered entities. This trend is certainly continuing, and recent statements and publications by the SEC have made clear that cybersecurity will continue to be a, if not the, major focus of the Commission moving forward. Specifically, earlier this summer, Steven Peikin, the co-director of the Division of Enforcement, gave an interview in which he stated that “The greatest threat to our markets right now is the cyber threat.” And in August, the Office of Compliance Inspections and Examinations (OCIE) of the SEC, as part of its Cybersecurity 2 Initiative, released the findings of its examination of the cybersecurity practices of 75 broker-dealers, investment advisers, and investment firms. Among other things, the OCIE’s findings included a list of suggested best practices and identified certain common deficiencies in cybersecurity plans and their implementation at the examined firms.
What Companies Do After a Breach
Another aspect of cybersecurity regulation, which has been brought sharply into focus in the Equifax case, is aimed at what a company does after it learns of a breach. While the SEC and FINRA regulations are focused on preventing data breaches, much of the work currently being done at the state level addresses the steps that companies must take following a breach (the New York State Department of Financial Services Cybersecurity Regulations, enacted in March of this year and which many think will become a model for other states to follow, address both preventative and remedial issues).
While keeping data safe is of course paramount, the inherent fallibility of current cybersecurity measures means that what companies do after a breach is at least as important as what they do to prevent one. In short, it is impossible to secure data with certainty, and all companies, particularly those holding sensitive personal information (like Equifax), should assume that they will be hacked and have a plan in place for how they will respond when that happens.
Various state and federal regulators will continue to adopt rules and regulations addressing what a company needs to do following a breach, but this will likely be a moving target for some time, if not indefinitely. In the meantime, companies big and small that hold customers’ personal data need to have plans in place for what they will do in the aftermath of a breach, plans that conform to the specific regulatory requirements those companies are governed by and that make business and customer relations sense.
We do not yet know what Equifax could have done to prevent the hack, or at least mitigate the risk of one. But it is already clear that the company’s response to the hack was lacking, to put it mildly. Equifax did not notify customers until well after learning about the hack. It then communicated poorly regarding what it was offering to customers to help protect them and the terms of that offer. And it has been largely unable or unavailable to answer questions from individual customers and media outlets about what happened and what it was doing about it. This response has made a very bad situation worse and brought more regulatory and legal scrutiny on a company that was already going to face a lot of it.
As I noted above, we will continue to learn lessons from this case as more and more information is uncovered, but in the immediate aftermath, we have a clear reminder that a big part of compliance planning and execution is to do no harm. Sometimes plans do not work – they may not be executed properly, or were insufficient in the first place, or maybe a company did everything right but something still went wrong – and bad things happen. Companies, particularly in the area of cybersecurity, need to have a plan for that eventuality so that they can prevent a bad business and legal situation from becoming worse.