In early September of 2017, it was reported that Equifax Inc., one of the country’s three leading credit reporting services, was subject to a cyberattack in which hackers gained access to the financial and personal information of more than 143 million U.S. consumers. According to Equifax, the hacking occurred from mid-May through July 2017. The Equifax data breach involved names, social security numbers, birth dates, addresses and driver’s license numbers. Additionally, the hackers gained access to credit card numbers for 209,000 consumers.
Now, less than two weeks later, it has been reported that Equifax is under investigation by the Federal Trade Commission for possible violation of the Federal Trade Commission Act (“FTC Act”). Since at least 2005, the FTC has charged numerous companies with violation of the FTC Act for deficient cybersecurity and for failing to protect consumer data against hackers.
What is the Federal Trade Commission Act?
The original FTC Act was passed by Congress in 1914, as an attempt to regulate deceptive and unfair business practices and advertising in interstate commerce. The FTC Act created a Commission that is empowered to investigate and sue businesses in federal court for violations of the Act.
Two sections are particularly relevant. Section 5 of the Act, codified at 15 U.S.C. §45(a), states:
“(1) Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
(2) The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations … from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.”
Section 12, codified at 15 U.S.C. §53(a), states:
“(a) Unlawfulness: It shall be unlawful for any person, partnership, or corporation to disseminate, or cause to be disseminated, any false advertisement—
(1) By United States mails, or in or having an effect upon commerce, by any means, for the purpose of inducing, or which is likely to induce, directly or indirectly the purchase of food, drugs, devices, services, or cosmetics; or
(2) By any means, for the purpose of inducing, or which is likely to induce, directly or indirectly, the purchase in or having an effect upon commerce, of food, drugs, devices, services, or cosmetics.
(b) Unfair or deceptive act or practice:
The dissemination or the causing to be disseminated of any false advertisement within the provisions of subsection (a) of this section shall be an unfair or deceptive act or practice in or affecting commerce within the meaning of section 45 of this title.”
Deceptive and Unfair Acts, Data Breaches and the FTC Case Against Equifax
As noted, beginning in 2005, the FTC began charging companies with violation of the FTC Act for data breaches. Equifax is likely to face this charge from the FTC.
To see a good example of how the FTC case against Equifax is likely to proceed, we can look at the recent case of FTC v. Wyndham Worldwide Corp., 799 F. 3d 236 (3rd Cir. 2015). In that case, hackers stole personal and financial information for hundreds of thousands of consumers. Eventually, over $10.6 million in fraudulent charges were made against those credit cards and other financial accounts. The FTC filed suit, alleging that Wyndham’s failure to protect the privacy of its customers’ information was an unfair practice and that its advertising deceptively overstated the extent of its cybersecurity.
In particular, the FTC charged that Wyndham engaged in unfair cybersecurity practices that, “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” The FTC cited several facts to support its charge, stating that Wyndham:
- stored payment card information in clear readable text
- allowed the use of easily guessed passwords for remote access to the hotel’s computer systems
- allowed access to the network even though default user IDs and passwords, which were easily obtainable by hackers, were still enabled
- failed to use firewalls
- failed to limit network access and connection from various subsidiary and affiliated departments, even though one affiliate’s network was using an out-of-date operating system that had not received a security update in over three years
- failed to adequately restrict the access of third-party vendors
- failed to maintain an adequate inventory of computers connected to networks which, after at least one cyberattack, caused Wyndham to be unable to identify the vector of the attack
- failed to restrict necessary access to certain time periods and to certain portions of the network
- failed to conduct security investigations when “red flags” were raised, thus allowing the hacking to continue over a significant period of time
- did not follow industry standard incident response procedures
- failed to monitor its network for malware and other snooping software, which might have prevented the subsequent breaches (the hackers used similar methods in each attack)
At the trial level, Wyndham sought to have the case dismissed, claiming that the concepts of “unfair” and “deceptive” did not apply to the protection of customer information. However, that argument was rejected, and Wyndham’s motion to dismiss was denied. The trial court was affirmed by the circuit court.
In the FTC case against Equifax, the FTC investigators will be looking at these factors and others unique to Equifax to determine if, and to what extent, Equifax can be charged with violation(s) of the FTC Act. Based on reports, it is a good guess that Equifax is in deep legal water. It’s not certain, but the fact that the hacking occurred from mid-May to July 2017 suggests significant malfeasance.
What are the FTC’s Available Remedies?
The FTC Act authorizes the Commission to seek injunctive and other equitable relief. The courts have held this to include the ability to seek and obtain monetary damages. It’s likely that injunctive relief will be issued and that Equifax will be required to pay a large fine to the government and, possibly, to create a separate fund to cover damages to consumers who have fraudulent charges made against their credit cards. See e.g., FTC v. ChoicePoint, Inc., discussed at Mellot v. ChoicePoint, Inc., 561 F. Supp. 2d 1305 (N.D. Georgia 2007).
As we wrote recently, with the growth in digital data has come a corresponding rise in data breaches. Such breaches result in civil litigation from irate consumers, but as we see, they also bring governmental action.