Americans and Pennsylvanians just experienced the largest data breach in our country's history. The Equifax data breach, affecting the personal, financial information of 143 million Americans and 5.4 million Pennsylvanians, is an outrageous display of corporate malfeasance. I'm leading a coalition of state attorneys general to get to the bottom of it, protect consumers, and force change in corporate behavior.
The day after Equifax disclosed this massive breach, I directed my Bureau of Consumer Protection to open an investigation and invite other attorneys general to join our probe. That investigation has grown to include 47 state attorneys general from both parties plus the District of Columbia. We've issued subpoenas and are working together to peel back the multiple layers of Equifax's malfeasance and misconduct. Those layers include:
Delaying notification of the breach. Equifax initially claimed it learned about the breach in July, but delayed notifying the public until Sept. 7 – a six-week, unexplained time lag. In recent days, it's become clear Equifax was alerted by its software vendor as early as March to irregularities in its data system — but it did nothing to fix them or notify the public. Those delays are a key subject of our investigation.
Stock sales. During the six-week delay between when Equifax claims it learned of the breach and when it disclosed it, several of its executives sold $1.8 million in company stock. That conduct is under federal investigation, as it should be.
Duping consumers to waive their rights. As consumers went to Equifax's website to find out if their data was compromised, they were encouraged to sign up for identity theft protection, but there was a hidden catch: consumers unwittingly waived their rights to file legal claims against Equifax. As soon as my fellow attorneys general and I learned of this shameful tactic, we demanded the company stop it. They did.
Profiteering off the breach. After the breach, Equifax offered consumers two kinds of protection – one free, and another "premier" service that cost a fee. It was confusing for consumers and inappropriate for Equifax to try to make a buck off anxious consumers. My attorneys general colleagues and I forced Equifax to end that practice too.
Reimbursing consumers. Equifax is no longer charging consumers who want to freeze their credit, but other reporting agencies still are. Another demand we've made on Equifax: Reimburse consumers for any costs they incur in freezing their credit.
In recent months, my fellow attorneys general and I have settled data breach cases with Target, Nationwide and Lenovo. Those settlements have impacted millions of Americans and required the companies to change how they protect our data. What's disturbing about the Equifax case is it happened at a large credit-reporting agency, with unique access to our most sensitive data – Social Security numbers, credit cards, work and personal histories – and the company's lax security allowed this massive breach to happen anyway. Understanding how that occurred is a central focus of our investigation.
Our investigation has three main goals: Making Equifax answer for the breach, protecting consumers' data and obtaining restitution, and changing corporate behavior so it doesn't happen again. Some of the changes following recent data breach cases include:
- Companies must be transparent with consumers about what they are doing with their data.
- They should maintain appropriate security practices, like limiting internal access to customer data and adopting encryption policies.
- Companies must keep their software up to date.
- Companies should regularly consult with independent, third-party security experts to get objective advice about their technology and data-management practices.
- Lastly, they should have an executive responsible for the security of customers' data.
Notification laws need to change, and Congress should act to require companies to disclose data breaches to consumers within a certain time frame. Currently, each state has its own laws on notifications. A federal law would provide uniformity and better protect consumers.
Companies should not need a law on the books to force them to alert consumers when data breaches occur.
Unfortunately, our corporate culture has swung so far in the direction of valuing profits above people that Equifax's behavior, while appalling, is not surprising. Every data breach violates the public's trust, and I'm working with my colleagues to force corporations to change their behavior and prevent future breaches.