The Equifax data breach disclosed Sept. 7 — which exposed the personal information of approximately 143 million American consumers — continues to be one of the biggest stories of the year. Yesterday, the attorney general of Massachusetts became the first privacy regulator to file a lawsuit against the credit reporting agency pursuant to several Massachusetts consumer protection laws.

The breach has prompted a widespread outcry in the media, has already inspired the introduction of legislation in the U.S. and has sparked investigations from the Federal Trade Commission and the FBI.

Since the breach disclosure, Equifax’s stock price has fallen by a third, but the company’s woes are only just beginning. This article explores the potential legal liability Equifax faces in the United States. Given that thousands of U.K. and Canadian citizens were also affected by the incident, Equifax’s liability in the U.S. may just be the tip of the iceberg.

Background

Between March and July of this year, hackers were able to access consumers’ names, Social Security numbers, birth dates, addresses and more from Equifax. At least 200,000 consumers’ credit card numbers were revealed.

According to the Massachusetts complaint, Equifax failed to “develop, implement, or maintain a [comprehensive information security program] that met the minimum requirements of the state’s Data Security Regulations,” enacted and enforced under the state’s consumer protection statute. Specifically, the state alleges that Equifax violated the statute by (1) failing to adequately patch or otherwise secure its portal after the public disclosure of a major vulnerability in the open-source software used to build its consumer redress portal, (2) keeping Massachusetts’ residents’ information accessible in unencrypted form on a part of its network accessible from the internet, and (3) failing to maintain multiple layers of security around that consumer data.

Massachusetts further alleges that Equifax’s role as a multibillion-dollar corporation with thousands of employees “whose primary business consists of acquiring, compiling, analyzing, and selling sensitive and personal data” obligated the company to go beyond the regulations’ minimum requirements and “implement administrative, technical, and physical safeguards…which are at least consistent with industry best practices.” Massachusetts also claims that Equifax violated the state’s data breach notice requirements by waiting nearly six weeks to disclose the breach to both state authorities and consumers, when state law mandates disclosure “as soon as practicable and without unreasonable delay.”

It’s doubtful Massachusetts will be the only state to sue — other state attorneys general are bound to follow soon citing their state consumer protection laws (known as “mini-FTC Acts”) and state-specific data breach laws, which are an increasingly prominent state concern.

State attorneys general can also join actions brought by the U.S. FTC, which is also likely to pursue action against Equifax under one or more federal laws.

Statutes enforced by the FTC

At least three federal laws may be invoked by the FTC: The Federal Trade Commission Act, the Fair Credit Reporting Act, and the Graham-Leach Bliley Act.

The FTC Act

Equifax is not the first company to lose a mountain of consumer data. The first enforcement action against Equifax has already been announced by the FTC, pursuant to its authority under the FTC Act. A brief overview of the FTC’s investigatory and enforcement authority is available on the Commission’s website, but the key fact for Equifax is that the Commission has repeatedly found companies’ failure to adequately protect consumer data constitutes an “unfair trade practice.” Section 5 of the FTC Act outlaws “unfair or deceptive acts or practices affecting commerce” and empowers the FTC to initiate an enforcement action if it has “reason to believe” that the law is or has been violated.

A lack of proper security may be unfair

The FTC has repeatedly stated that companies must treat sensitive consumer information with “appropriate care and security” lest they are charged with unfair practices in violation of the FTC Act. “Unfair” practices are those that “cause or are likely to cause substantial injury to consumers, which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition.”

In a landmark 2012 case, the FTC sued the Wyndham Worldwide Corporation under Section 5 of the FTC Act, alleging that the company’s data security failures constituted an unfair trade practice in violation of the statute. Specifically, the FTC alleged that Wyndham-franchised hotels stored payment card information in readable text, permitted the use of easily guessable credentials to access its systems, and failed to emplace “readily available security measures” between its corporate network, franchisees, and the internet. The hotel and resort chain challenged the FTC’s enforcement authority in court, resulting in an appellate court decision recognizing the FTC’s ability to regulate cybersecurity practices under Section 5. Wyndham thereafter settled with the FTC and agreed to implement a “comprehensive information security program” in response to the allegations that it had unfairly exposed consumers’ personal information to risk of unauthorized access and theft.

Following Wyndham, the Commission has demonstrated its willingness to move against companies ranging from debt collectors to medical billing providers who were alleged to unfairly expose consumers’ personal information through poor information security practices. The FTC’s case against medical testing laboratory LabMD, Inc., for example, represents one of its broadest unfairness cases to date. In that case, the FTC found the mere exposure of health-related information on a peer-to-peer network violated Section 5 and ordered the company to implement a “comprehensive information security program.” The company has challenged the order as “beyond the FTC’s unfairness authority” in an appeal to the U.S. Court of Appeals for the 11th Circuit which could issue its opinion at any time.

Regardless of the outcome in the LabMD case, Equifax should expect its data security policies to be subject to substantial regulatory scrutiny.

