Eighteen months since news of the colossal data breach at Equifax broke, the company responsible for one of the country’s largest, and likely the most damaging, losses of personal information has yet to face monetary penalties. At the same time, very little has been done in the way of reform.
That could soon change.
According to Equifax’s annual report filed recently with the U.S. Securities and Exchange Commission, two federal agencies are poised to take action.
The Federal Trade Commission and the Consumer Financial Protection Bureau “intend to seek injunctive relief damages and, with respect to the CFPB, civil money penalties against us based on allegations related to the 2017 cybersecurity incident,” Atlanta-based Equifax said in the filing.
For many, such moves are overdue.
“One and a half years later, Equifax has still not paid a price for putting nearly 150 million Americans at risk of identity theft and other types of fraud for the rest of their lives,” said Mike Litt, consumer campaigns director for the Public Interest Research Group known as U.S. PIRG.
He considers the breach the worst in history because of the amount and type of sensitive data exposed, including Social Security numbers, birthdates, addresses and driver’s license numbers.
“Social Security numbers are really the keys to identity theft and other types of fraud,” he said.
Mr. Litt said the biggest way to prevent future large-scale breaches is to create the specter of large, looming fines.
Companies need to know, “if they fail to protect our personal information, there will be stiff penalties,” he said. “We really need an act of Congress to ensure that.”
The breach at Equifax was considered especially egregious in part because it and other credit reporting agencies collect personal information on consumers without their consent, and without