Equifax's headquarters in Atlanta.

 

More than six months after the September 2017 breach at credit reporting agency Equifax Inc., there are still numerous questions surrounding the incident and its repercussions. What role, for instance, did some of its legal executives play in the breach response? How will hundreds of class actions against the company proceed? And how will the breach affect future cybersecurity regulation?

But with significant inquiries, they might have to take a back seat to a far more pressing matter: Just how many Equifax customers had their personal data compromised in the first place?

In a March 1 post on its website, Equifax said it discovered that an additional 2.4 million of its customers had their names and partial driver's license information stolen in the breach. The disclosure adds to the more than 145 million customers who had their Social Security data compromised.

Equifax noted that for the latest discovery, “in the vast majority of cases” the data taken “did not include consumers' home addresses, or their respective driver's license states, dates of issuance, or expiration dates.”

Still, though the stolen information was not as sensitive as Social Security numbers and affected far less than the more than one hundred million already impacted, the disclosure is likely to add another potential liability opening for the already besieged company.

“I think that the delay is going to be factored into the overarching analysis of, did they do enough to protect the extensive consumer data that was entrusted to them, and once there was a discovery, did they do enough to uncover everything?” said Sharon Klein, partner and chair of the privacy, security and data protection practice at Pepper Hamilton.

Marcus Christian, a partner at Mayer Brown and a former executive assistant U.S. attorney at the U.S. Attorney's Office for the Southern District of Florida, added that when the initial breach was disclosed in September 2017, there were questions about why it took so long to discover consumer data was stolen.

Now, “this issue could come up again,” he said.

Christian said the government agencies spearheading enforcement actions will likely be examining how Equifax is investigating the breach and trying “to determine whether it was reasonable for this information to be coming out at this time.”

Beyond the government investigations, the disclosure of more breached data may also bolster the numerous class action lawsuits against Equifax. Christian noted that the delay is something attorneys “can marshal as evidence” to further the case that Equifax failed to protect sensitive information and promptly and thoroughly investigate the extent of the incident.

To be sure, it is not yet known whether Equifax's recent disclosure points to a delay in investigating the breach, or represents the reasonable amount of time it would take to uncover additional stolen data in a breach this size.

“I think the scale does matter here,” Christian said, noting that the time it takes to investigate a breach can “depend upon a number of factors, certainly the size of the intrusions, the number of records affected, the types of networks, the number of locations affected, etc.”

It is common, after all, for companies that suffer large breaches to continue to discover additional compromised user data or accounts months after the incident.

Joshua M. Robbins, a partner at Greenberg Gross and chair of the firm's white-collar defense and government investigations department, noted that it is “not terribly unusual or surprising” for more information to trickle out post-breach. The extent of the compromised data, he said, can often “be revealed in an evolving process.”

Equifax has received accolades by hiring cybersecurity firm Mandiant to conduct the investigation into its breach. “That is one of the most well-regarded ones that been involved [in investigations] of a significant number of high-profile events,” Christian said.

Klein called Mandiant “very credible in terms of their third-party cybersecurity forensics,” and noted that it was “a good thing” that Equifax brought them onboard.

But Equifax still faces concerns over how it handled its investigation. In an online statement, House Commerce Committee chairman Greg Walden, R-Oregon, and Subcommittee on Digital Commerce and Consumer Protection chairman Bob Latta, R-Ohio, both of whom are part of the congressional investigations into Equifax, called the latest disclosure “deeply concerning.”

They added that the discovery “raises even more questions about the company's total failure in safeguarding consumers' information and providing adequate tools for protection post-breach” and will therefore request a briefing with Mandiant on the subject.

Yet any potential liability Equifax will face because of the recent discovery, whether through greater legal risk or regulatory action, is sure to pale in comparison to the liabilities it already shoulders from the initial breach,

“This particular discovery probably won't have a massive impact on the overall liability,” Robbins said. He added, “It is a relatively smaller number of accounts and the information that was obtained by the outside parties was much more limited and less significant than that of the original breach.”