Potential claimants would face an ‘uphill battle in order to establish standing’, says US privacy law expert
ANALYSIS The 2017 Equifax mega-breach was arguably the worst data breach that consumers have ever endured, but details of the final settlement reveal that most individuals have little chance of getting any recompense.
Attackers took advantage of a known vulnerability in Apache Struts to break into the credit reference agency's database through its dispute resolution portal, before siphoning off the credit records of more than 147 million US citizens and an estimated 15 million UK residents.
The breach exposed names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud.
Credit card numbers for around 209,000 US consumers and US driving licence details of more than 10 million people were also exposed.
Equifax's systems were exposed for weeks between May and July 2017 before the intrusion was detected and remedial action was carried out. The Apache Struts update that closed the hole had been published in March 2017, two months before the attackers got in.
Legal ruckus
After the massive breach was made public in September 2017, lawsuits and enforcement action followed.
In July 2019, Equifax agreed to pay $175 million to 48 US states, the District of Columbia and Puerto Rico, as well as $100 million to the Consumer Financial Protection Bureau.
The credit reference agency was faulted for a “failure to take reasonable steps to secure its network”, shortcomings in attack detection controls, admin credentials stored in plain text, and inadequate encryption of sensitive customer data.
Under the terms of the under-reported final settlement, Equifax agreed to pay at least $300 million into a consumer fund to help those affected by the breach recover from the incident. The credit reference agency further agreed, if necessary, to pay up to $125 million more into a supplementary fund to reimburse consumers for out-of-pocket losses resulting from the data breach.
Breaking down the Equifax breach
A spokesperson for the US Federal Trade Commission (FTC) offered The Daily Swig a breakdown of how the primary $300 million consumer fund will be distributed:
- Free credit monitoring for 10 years will be allocated to affected consumers.
- Money to reimburse consumers (capped at $20,000 per consumer) for out-of-pocket losses related to the breach such as unauthorized charges to their accounts, costs of freezing their credit, and credit monitoring.
- Funds of $31 million to compensate consumers for time spent recovering from the breach – up to 20 hours at $25 per hour.
- A further $31 million for consumers who want to obtain alternative credit monitoring.
- Up to 25% reimbursement for the cost of Equifax subscription products in the year before the breach.
Asked how much has been budgeted to cover costs associated with identity theft resulting from the security incident, an FTC spokesperson explained: “Each consumer is eligible for up to $20,000 for valid claims, with $31 million (up to $38M as discussed above) for time compensation claims.”
Consumers will be obliged to demonstrate "out-of-pocket losses" in order to receive compensation. There will be no 'pro rata' payment to the many millions affected by the massive breach.
This may come as a bit of a surprise to consumers who throughout 2019 were invited to take part in class action lawsuits over the breach through emails inviting them to “claim benefits in the Equifax data breach settlement”, or similar.
Despite early fears, data from the breach has yet to surface on dark web cybercrime forums. US authorities believe the data was not stolen for profit-motivated cybercrime.
In February 2020, US authorities unsealed a nine-count indictment charging four named members of the Chinese military with mounting the attack on Equifax.
Equifax has agreed to spend $1 billion on security improvements following the 2017 mega-breach
Standing orders
David Oberly, an attorney at US law firm Blank Rome and an expert in cybersecurity and privacy law, told The Daily Swig that the agreement with Equifax goes “above and beyond the standard settlement terms that are ordinarily seen in connection with the resolution of data breach disputes”.
For one thing, 10 years of free credit monitoring is being offered to impacted consumers rather than the standard three. In addition, Equifax has agreed to budget $1 billion on security improvements.
Oberly explained that potential claimants or litigants seeking monetary compensation as a consequence of the breach will face an uphill battle in order to establish 'standing', or the right to sue:
Standing represents a major hurdle that many plaintiffs are not able to overcome which, in turn, prevents them from any form of recovery in the wake of a data compromise incident.
Importantly, many courts have found that the cost of taking protective measures following an unauthorized data breach is not sufficient, by itself, to create standing.
In particular, the Eleventh Circuit – the federal court of appeals associated with the Georgia federal court where the Equifax litigation took place – has held that where data breach plaintiffs could suffer future injury from misuse of their personal information compromised during a data breach, but where no actual misuse has occurred, the risk of misuse alone falls short of establishing standing.
With the Equifax settlement, however, Equifax has agreed to cover the costs incurred in connection with the time spent responding to the event, even though the validity of such claims is very questionable based on the venue of the litigation.
In response to a query on how many valid claimants there are and what each will receive, an FTC representative referred us to the settlement administrators.
Oberly concluded that, regardless of how much Equifax ultimately pays consumers, the whole data breach saga ought to "serve as a wake-up call to other companies who see this eye-popping figure and prompt them to consider taking proactive measures to improve their security programs".