Can a Security Breach Impact Your Company Years Later? Lessons Learned from the Equifax Breach

A breach of cybersecurity can cost a company millions of dollars[i] and now may even significantly lower its creditworthiness.[ii] Two years after its massive data breach was announced, Equifax still faces serious fallout from the breach [iii]—from damage to its professional reputation, to the fines paid to several federal organizations, and several lawsuits.[iv] Moody’s Investor Service (“Moody’s”) recently downgraded its rating of Equifax citing the company’s cybersecurity issues as the reason. Security incidents continue to impact companies in a multitude of ways, and often the full impact of an incident isn’t realized until years after the breach. 
 
The 2017 Equifax Breach
 
Equifax, a major credit score bureau, was the victim of one of the largest cybersecurity breaches in history.^[v] Beyond its credit report analytics, Equifax is known for purchasing and selling personal data.^[vi] Even those who may not have provided data directly to Equifax may still find their personal data in the hands of Equifax because Equifax obtains much of its content from third party companies.^[vii] Companies who have vast stores of personal data, like Equifax, are prime targets for cyber-attacks. ^[viii]
 
On September 7, 2017, Equifax announced it was breached.^[ix] Although the incident was reported in September, the unauthorized data collection process occurred from mid‑May until July 29, 2017. Personal identifiable information, including names, social security numbers, birthdates, addresses, and driver’s licenses numbers, were stolen. As a result, an estimated 148 million people were potentially impacted by the data breach.^[x] Experts can only speculate to the full extent of the data stolen because the data itself is still missing. The personal data profiles were not affected uniformly—some individuals’ addresses were stolen, while others lost social security information, date of birth, or other pieces of identifiable information.^[xi]

Results of Equifax’s Breach
 
Following the breach, the Federal Trade Commission (“FTC”) and the Consumer Financial Protection Bureau (“CFPB”) stated they plan to seek “injunctive relief damages.”^[xii] Equifax is still being investigated by the District of Columbia, the Department of Justice, the Securities and Exchange Commission (“SEC”), certain Congressional Committees of the House of Representatives and Senate, the United Kingdom’s Financial Conduct Authority, and the Office of the Privacy Commissioner of Canada.^[xiii] Equifax also faces lawsuits from more than 1,000 individual consumers, a 50 states class action lawsuit, its own shareholders, and even the Indiana Attorney General.^[xiv][xv] The Indiana Attorney General filed a complaint against Equifax on May 6, 2019 seeking civil penalties, consumer restitution, costs, and injunctive relief as a result of the massive data breach that compromised the personal information of nearly 148 million Americans.[xvi] The Indiana Attorney General lawsuit alleges Equifax chose to increase revenue instead of protecting its consumers by improving security measures through logical opportunities.[xvii]

During its first quarter earnings release, Equifax revealed it expected to lose upwards of $700 million for “certain legal proceedings and investigations related to the 2017 cybersecurity incident.”^[xviii]

Equifax’s Lowered Credit Rating
 
Moody’s has a longstanding history of providing creditable financial analytics.^[xix] Moody’s ranks companies from Aaa to C (Aaa is the highest and C is the lowest), which determines the creditworthiness of borrowers. Moody’s is currently integrating cybersecurity risk into its credit rating algorithms.^[xx] Equifax’s outlook has been downgraded after a recent Moody’s report on the topic.^[xxi] Cybersecurity is a significant topic of importance for consumers and companies.^[xxii] Equifax is the first company impacted by Moody’s new cybersecurity considerations.^[xxiii] 
 
Equifax’s credit rating was downgraded due to the $700 million dollars in legal disputes and sanctions it is expected to pay.^[xxiv] Equifax plans to improve its cybersecurity with estimated expense costs and capital investments of more than $400 million dollars. This also played a role in its downgraded outlook.^[xxv] It is likely that higher cybersecurity costs will continue to hurt Equifax’s profit margins in the future according to Moody’s.^[xxvi]
 
What Can My Company Do to Plan and Prepare?
 

1. Prepare a Cybersecurity Plan.

The process of preparing a cybersecurity plan allows for a company to obtain a better picture of the technology being used by the company, what types of information the company is collecting and processing, how to best protect that data, and more. A review of the types of data a company collects and how that data is stored and processed is a good starting point. Involving oversight from multiple areas of the company to create the cybersecurity plan allows for all parties with a stake in the protection of the data to be involved. Involving parties outside of just the information technology (“IT”) specialists allows for greater understanding of the reasons behind the polices and plan.
 

2. Obtain a Cyber-liability Insurance Policy.

A cyber-liability insurance policy has the potential to cover a multitude of losses such as liability for lost data; remediation costs for investigations, notifications and repairs to systems after a security incident; and settlement costs associated with a security incident. Typically, a cyber-liability insurance policy will give a company access to experts who can assist with a security incident.
 

3. Provide Cybersecurity Training and Education to Employees.

Providing employees with cybersecurity training is key; the first line of defense against a security incident is often people. By providing training and education about potential threats, best practices, and appropriate processes, a company can help to avoid incidents or attacks that are easily preventable.
 

4. Prepare an Incident Response Plan.

A security incident occurs, your emails have been hacked, financial information has been compromised, now what? Creating an Incident Response Plan will lay out the steps the company should take following an incident. The process of creating a plan helps to eliminate the stress and confusion that often surrounds a security incident by establishing the actions and processes before an incident occurs. A well-crafted Incident Response Plan can have a significant impact on the amount of damage caused by an incident.
 

5. Perform Table Top Exercises.

A tabletop exercise is an activity in which key personnel who are assigned management roles and responsibilities in the event of a security incident are gathered to discuss, in a non-threatening environment, various simulated security incident situations. The exercises are provided by third parties and allow key employees a chance to run through the company data security programs, policies, procedures, and other related processes. Tabletop exercises give employees the opportunity to become familiar with the plans in the event of a security incident and hopefully help to ensure the data security programs, policies, procedures, and other related processes are actually followed when an incident occurs.

Summer associate Arqueil Shaw contributed to this publication.
 
For guidance on responding to security incidents, please contact Rachel Spiker or another member of our Data Security and Privacy Team. Rachel Spiker is an associate in Ice Miller’s Data Security and Privacy and Litigation Groups who focuses much of her work on data breach and security incident response. *Summer associate Arqeil Shaw contributed to this publication.
 
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.