Inaccurate security policies can be deceptive 

As noted above, the FTC Act also prohibits companies from engaging in “deceptive” trade practices. The FTC’s 1983 Policy Statement on deception lays out the elements of an illegal deception: (1) a representation, omission, or practice that (2) is likely to mislead consumers who act reasonably in the circumstances, and that (3) has a material effect on consumer conduct or choices. Depending on what facts come to light in the aftermath of this breach, Equifax may face allegations that its practices were both unfair and misleading.

Just last month, the FTC cited Uber for making misleading representations of its data security practices to consumers and required the company to submit to biennial privacy audits for the next two decades. The ride-sharing company allegedly stored data about thousands of consumers on an easily accessible Amazon storage service — resulting in the compromise of more than 100,000 of its drivers’ names and license numbers in the spring of 2014. This breach occurred while Uber claimed that it used “industry-standard” protections for its consumer data.

In 2016, the FTC settled another deception claim stemming from a massive data breach — at dating service AshleyMadison.com — for $1.6 million in payouts to federal and state regulators. Among other things, the web service had represented that it securely stored sensitive consumer information, including its users’ dates of birth, relationship status, and sexual orientation, even though it allegedly had wholly inadequate security and even lacked a written security policy.

Equifax’s own privacy policy makes similar claims. Specifically, Equifax represents that it takes “reasonable precautions” to ensure that third parties receiving PII are aware of and comply with its privacy policy. The company also promises “reasonable, physical, technical and procedural safeguards to help protect [consumers’] personal information.” Too little is publicly known about Equifax’s data security policies before and during this spring’s breach to say if they are a candidate for a “deception”-based enforcement action, but it certainly remains possible under the known facts.

FCRA — Sharing with unauthorized parties 

Equifax may also face liability under the Fair Credit Reporting Act. Originally passed in 1970, FCRA regulates “consumer reporting agencies,” which the statute defines as:

[A]ny person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.

Equifax is clearly covered by the statute — indeed, FCRA was originally written because of Equifax and its peers — and FCRA requires consumer reporting agencies to “maintain reasonable procedures to limit the furnishing of consumer reports to the purposes listed in the statute.”

In 2006, poor data security practices cost data aggregator ChoicePoint, Inc. $15 million dollars in fines and restitution payments in a settlement with the FTC. ChoicePoint disclosed that the personal information of more than 163,000 consumers had been compromised, resulting in at least 800 cases of identity theft. ChoicePoint’s breach resulted from an ineffective screening of potential customers for data, rather than an outside attacker.

If Equifax is ultimately alleged to have behaved in a similar fashion to ChoicePoint (at least to the extent that it willfully violated its FCRA obligations) it may also be subject to private lawsuits under FCRA’s private right of action. 15 U.S.C. Section 1681n(a) creates individual liability for noncompliance with FCRA requirements; the 2016 Supreme Court decision in Spokeo v. Robins leaves open the possibility of a successful lawsuit. If other courts follow the 9th Circuit’s decision on standing regarding FCRA violations, the demonstration of a sufficiently serious violation may be enough to qualify as a constitutionally recognizable injury without further harm.

GLBA — The Safeguards Rule

Finally, the FTC may pursue claims under the Gramm-Leach-Bliley Act (GLBA). Passed in 1999, GLBA repealed parts of the Glass-Steagall Act of 1933 and most notably removed the long-standing prohibition against a financial institution simultaneously operating as a commercial bank, an investment bank, a securities firm, and an insurance company. GLBA also created two major consumer protections: the Financial Privacy Rule and the Safeguards Rule.

One of these rules, the Safeguards Rule, may be implicated in the Equifax data breach. The FTC specifically notes that the Safeguards Rule applies to credit reporting agencies. As a general matter, the Safeguards Rule requires that companies “develop a written information security plan that describes their program to protect customer information.” This program must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. According to the FTC, pursuant to the Safeguards Rule companies must “assess and address the risks to customer information in all areas of their operation.”

The FTC has previously sued consumer reporting agencies like Equifax for violating the Safeguards Rule. In three 2011 consent orders, the FTC required that consumer report resellers ARCAnet, Inc., SettlementOne Credit Corporation, and Fajilan and Associates, Inc. d/b/a Statewide Credit Services establish and implement comprehensive security programs in compliance with the requirements of the Safeguards Rule. All three sanctioned entities allegedly failed to develop or disseminate written information security policies, assess the risks involved in allowing access to end users with unverified security, or implement reasonable measures to address those risks, monitor end-user behavior, or take any appropriate corrective action once the security flaws became known.

Unlike the FCRA, the Gramm-Leach-Bliley Act does not provide consumers with an individual right of action. It does, however, provide the FTC an additional mechanism for regulatory oversight of information security policies—which will likely become relevant to Equifax in coming months.

Conclusion

The foregoing examples may yet pale compared to what Equifax might be facing in the coming months, considering the apparently large scale of the breach and the richness of information stored by consumer reporting agencies. Certainly, the enormity of this breach and Equifax’s status as a pre-eminent consumer data aggregator are likely to provoke a full display of federal and state data breach enforcement tools in the U.S., with the U.K. and Canada evaluating their options, as well.