In a recent Westlaw Journal article, I shared my conviction that the effects from the massive Equifax breach are only beginning to be felt. I believe this breach will have far reaching effects and perhaps change cyber law forever.
“While the Equifax breach isn’t the largest, it will be a precedent-setting case that tests the current limits of an inadequate cybersecurity legal infrastructure. The event has starkly contrasted the interests of consumers in the use of their data versus the interests of companies who profit from the data, and it highlights the meager protections afforded consumers.”
“Equifax: The cyberlaw test case of the century”
Westlaw Journal, Vol. 32, Issue 5
Recent revelations and actions support this view. In early March, Equifax announced that it had “identified another 2.4 million U.S. consumers whose names and driver’s license information were stolen in a data breach last year that affected half the U.S. population,” resulting in even more households being exposed to potentially fraudulent use of their data.
The cumulative impact of the Equifax and OPM breaches makes it increasingly difficult to authenticate consumers. The vast amount of information available on individuals from breaches and other sources like Facebook (e.g., recent revelations about both political parties amassing and using its data) is making it impossible to ask authenticating questions whose answers aren’t already available on the Dark Web.
Six months after the Equifax breach, here are a few of its aftershocks:
IRS Unable to Reliably Authenticate Tax Returns
The loudest rumblings are emanating from the IRS. Late last year after the Equifax breach, IRS officials began to realize that a tsunami of tax refund fraud was heading their way. They hastily assembled experts from major companies to brainstorm what the true impact is, and what it will take to recover from the threat.
It turned out to be worse than anticipated. With a new total of 148 million consumers’ data stolen, virtually every one of the 120 million households in the U.S. is affected. To recover their ability to manage the income tax process reliably, it’s not inconceivable that the IRS will have to find new ways to re-authenticate every taxpayer.
Large and Small Claims Being Filed Against Equifax
Hundreds of class-action lawsuits have been filed against Equifax since the breach; at last count there were 240 such lawsuits. These lawsuits represent billions of dollars in liability for its board, management, and shareholders, and taken together they raise a real possibility of eventual liquidation, depending on the outcomes in court.
Consumers have been filing against Equifax in small claims courts, and they’re winning. Christian Haigh, founder of finance startup Legalist, said, “I also filed my own lawsuit against Equifax, half expecting to have my case dismissed, and half expecting Equifax to not even show up. In fact, Equifax did appear,” and he won a judgment of $8,000, despite Equifax’s high-powered (and expensive) legal team.
Suppose that 1% of consumers affected by the breach filed and achieved the same result. Equifax would have to pay out almost $12 billion in fines, and the legal fees to fight those claims would be astronomical.
New Equifax-Inspired Regulations Under Consideration
Equifax has come under scrutiny in all fifty states since the breach. Calls were heard in Congress for various actions at the national level, but they all died on the vine in the first few months. As Munish Walther-Puri recently pointed out in The Hill, “previous milestone breaches have failed to overcome this inertia,” but he then went on to list four potential initiatives that may gain momentum as the pressure to take action builds:
- U.S. version of GDPR – Without necessarily emulating the punitive measures spelled out in the EU law, one rational approach in the U.S. is to declare consumers to be the owners of their personal data and to give them certain rights which organizations using their data must recognize and respect.
- National breach notification – Rapid notification of breaches is a key way to blunt their negative impact. At present, 48 states have their own breach notification laws. Having a national law would ease the reporting burden on organizations while ensuring that uniform data becomes available for rapid action and subsequent analysis.
- FTC fines per record stolen or lost – Empowering the FTC to levy fines against the credit-reporting agencies, based on the number of stolen records, would align penalties with the magnitude of the breach (and perhaps the level of negligence?).
- A national cybersecurity safety board – Some in Congress have called for creating a new oversight agency that would operate like the NTSB. Its role would be to investigate major breaches in order to understand better how to protect against them.
Our regulatory policies and legal infrastructure lag far behind the realities that cyber breaches and their negative effects present to consumers and businesses. The Equifax breach and its continuing aftereffects promise to drive a change in the national mood. Instead of doing the least we can do in the face of hacking, we are now forced to confront a future that promises to destroy lives and businesses if we simply look for a comfortable way out.