Equifax data breach probes could affect insurance coverage
Investigations into the Equifax Inc. data breach by one or more regulatory bodies could affect an insured’s ability to obtain coverage, but a news report has indicated that a key federal regulator has not taken steps to investigate the incident.
Reuters reported on Feb. 5 that Mick Mulvaney, head of the Consumer Financial Protection Bureau, has pulled back from a full-scale probe of how Equifax failed to protect the personal data of more than 145 million consumers, with the agency to date not issuing subpoenas against Equifax or seeking sworn testimony from executives and shelving plans for on-the-ground tests of how Equifax protects data.
While not directly addressing the report, the CFPB maintains it is “committed” to protecting consumers.
“Acting Director Mulvaney takes data security issues very seriously,” John Czwartacki, senior adviser to the acting director, said in an email statement. “Under his direction, the CFPB is working with our partners across government on Equifax’s data breach and response. We are committed to enforcing the law. As policy, we do not confirm or deny enforcement or supervisory matters.”
The reported inactivity has drawn the attention of 31 senators who sent a letter to Mr. Mulvaney on Thursday demanding answers about why the CFPB halted its investigation into the data breach.
“We are deeply troubled by recent news reports that, under Director Mulvaney’s leadership, the CFPB may have stopped its investigation into the Equifax breach,” the senators said in their letter.
An investigation by the CFPB could help establish facts about the breach that could be used by insureds and even plaintiffs.
“It definitely has a bearing on insurance coverage,” said Daniel J. Healy, a partner with Anderson Kill L.L.P. in Washington, D.C.
It is conceivable, for example, that a regulatory investigation by the CFPB could help demonstrate a cyber incident is the result of mere negligence, despite reasonable cyber security practices, which may very well make insurance coverage easier to obtain, Mr. Healy said.
“The investigation and its findings could be evidence used by a company, including in its efforts to obtain an insurance recovery,” for a cyber incident, Mr. Healy said.
Likewise, that same information and evidence could be used by those with potential claims against the enterprise that suffered the cyber incident, he said.
Other agencies could become involved in investigating the Equifax incident, Mr. Healy said.
“There are a number of agencies getting into this area,” Mr. Healy said, noting the Securities and Exchange Commission, which “ties together the protection of consumer data with the duty owed by corporations and boards to investors.”
“While we are aware of reports that the Federal Trade Commission may be taking the lead in investigating Equifax’s failure to maintain adequate data security standards, the CFPB still has a duty to investigate the harm to consumers and whether other federal consumer financial laws have been violated,” the senators said in their letter.
The story came just two days before the Feb. 7 release of a report detailing the findings of an investigation into the Equifax incident by Sen. Elizabeth Warren (D-Mass.) that was highly critical of the CFPB.
The question of other agencies and additional regulation was raised by Sen. Warren’s report, key findings of which included that Equifax set up a flawed system to prevent and mitigate data security problems; Equifax ignored numerous warnings of risks to sensitive data; and Equifax failed to notify consumers, investors and regulators about the breach in a timely and appropriate fashion.
The senator’s report also proposed legislation to “set strict cyber security standards and empower the FTC to update and monitor these standards,” asserting that “no single agency currently has the appropriate authority to both establish basic cyber security requirements and monitor companies’ adherence to those standards.”
New York state in 2017 moved to establish standards and regulations under the Department of Financial Services.
“The response to this event by regulators thus far has been ineffective and anemic,” said Joshua Motta, CEO of San Francisco-based Coalition Inc., which specializes in cyber insurance coverage. “The magnitude of this ‘data spill’ raises tough questions as to who is ultimately responsible for protecting the data of Americans, and how they will be held accountable.”
Equifax did not respond to requests for comment. But the company reported in its latest quarterly financial statement released on Nov. 9, 2017, that more than 240 class actions relating to the cyber security incident had been filed by consumers against the company in U.S. federal and state and Canadian courts, as well as class actions by financial institutions and class action lawsuits against the company and its directors and officers alleging violations of federal securities laws.
The company said it is “cooperating with federal, state, city and foreign governmental agencies and officials investigating or otherwise seeking information and/or documents…regarding the cyber security incident and related matters.”
Equifax warned that “it is not possible to estimate the amount of loss or range of possible loss, if any, that might result from adverse judgments, settlements, penalties or other resolution of the above described proceedings and investigations based on the early stage of these proceedings and investigations.”