By: Sam DeLong
In some sense, large-scale data hacks seem common in our ever-expanding digital age. Officially announced on September 7, 2017, the breach of Equifax, a U.S. based credit-reporting agency, was added to the growing list of all-time largest data breaches. The gravity of the hack is not measured solely by its volume of nearly 143,000,000 potential victims, but also by the sensitivity of the data that was stolen. In addition to approximately 209,000 credit card numbers, hackers stole names, social security numbers, birth dates, and even some driver’s license numbers. Nevertheless, amidst this garden-variety hack, other legal issues are now surfacing.
The Federal Trade Commission reports that the breach lasted from mid-May of 2017 through July. However, Bloomberg additionally reports that Equifax suffered a prior data breach five months earlier in March of 2017. A nexus between the two hacks has yet to be established, but the most recent breach has caused the company’s Chief Information Officer and Chief Security Officer to each resign. Additionally, the nearly $1.8 million in stock sales by three Equifax executives following the March breach has prompted the U.S. Department of Justice to open a criminal investigation for potential violations of insider trading laws.
As affected and outraged customers begin to file lawsuits, lawmakers are using the hack to push new legislation that would hold large data companies accountable and allow consumers to better regulate control over their digital information. Broadly, stricter federal oversight is being called for, but what are some tangible solutions?
One possibility could come in the form of punitive damages. Hefty fines have become a favorable slap-on-the-wrist in some industries. Following the 2010 Deepwater Horizon disaster, BP agreed to pay the U.S. Justice Department and four states a total of $18.7 billion dollars. Record breaking reparations like BP’s allow resources to be allocated to solutions now instead of later after wading through what could be years of costly litigation. In 2013, following a lawsuit against Sysco, a large portion of the damages paid by Sysco were required to be used to pay the massive team of attorneys, investigators, experts, paralegals, and other agencies that were involved in the lawsuit. Developing regulations in the digital community that mirror those in the physical world could facilitate change inside companies. In terms of compensating the affected individuals however, patently different than food poisoning or an oil spill, the damages suffered to consumers are not so readily apparent in a data breach. Many Equifax users only know with a certain likelihood that their data was stolen and many more may not feel an effect for years to come.
In any event, changes in the practices of large data companies will require changes in the policies of standing federal organizations. Currently, the Federal Trade Commission lacks the ability to wage war against wrongdoing companies. Though some have called the F.T.C.’s punishment approach remedial and noneconomic at best, perhaps adding a punitive edge could prompt greater scrutiny within these large data companies. While a switch towards punitive action on the part of the F.T.C. might be one step in the right direction, such a change will not be immediate and unfortunately many Americans will be left to worry about their data security for years to come.
Student Bio: Sam DeLong is a second-year student at Suffolk University Law School. He is pursuing a J.D. as well as an advanced degree in taxation.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.