Equifax breach fallout far-reaching
The fallout from Equifax’s data breach, which compromised personal data of 143 million US consumers, continues with an investigation by the US Federal Trade Commission (FTC) and Mastercard and Visa warning issuers that more than 200 million cards are at risk.
What’s more, public sentiment following the breach could stymie a Congressional push to repeal the US Consumer Financial Protection Bureau‘s (CFPB’s) final rulemaking on arbitration agreements.
“The FTC typically does not comment on ongoing investigations,” spokesman Peter Kaplan said in a brief email statement to Reuters. “However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.”
Equifax says it’s in the process of contacting US state and federal regulators and has sent written notifications to all US state attorneys general.
Meanwhile, KrebsOnSecurity reports that Mastercard and Visa have sent confidential alerts to issuing banks saying that more than 200 million card numbers were compromised. The “window of exposure” for the cards stolen in the Equifax breach was between 10 November 2016 and 6 July 2017, Krebs reports.
Equifax says criminals exploited a US website application vulnerability to gain access to certain files and that based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The earlier dates provided by the card networks are related to historical data, not an earlier intrusion, Equifax told Krebs.
The company has established a dedicated website to help consumers determine if their information has been potentially impacted and to sign up for free credit file monitoring and identity theft protection. Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted.
Where does arbitration fit in?
It was the initial sign-up for the free credit monitoring service that brought the arbitration issue to the foreground of the discussion. The original terms appeared to block users from joining lawsuits against Equifax as part of a mandatory arbitration clause. The company has since clarified its terms, noting that the arbitration clause relates to the credit monitoring service itself and not the data breach, according to several reports.
But the cat may be out of the bag when it comes to arbitration. Financial institutions and other service providers had been backing resolutions in Congress, which had been gaining steam prior to the August recess, to use the Congressional Review Act (CRA) to repeal the CFPB’s final rule on arbitration agreements. The regulation bans companies from including mandatory arbitration clauses in their contracts.
The House passed its CRA measure on arbitration 25 July 2017, but the Senate has yet to take it up. Democrats and consumer advocates, who’d already been voicing their opposition to any repeal, have seized the moment to continue championing what they see as consumers’ right to their “day in court.” But critics of the final rule, say consumers do better under arbitration than litigation and cite the CFPB’s own research as proof.
While it looked like financial institutions had enough allies in Congressional Republicans – CRA only requires simple majorities in both houses—and the president, gathering sufficient support for repealing the arbitration rule may be harder to come by now. And the clock is ticking. CRA only can be used within 60 legislative days of a rule’s publication in the Federal Register. The CFPB published its rule on 19 July 2017.