Equifax Discloses its Coming Nightmares

by Wolf Richter, Wolf Street:

“It is not possible to estimate the amount of loss or range of possible loss.”

Equifax reported that revenue ticked up 4% year-over-year in the third quarter to a less-than-expected $835 million and that net income plunged 27% to $96 million due to the initial costs related to the most damaging consumer data hack in US history. But it also disclosed in the fine print of its SEC filing just what a legal and financial nightmare it is getting into over what it calls the “cybersecurity incident.”

The “cybersecurity incident” occurred in mid-May, was discovered in July, and was first disclosed on September 7. Its dimensions have since expanded. It compromised the personal-data crown jewels, including Social Security numbers, of 145.5 million US consumers, credit card numbers of 209,000 US and Canadian consumers, “certain dispute documents with personal identifying information” for 182,000 US consumers, personal information of 8,000 Canadian consumers, and personal information of at least 690,000 UK consumers.

The initial expenses related to the “cybersecurity incident” were an undramatic $27.3 million. But that’s just the timid beginning.

Then the costs related to the “free credit file monitoring and identity theft protection” will likely range between $56 million and $110 million. And that too is just the beginning.

The biggie? Litigation, Claims, and Government Investigations.

“Over 240” class action lawsuits by consumers against Equifax in US federal and state courts and in Canadian courts. The plaintiffs “generally … assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, and other related relief.”

Undisclosed number of class action lawsuits by financial institutions against Equifax. They “allege their businesses have been placed at risk due to the cybersecurity incident and generally assert various common law claims such as claims for negligence and breach of contract, as well as, in some cases, statutory claims.” These suits seek compensatory damages and “other related relief.”

Undisclosed number of “putative class action lawsuits” by shareholders against Equifax and “certain” of its current and former officers and directors. They allege “violations of the federal securities laws in connection with statements regarding our cybersecurity systems and controls” and are seeking “unspecified monetary damages, costs and attorneys’ fees.”

Undisclosed number of “other lawsuits and claims allegedly arising out of the cybersecurity incident,” presumably including the $500,000-lawsuit filed by short seller Carson Block.

Government entities are getting restless.

US federal, state, and city government agencies, and governmental agencies and officials in Canada and the UK are investigating, among other things, how the cybersecurity incident “occurred, the consequences thereof, and our response thereto.” They’re “seeking information and/or documents, including through Civil Investigative Demands.” And they “may seek to impose injunctive relief, consent decrees, or other civil or criminal penalties….”

The restless entities in the US include:

  • The 50 state Attorneys General offices and the District of Columbia and Puerto Rico. The Attorney General of Massachusetts has already filed a civil enforcement action.
  • The City of San Francisco and the Chicago City Council have filed lawsuits “alleging violations of state laws and local ordinances governing protection of personal data, consumer fraud, and breach notice requirements and business practices.”
  • The Federal Trade Commission (FTC).
  • The Consumer Finance Protection Bureau (CFPB)
  • The SEC and the US Attorney’s Office for the Northern District of Georgia have sent subpoenas to Equifax “regarding trading activities by certain of our employees in relation to the cybersecurity incident.”
  • The New York Department of Financial Services
  • The New York Department of State – Division of Consumer Protection
  • “Other US state bank regulators”
  • The Financial Industry Regulatory Authority (FINRA)
  • “Certain Congressional committees” of the Senate and House of Representatives.

Outside the US:

  • The UK’s Financial Conduct Authority (FCA). Its Enforcement Division has opened an investigation into Equifax’s UK subsidiary.
  • The UK’s Information Commissioner’s Office
  • Canada’s Office of the Privacy Commissioner.

And more hounding may come:

Additional lawsuits and claims related to the cybersecurity incident may be asserted by or on behalf of consumers, customers, shareholders or others seeking damages or other related relief and additional inquiries from governmental agencies may be received or investigations by governmental agencies commenced.

Equifax doesn’t know how much it’ll cost.

But it could be big — and “have an adverse effect on how we operate our business or our results of operations.”

It is not possible to estimate the amount of loss or range of possible loss, if any, that might result from adverse judgments, settlements, penalties or other resolution of the above described proceedings and investigations based on the early stage of these proceedings and investigations, that alleged damages have not been specified, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues.
