(by Susan Miller, Colorado Law 2L)
A cyberattack on Equifax, a consumer credit reporting agency, was announced last week. The breach was especially problematic for a variety of reasons:
- Equifax’s entire business is gathering and maintaining sensitive personal information. Yet it learned of the breach in late July and did not inform the public until early September, leaving consumers without notice for roughly six weeks.
- The breach put the personal information of 143 million Americans, well over 40 percent of the U.S. population, at risk. That information includes names, Social Security numbers, birth dates, addresses, driver’s license numbers, and in some cases credit card numbers.
- Three Equifax executives sold shares only days after the company learned of the attack and before the public was notified.
Equifax is offering free credit monitoring and, after a consumer outcry, waived its fees for placing a credit freeze through Equifax.
Unfortunately, major data breaches aren’t unusual in an era where so much sensitive and valuable information is stored online, only a click away from a clever hacker:
- Yahoo!’s breach was far worse than Equifax’s in terms of the number of users affected: one billion accounts were compromised in 2013, and consumers were not told until 2016. A federal judge recently ruled that Yahoo! must face litigation over the breach, rejecting Yahoo!’s argument that the victims lacked standing.
- In 2013, Target was hacked in the run-up to Black Friday, and payment card data for roughly 40 million customers was stolen. The hackers had access from November 27 to December 15, the peak of the holiday shopping season. Every one of those card swipes and newly created online accounts with fresh contact information is exactly what attackers are after. As a remedy, Target provided free credit monitoring and agreed to pay $18.5 million in a multistate settlement with state attorneys general.
Retailers and web companies are not the only targets:
- Anthem, a health insurer, was attacked at the end of 2014, putting the personal information of 80 million Americans at risk. As with Equifax, Anthem did not discover the intrusion for roughly six weeks. Anthem offered affected consumers two years of free credit monitoring and has agreed to pay $115 million to settle a class action.
- In 2015, hackers broke into the Office of Personnel Management’s systems and accessed background-investigation records on approximately 21.5 million people: current and former federal employees, their family members, and anyone else who had undergone a government background check in the preceding 15 years.
Since breaches like these cannot be stopped entirely, federal and state governments are trying to protect consumers through legislation. Forty-eight states, Colorado among them, have enacted data breach notification laws. Colorado Revised Statutes § 6-1-716 states:
(2) Disclosure of breach.
(a) An individual or a commercial entity that conducts business in Colorado and that owns or licenses computerized data that includes personal information about a resident of Colorado shall, when it becomes aware of a breach of the security of the system, conduct in good faith a prompt investigation to determine the likelihood that personal information has been or will be misused. The individual or the commercial entity shall give notice as soon as possible to the affected Colorado resident . . . Notice shall be made in the most expedient time possible and without unreasonable delay . . .
At the federal level, two agencies that help protect consumers are the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB). Section 5 of the FTC Act, 15 U.S.C. § 45(a)(1), reads:
(1) Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
Although enacted in 1914, the FTC Act applies to online companies today, and the FTC has used Section 5 to protect consumers from unfair or deceptive practices involving privacy and data security. The Third Circuit confirmed in FTC v. Wyndham Worldwide Corp. (2015) that the FTC may treat unreasonably weak data security as an “unfair” practice under Section 5.
Should the U.S. government play a stronger role in protecting individuals’ private information? What are the appropriate remedies for those whose data has been stolen? What do companies that get hacked owe their customers? Should large companies be held to a particular standard of care for protecting private information?