Equifax headquarters in Atlanta. Credit: John Disney/ ALM

Appearing before Congress last month, former Equifax Inc. CEO Richard Smith apologized to consumers over a data breach that potentially compromised the personal information of nearly half the U.S. adult population.

A month later, the Atlanta-based credit reporting bureau is showing less contrition as it confronts a rising wave of class actions alleging harm to consumers and financial institutions.

“We dispute the allegations in the complaints described above and intend to defend against such claims,” Equifax said in a regulatory filing Thursday.

Here's a look, by the numbers, at where things stand for Equifax in the fallout over one of the largest data breaches in U.S. history.

|

$87.5 million

That's the total so far of expenses stemming from the data breach, according to Equifax's filing at the U.S. Securities and Exchange Commission.

|

240

Consumers have filed more than 240 class actions in federal, state and Canadian courts over the breach, which exposed personal information—including names, Social Security numbers and birth dates—of at least 145 million Americans. Financial institutions have brought other class actions claiming their businesses have been “placed at risk,” according to the disclosure. Other lawsuits allege securities laws violations related to the company's past statements about cybersecurity.

|

50

The state attorneys general in all 50 states, along with the District of Columbia and Puerto Rico, are involved in ongoing investigations. According to the disclosure, state enforcers are investigating “or otherwise seeking information” about the breach.

One attorney general has been particularly aggressive. In September, within weeks of the public disclosure of the breach, Massachusetts Attorney General Maura Healey brought the first enforcement action over what her office described “the company's failure to protect sensitive and personal information of nearly three million Massachusetts residents.”

|

4

Equifax's latest disclosure identified four federal offices that are conducting investigations: the Federal Trade Commission, Securities and Exchange Commission, Consumer Financial Protection Bureau and the U.S. Attorney's Office in Atlanta, where the company—and its lawyers at King & Spalding—are based.

In a rare move, the FTC confirmed in September it was investigating the data breach. But, as The National Law Journal first reported, it is conducting that probe without the interim chief of the office leading the investigation. Thomas Pahl, named acting head of the bureau of consumer protection in February, has recused himself from the investigation because he represented Equifax when he was a partner at Arnall Golden Gregory in Washington. A deputy, longtime FTC lawyer Daniel Kaufman, is overseeing the probe.

The CFPB said in September that it was “looking into the data breach and Equifax's response” and defended its authority over the credit reporting industry. In recent years, the CFPB has identified Equifax as among the top targets of consumer complaints. Since 2012, consumers have filed more than 57,000 complaints against Equifax, for an average of 31 per day, according to a Fast Company review of the CFPB's complaint database.

Meanwhile, the SEC and U.S. Attorney's Office in Atlanta have been scrutinizing stock sales by Equifax executives in the days after the company learned of the breach, but weeks before the public disclosure.

Equifax said it has received subpoenas “regarding trading activities by certain of our employees in relation to the cybersecurity incident.” Smith testified the executives were unaware of the breach when they made the sales, and last week, the company said an internal investigation uncovered no evidence of wrongdoing.

|

2

In New York, two agencies—the state Department of Financial Services and State Department's division of consumer protection—have both entered the mix. At the local level, two cities—Chicago and San Francisco—have filed lawsuits “alleging violations of state laws and local ordinances governing protection of personal data, consumer fraud and breach notice requirements and business practices,” according to Equifax.

And internationally, two countries—the United Kingdom and Canada—have launched investigations, with the U.K.'s Financial Conduct Authority focused on the company's subsidiary in the country, Equifax Ltd.

|

Indefinite

“It is not possible to estimate the amount of loss or range of possible loss, if any, that might result from adverse judgments, settlements, penalties or other resolution of the above described proceedings and investigations based on the early stage of these proceedings and investigations, that alleged damages have not been specified, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues,” Equifax said.

Read more: