On May 10, Equifax announced its financial results for the quarter ended March 31, 2019. In that announcement, the company reported that during that quarter, it took a $690 million pre-tax legal accrual relating to the 2017 data breach that “resulted in the exposure of the personal data of 148 million individuals in the U.S., or 56 percent of all American adults.” Equifax explained that the $690 million reflects its “estimate of losses we expect to incur in connection with a potential global resolution of the consumer class action cases and the investigations by certain federal and state regulators [related to the breach].”
The $690 million, according to Bank Information Security, is a substantial portion, but only a portion, of the $1.35 billion in costs that Equifax reported it has incurred so far in dealing with the breach. Moreover, as Equifax acknowledged, that $1.35 billion is not the final tally of breach-related costs:
While it is reasonably possible that losses exceeding the amount accrued will be incurred, it is not possible at this time to estimate the additional possible loss in excess of the amount already accrued that might result from adverse judgments, settlements, penalties or other resolution of the proceedings and investigations related to the 2017 cybersecurity incident based on a number of factors, such as the various stages of these proceedings and investigations, that alleged damages have not been specified or are uncertain, the uncertainty and complexity of achieving a multi-party resolution, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues.
Equifax ended this statement on a potentially ominous note: “The ultimate amount paid on these actions, claims and investigations in excess of the amount already accrued could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods.”
Note: Chief Information Security Officers and Chief Compliance Officers should draw on this information when reminding senior executives in their companies and agencies of the substantial compliance, reputational, and other risks that can flow from inadequate cyber-defenses. When it was disclosed, the Equifax breach seemed to be an object lesson for public- and private-sector entities in the need to maintain robust cybersecurity. The continuing spate of reports about breaches that have exposed billions of personal records, and about cyberthefts that have caused billions of dollars in losses, however, indicates that too many firms and agencies have not taken that lesson to heart.