“It is not possible to estimate the amount of loss or range of possible loss.”

Equifax reported that revenue ticked up 4% year-over-year in the third quarter to a less-than expected $835 million and net income plunged 27% to $96 million due to the initial costs related to the most damaging consumer data hack in US history. But it also disclosed in the fine print of its SEC filing just what a legal nightmare it is getting into over what it calls the “cybersecurity incident.”

The “cybersecurity incident” occurred in mid-May, was discovered in July, and was first disclosed on September 7. Its dimensions have since expanded. It compromised the personal-data crown jewels of 145.5 million US consumers, credit card numbers of  209,000 US and Canadian consumers, “certain dispute documents with personal identifying information” for 182,000 US consumers, personal information of 8,000 Canadian consumers, and personal information of at least 690,000 UK consumers.

The initial expenses related to the “cybersecurity incident” were an undramatic $27.3 million. But that’s just the timid beginning.

Then the costs related to the “free credit file monitoring and identity theft protection” will likely range between $56 million and $110 million. And that too is just the beginning. The biggie?

Litigation, Claims, and Government Investigations.

“Over 240” class action lawsuits by consumers have been filed in US federal and state courts and in Canadian courts. The plaintiffs “generally … assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, and other related relief.”

Undisclosed number of class action lawsuits by financial institutions “who allege their businesses have been placed at risk due to the cybersecurity incident and generally assert various common law claims such as claims for negligence and breach of contract, as well as, in some cases, statutory claims.” These suits seek compensatory damages and “other related relief.”

Undisclosed number of “putative class action lawsuits” by shareholders against Equifx and “certain” of its current and former officers and directors, alleging “violations of the federal securities laws in connection with statements regarding our cybersecurity systems and controls” and are seeking “unspecified monetary damages, costs and attorneys’ fees.”

Undisclosed number of “other lawsuits and claims allegedly arising out of the cybersecurity incident,” presumably including the $500,000-lawsuit filed by short seller Carson Block.

Government entities are getting restless.

US federal, state, and city government agencies, and governmental agencies and officials in the Canada and the UK are investigating among other things, how the cybersecurity incident “occurred, the consequences thereof, and our response thereto.” They’re “seeking information and/or documents, including through Civil Investigative Demands.” And they “may seek to impose injunctive relief, consent decrees, or other civil or criminal penalties….”

The restless entities in the US include:

  • The 50 state Attorneys General offices and the District of Columbia and Puerto Rico. The Attorney General of Massachusetts has already filed a civil enforcement action.
  • The City of San Francisco and the Chicago City Council have filed lawsuits “alleging violations of state laws and local ordinances governing protection of personal data, consumer fraud, and breach notice requirements and business practices.”
  • The Federal Trade Commission (FTC).
  • The Consumer Finance Protection Bureau (CFPB)
  • The SEC and the US Attorney’s Office for the Northern District of Georgia have sent subpoenas to Equifax “regarding trading activities by certain of our employees in relation to the cybersecurity incident.”
  • The New York Department of Financial Services
  • The New York Department of State – Division of Consumer Protection
  • “Other US state bank regulators”
  • The Financial Industry Regulatory Authority (FINRA)
  • “Certain Congressional committees” of the Senate and House of Representatives.

Outside the US:

  • The UK’s Financial Conduct Authority (FCA). Its Enforcement Division has opened an investigation into Equifax’s UK subsidiary.
  • The UK’s Information Commissioner’s Office
  • Canada’s Office of the Privacy Commissioner.

And more hounding may come:

Additional lawsuits and claims related to the cybersecurity incident may be asserted by or on behalf of consumers, customers, shareholders or others seeking damages or other related relief and additional inquiries from governmental agencies may be received or investigations by governmental agencies commenced.

Equifax doesn’t know how much it’ll cost.

But it could be big — and “have an adverse effect on how we operate our business or our results of operations.”

It is not possible to estimate the amount of loss or range of possible loss, if any, that might result from adverse judgments, settlements, penalties or other resolution of the above described proceedings and investigations based on the early stage of these proceedings and investigations, that alleged damages have not been specified, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues.

Unknown “Future Costs” associated with the “cybersecurity incident” beyond the judgements, penalties, fines, and the like, include:

  • “Significant” legal and other professional services expenses.
  • Increased expenses and capital investments for IT and security.
  • Increased expenses for insurance, finance, compliance activities, and to meet increased legal and regulatory requirements.
  • Increased costs to provide free services to consumers including “increased customer support costs.”

There will be “other risk factors,” in addition the legal risks:

“Our remediation and security and IT enhancement efforts will be costly and may not be effective,” it said. Plus, the fiasco “has had a negative impact on our reputation” [no kidding!], and may have “a long-term effect on our relationships with our customers, our revenue and our business.”

Worst of all, this unwanted attention by government agencies and the courts could hamper its business of collecting and monetizing consumers’ personal data (remember, the consumer is the product):

The governmental agencies investigating the cybersecurity incident may seek to impose injunctive relief, consent decrees, or other civil or criminal penalties, which could, among other things, impact our ability to collect and use consumer information, materially increase our data security costs and/or otherwise require us to alter how we operate our business.

Where there’s a crisis, there’s opportunity – for fraudsters. Here are some of the Equifax scams now underway – and how to protect yourself. Read…  Beware – the Equifax Scams Are Coming