I’ve been watching with interest as Equifax unravels. Last week it announced the largest-ever leak of highly confidential personal data. The leak is so large that, for most of us, there is no point in checking to see whether your own data was involved in the leak. Just ask yourself if you have ever, in the United States, applied for a credit card or held a checking account that had overdraft protection. If so, it is more likely than not that your personal information, including Social Security and driver’s license numbers, were part of the leak. The leak is so large that there is now talk about doing away with the use of Social Security numbers for identifying taxpayers and financial accounts. That never happened before except in a very hypothetical way.
It is not just the data that Equifax holds on most U.S. consumers that is at issue. Credit card accounts of the much smaller number of Equifax customers have also been compromised. Other data of significance was included in the leak, too much to list here. Equifax’s public response to the crisis has been marked by the company’s indifference to and suspicion of consumers in a moment when its entire future depends on the goodwill of the public.
Nevertheless, the consensus among financial analysts is that nothing will happen to Equifax. Indeed, the company’s stock value has fallen by only a third. I believe in this case analysts have fallen into the trap of not believing in consequences. I would argue that it makes sense to look at the possibility that there are no consequences in the Equifax case but also at the possibility that there are consequences.
What happens to Equifax depends to a great extent on the facts of the situation, and those are mostly secret at this point. One of the biggest questions is the extent to which Equifax leaked data that it was not legally entitled to hold in the first place. If this is extensive or pervasive, then there is no reason to imagine that the company can continue to operate. Its liabilities in this scenario do not depend on showing a degree of negligence, since the harm would have been caused by intentional actions of the company.
It is useful to consider Equifax’s position as a private investigating business. This is not like the leak at Home Depot or Target, where the company’s customers were the victims of the leak. Consumers are not customers in this case. For the most part, consumers do not directly give Equifax permission to collect and hold their data. So what separates Equifax from the criminal enterprises that obtained the same data? Only subtle legal distinctions make Equifax a legitimate business while others who collect the same data on you are criminals. This separation is based on fine points of the law that only a lawyer would be able to explain. But Equifax is not run by lawyers, so we don’t know how well they were following the laws involved. Not perfectly, it is safe to say, but under the circumstances it is reasonable to ask whether the company had controls in place to ensure that it followed the law in general. Conceivably it did not, and in that scenario, Equifax actually is the “hacker” in this case and is not entitled to any sympathy for having been victimized by another hacker.
In between, of course, there is the question of whether Equifax made commercially reasonable efforts to protect the data it held. This question, it turns out, is also vital to the future of the company. In particular, it is important to know whether Equifax lived up to the standards of care for highly confidential data in the banking industry. Why? If Equifax is not as secure as a bank is supposed to be, then it could effectively be shut down by banking regulators. It doesn’t appear that the Fed or the O.C.C. have the authority to take action directly against Equifax, but it hardly matters. If regulators issue guidance to banks that says that sharing data with Equifax is not consistent with banks’ obligation to keep data secure, banks will be obliged to stop sending Equifax any new data. A bank that violated any such guidance would risk regulatory fines and would face legal liability of its own for any subsequent data leaks. No reputable bank would take on those risks. Similar indirect actions could come from Visa or Mastercard that would prohibit credit card issuers from sharing credit card account data with Equifax. Equifax could not operate in its current form after even one such action against it. It would instantly lose most of its legitimate sources of data and most of its revenue. In all likelihood, it would close its doors for good at the end of the next day.
Even if Equifax were found to have done nothing worse than ordinary negligence, the legal liabilities could sink the company. The financial damage caused to U.S. consumers by the first leak alone is probably between $50 billion and $150 billion — an average of a few hundred dollars per consumer. The company’s total stock market value is only $11 billion. The entire company is not worth enough to pay for the damage. The company would have to dodge liability almost completely to survive financially in the end. I’m not saying that couldn’t happen, but if a horse named Equifax presented that kind of long odds you would not want to bet on it. Imagine just paying the lawyers to defend a company against lawsuits brought by more than 150 million people. A company could claim vindication in such a case and still go under from legal fees and reputational loss.
I must conclude with a reminder that the facts in the case remain secret and that this is all just speculation. The actual facts could be better or worse for the company than they appear at this point. At the same time, when people say that nothing will happen to Equifax, remember that that is a speculative position too.