www.csoonline.com
151.101.66.165  Public Scan

Submitted URL: https://www.csoonline.com/article/3238076/data-breach/equifax-now-hit-with-a-rare-50-state-class-action-lawsuit.html
Effective URL: https://www.csoonline.com/article/3238076/equifax-now-hit-with-a-rare-50-state-class-action-lawsuit.html
Submission: On January 30 via api from IE — Scanned from DE


Text Content

Cybersecurity Alerts

By Tara Swaminatha, Contributor, CSO | 22 November 2017 13:39

News Analysis


EQUIFAX NOW HIT WITH A RARE 50-STATE CLASS-ACTION LAWSUIT


THIS RARE 50-STATE CLASS-ACTION SUIT AGAINST EQUIFAX HIGHLIGHTS THE MASSIVE
COSTS AND CRITICAL DAMAGE COMPANIES COULD FACE IN THE WAKE OF A CYBERSECURITY
ATTACK.


Dado Ruvic/Reuters



In the wake of one of the most highly publicized and highly sensitive
cybersecurity attacks in history, the bad news seems to be never-ending for
Equifax. A slew of litigation and investigations have quickly followed the
breach as consumers and regulators try to grapple with the monumental theft of
personal information that resulted from this incident. This includes over 240
individual class-action lawsuits, an investigation opened by the Federal Trade
Commission, and more than 60 government investigations from U.S. state attorneys
general, federal agencies and the British and Canadian governments.

Now, a rare 50-state class-action suit has been served on the company. The
complaint is an ambitious 322-page document that names plaintiffs from every
state and the District of Columbia who claim to have been injured to varying
degrees by the Equifax security breach.


This case highlights the massive costs and critical damage involved in data
breaches and is a particular warning to companies that hold large quantities of
highly sensitive personal information to ensure they have the most effective
cybersecurity protocols in place well before an incident occurs.


BACKGROUND ON THE EQUIFAX BREACH

Hackers breached Equifax’s system between mid-May and July this year, but it
went undetected until July 29, with external forensic consultants engaged in
early August. The breach was publicly announced on September 7. Around 145.5
million individuals’ personal information was exposed, mostly that of Americans
but also data of Canadian and British consumers. This was an increase of 2.5
million from initial estimates after additional compromised accounts were found.

Customer data was reportedly exploited through a vulnerability in a website
application framework known as Apache Struts. This vulnerability was identified by the
United States Computer Emergency Readiness Team (US-CERT) in March. While the
company contends that it took steps to patch those identified vulnerabilities
after March, the Apache Foundation, which oversees the open-source application
framework, has said that Equifax failed to install security updates in a timely
manner.

The compromised sensitive data includes: social security numbers, dates of
birth, email and mailing addresses and even some driver’s license numbers. This
type of data is often used to confirm identity in various types of applications.




LEGISLATORS AND REGULATORS TAKE A SECOND LOOK

Following the breach, lawmakers and regulators took note. On the day the breach
was publicly reported, Congress was holding a hearing on a bill (FCRA Liability
Harmonization Act) that would have capped the amount of damages consumers could
be awarded in a lawsuit against credit reporting companies. That bill is now
unlikely to move forward.



Several congressional committees have also begun hearings, including the House
Energy and Commerce Committee and the Senate Banking Committee, where Richard
Smith, former Chair and CEO of the company, testified on October 3 that
“mistakes were made”.

A national standard for breach notification is also being considered by
Congress. The chairman and ranking member of the Senate Judiciary Committee as
well as the chairman of the House Financial Services Committee have forecasted a
uniform breach notification standard. Another piece of legislation has been
revived in the House that would establish a 30-day national standard for breach
notifications and would mandate the Federal Trade Commission to help coordinate
such disclosures.

Currently, 48 states have their own separate statutes that govern companies’
notification to breach victims. These states are now stepping up regulation in
this area. For example, as a reaction to the breach, New York Governor Andrew
Cuomo directed the New York Department of Financial Services in late September
to include credit-reporting agencies in their new Cybersecurity Regulations.

In addition to Congressional actions, the Consumer Financial Protection Bureau
Director Richard Cordray announced that in the wake of the Equifax hack, all
three credit regulation agencies are going to have to get used to “a new regime”
of regulation. Mr. Cordray has, however, recently announced that he will step
down from the Bureau, so many will be watching to see the steps his successor
takes in this regard.


THE 50-STATE CLASS-ACTION SUIT AGAINST EQUIFAX

The newly launched 50-state complaint alleges that Equifax failed to employ a
critical software security patch that led to the breach itself, but also alleges
that plaintiffs suffered further harm because Equifax took a number of missteps
following the breach, including:

 * Alerting customers more than a month after the breach was discovered and
   using confusing emails and notices regarding whose data was compromised;
 * Creating a monitoring service with conflicting messages as to whether
   consumers would be forced to arbitrate claims if they took advantage of the
   service;
 * Sending customers a link to a fake website to have their credit frozen;
 * Allowing hackers to further exploit Equifax’s website, which prompted
   consumers to download a fraudulent software update; and
 * Allowing several top Equifax executives to sell off $1.8 million in stock.

Allegations of harm for the named plaintiffs range from having had to spend
numerous hours monitoring personal accounts to those having experienced identity
theft, multiple fraudulent charges on personal credit and debit cards, and/or
the opening of unauthorized accounts and mortgages in their name.

In total, the complaint provides eighty-three separate causes of action, brought
on behalf of a nationwide class and two statewide subclasses, with one subclass
brought under state consumer protection laws, and the other for state data
breach statutes. The causes of action allege that Equifax’s business acts and
practices were deceptive and unfair.

With the rising number of class action suits pending across the country, a
multidistrict litigation (MDL) to consolidate the numerous plaintiffs’ suits
into one federal district court seems likely. In recent history, many prominent
data breach cases have been consolidated in this manner by the U.S. Judicial
Panel on Multidistrict Litigation (JPML). In this case, both Equifax and
plaintiffs have already requested that the JPML establish an MDL to consolidate
the growing number of class action suits. Oral arguments for the Equifax MDL are
scheduled for November 30, 2017.


IMPACT ON THE COMPANY’S BOTTOM LINE

This case is a prime example of the costs involved in data breaches and the fact
that data security and proper data governance have become business critical and
Board-level issues.



It has now been reported that Equifax has already spent $88 million in the third
quarter as a result of the breach, with their profits falling $35 million from
this quarter last year. After a second scare with their credit report assistance
portal, shares of the company continued to fall. The Internal Revenue Service
has temporarily suspended a contract worth more than $7 million. In 2016,
government services made up 5% of Equifax’s overall $3.1 billion in revenue.

In the wake of the breach and the reputational harm to the company, Richard F.
Smith stepped down as CEO on September 26. The company’s CIO and CSO retired a
week after the announcement. Equifax’s executives will also not receive
incentive pay bonuses in 2017.

With the impending lawsuits and increasing government and regulatory oversight,
let’s hope they have good cyberinsurance.


Tara Swaminatha is a data privacy and cybersecurity partner at Squire Patton
Boggs in Washington, D.C., and was previously a federal prosecutor in the
Computer Crime & Intellectual Property Section at the U.S. Department of
Justice. She is recognized as a Cybersecurity Trailblazer and as one of the
leading cybersecurity incident response professionals as part of the “Incident
Response 30,” and she is ranked as a Next Generation Lawyer on cybercrime.




Copyright © 2017 IDG Communications, Inc.
