Equifax reported that revenue ticked up 4% year-over-year in the third quarter to a less-than-expected $835 million and net income plunged 27% to $96 million due to the initial costs related to the most damaging consumer data hack in US history. But it also disclosed in the fine print of its SEC filing just what a legal nightmare it is getting into over what it calls the “cybersecurity incident.”
The “cybersecurity incident” occurred in mid-May, was discovered in July, and was first disclosed on September 7. Its dimensions have since expanded. It compromised the personal-data crown jewels of 145.5 million US consumers, credit card numbers of 209,000 US and Canadian consumers, “certain dispute documents with personal identifying information” for 182,000 US consumers, personal information of 8,000 Canadian consumers, and personal information of at least 690,000 UK consumers.
The initial expenses related to the “cybersecurity incident” were an undramatic $27.3 million. But that’s just the timid beginning.
Then the costs related to the “free credit file monitoring and identity theft protection” will likely range between $56 million and $110 million. And that too is just the beginning. The biggie?
“Over 240” class action lawsuits by consumers have been filed in US federal and state courts and in Canadian courts. The plaintiffs “generally … assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, and other related relief.”
Undisclosed number of class action lawsuits by financial institutions “who allege their businesses have been placed at risk due to the cybersecurity incident and generally assert various common law claims such as claims for negligence and breach of contract, as well as, in some cases, statutory claims.” These suits seek compensatory damages and “other related relief.”
Undisclosed number of “putative class action lawsuits” by shareholders against Equifax and “certain” of its current and former officers and directors, alleging “violations of the federal securities laws in connection with statements regarding our cybersecurity systems and controls” and seeking “unspecified monetary damages, costs and attorneys’ fees.”
Undisclosed number of “other lawsuits and claims allegedly arising out of the cybersecurity incident,” presumably including the $500,000-lawsuit filed by short seller Carson Block.
US federal, state, and city government agencies, and governmental agencies and officials in Canada and the UK are investigating, among other things, how the cybersecurity incident “occurred, the consequences thereof, and our response thereto.” They’re “seeking information and/or documents, including through Civil Investigative Demands.” And they “may seek to impose injunctive relief, consent decrees, or other civil or criminal penalties….”
And more hounding may come:
Additional lawsuits and claims related to the cybersecurity incident may be asserted by or on behalf of consumers, customers, shareholders or others seeking damages or other related relief and additional inquiries from governmental agencies may be received or investigations by governmental agencies commenced.
But it could be big — and “have an adverse effect on how we operate our business or our results of operations.”
It is not possible to estimate the amount of loss or range of possible loss, if any, that might result from adverse judgments, settlements, penalties or other resolution of the above described proceedings and investigations based on the early stage of these proceedings and investigations, that alleged damages have not been specified, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues.
Unknown “Future Costs” associated with the “cybersecurity incident” beyond the judgements, penalties, fines, and the like, include:
“Our remediation and security and IT enhancement efforts will be costly and may not be effective,” it said. Plus, the fiasco “has had a negative impact on our reputation” [no kidding!], and may have “a long-term effect on our relationships with our customers, our revenue and our business.”
Worst of all, this unwanted attention by government agencies and the courts could hamper its business of collecting and monetizing consumers’ personal data (remember, the consumer is the product):
The governmental agencies investigating the cybersecurity incident may seek to impose injunctive relief, consent decrees, or other civil or criminal penalties, which could, among other things, impact our ability to collect and use consumer information, materially increase our data security costs and/or otherwise require us to alter how we operate our business.