1
00:00:00,080 --> 00:00:04,040
Speaker 1: Outrage, disbelief, confusion just a few of the things many

2
00:00:04,080 --> 00:00:08,160
Speaker 1: Americans are feeling after learning that their names, social security numbers,

3
00:00:08,240 --> 00:00:12,520
Speaker 1: birth dates, addresses, and driver's license numbers are potentially in

4
00:00:12,560 --> 00:00:16,279
Speaker 1: the hands of hackers. Equifax, a credit monitoring company with

5
00:00:16,320 --> 00:00:20,120
Speaker 1: a database of America's personal information, was hacked in the

6
00:00:20,239 --> 00:00:24,680
Speaker 1: largest data breach involving social security numbers in history one

7
00:00:25,120 --> 00:00:29,120
Speaker 1: forty three million consumers. Equifax has set up a website

8
00:00:29,240 --> 00:00:31,680
Speaker 1: and here's part of what you'll hear if you call

9
00:00:31,760 --> 00:00:35,400
Speaker 1: its eight hundred number to freeze your credit information. Welcome

10
00:00:35,440 --> 00:00:40,120
Speaker 1: to the Equifax Automated Security Freeze System. This automated system

11
00:00:40,159 --> 00:00:44,360
Speaker 1: would allow you to place, temporarily, lift or permanently remove

12
00:00:44,520 --> 00:00:48,560
Speaker 1: a security freeze from your Equifax credit file in accordance

13
00:00:48,600 --> 00:00:52,199
Speaker 1: with your individual states file freeze law. There may be

14
00:00:52,280 --> 00:00:56,240
Speaker 1: a charge, but here's part of the problem. To better

15
00:00:56,280 --> 00:00:59,560
Speaker 1: serve you, the following information will be required in order

16
00:00:59,600 --> 00:01:03,400
Speaker 1: to comp lead your request. Your state, numeric portion of

17
00:01:03,440 --> 00:01:07,440
Speaker 1: your current address, and social Security number. But do you

18
00:01:07,520 --> 00:01:11,560
Speaker 1: really want to give Equifax this information? Again? Here to

19
00:01:11,640 --> 00:01:16,120
Speaker 1: discuss the repercussions of this hack are two experts in cybersecurity.

20
00:01:16,520 --> 00:01:19,200
Speaker 1: Eric Gordon, A professor at the University of Michigan Ross

21
00:01:19,200 --> 00:01:24,440
Speaker 1: School of Business, and Craig Newman, a partner at Patterson Belknap. Eric.

22
00:01:24,640 --> 00:01:28,160
Speaker 1: Equifax said criminals gained access to certain files in the

23
00:01:28,200 --> 00:01:33,280
Speaker 1: company's system by exploiting a weak point in website software,

24
00:01:33,800 --> 00:01:37,319
Speaker 1: but there's no evidence of unauthorized activity on its main

25
00:01:37,480 --> 00:01:42,840
Speaker 1: consumer or commercial credit reporting databases. Interpret that for us,

26
00:01:42,880 --> 00:01:46,880
Speaker 1: what does it mean? Yeah, it means somebody obviously a

27
00:01:46,880 --> 00:01:50,440
Speaker 1: bad person. I mean, my mother didn't do this. Has

28
00:01:50,600 --> 00:01:53,440
Speaker 1: information on a hundred and forty three million of us

29
00:01:53,960 --> 00:01:58,960
Speaker 1: and so far, as far as Equifax knows, it hasn't

30
00:01:59,000 --> 00:02:02,760
Speaker 1: been used. That information hasn't been used in a bad way. Now,

31
00:02:02,920 --> 00:02:05,360
Speaker 1: you can guess that it's only a matter of time

32
00:02:05,840 --> 00:02:10,040
Speaker 1: until Equifax discovers this or we discover this. But you know,

33
00:02:10,160 --> 00:02:14,120
Speaker 1: does anybody believe this information was taken for anything other

34
00:02:14,160 --> 00:02:19,360
Speaker 1: than bad purposes? Eric? Are they saying that anything about

35
00:02:19,400 --> 00:02:22,840
Speaker 1: their security system when they're saying exploiting a weak point

36
00:02:22,919 --> 00:02:27,720
Speaker 1: in website software? Yeah, it gives you some idea of

37
00:02:28,000 --> 00:02:31,720
Speaker 1: how the entrance happens. Are they different entry points into

38
00:02:32,360 --> 00:02:35,400
Speaker 1: these databases? Uh? And they've told us what they what

39
00:02:35,520 --> 00:02:38,320
Speaker 1: they think the entry point was it was on the website.

40
00:02:38,760 --> 00:02:41,520
Speaker 1: So so for people who you know, are actually sort

41
00:02:41,520 --> 00:02:44,040
Speaker 1: of into the technology of this, it does give a

42
00:02:44,080 --> 00:02:47,880
Speaker 1: clue as to what where it happened, not necessarily how

43
00:02:47,919 --> 00:02:53,799
Speaker 1: it happened, Eric, I mean, Craig, excuse me, Craig. This

44
00:02:53,919 --> 00:02:58,240
Speaker 1: is a huge breach obviously, but just if people are

45
00:02:58,280 --> 00:03:02,480
Speaker 1: worried about what exactly has been exposed here, can you

46
00:03:02,520 --> 00:03:05,080
Speaker 1: take us through some of the details of what got

47
00:03:05,360 --> 00:03:09,919
Speaker 1: you know, what got hacked? Sure, Michael, Yeah, it's very difficult,

48
00:03:10,280 --> 00:03:12,760
Speaker 1: based on what we know now to really figure out

49
00:03:13,320 --> 00:03:17,480
Speaker 1: what information has been affected, because if you look at

50
00:03:17,520 --> 00:03:21,200
Speaker 1: the public disclosures that Equifax has made, they've said that quote,

51
00:03:21,320 --> 00:03:25,720
Speaker 1: certain files have been accessed and potentially dred and forty

52
00:03:25,720 --> 00:03:29,639
Speaker 1: three million Americans have been affected. So it's it's almost

53
00:03:30,080 --> 00:03:34,040
Speaker 1: you don't know what you can't see because we don't

54
00:03:34,120 --> 00:03:37,520
Speaker 1: have all that much information. I think that's why, you know,

55
00:03:37,600 --> 00:03:40,840
Speaker 1: consumers are scrambling and are kind of up in arms

56
00:03:40,880 --> 00:03:42,600
Speaker 1: over the way this has been handled. But at the

57
00:03:42,640 --> 00:03:48,000
Speaker 1: same time, all the companies, the data contributors that provide

58
00:03:48,280 --> 00:03:52,120
Speaker 1: the information that makes Equifax and the other monitoring services go,

59
00:03:52,800 --> 00:03:56,480
Speaker 1: they're also scrambling at the same time because they've got

60
00:03:56,480 --> 00:04:01,720
Speaker 1: their own legal obligations. So you've got coming at both sides. Eric,

61
00:04:02,240 --> 00:04:06,280
Speaker 1: this is the third time in two years that Equifax

62
00:04:06,800 --> 00:04:10,600
Speaker 1: has been hacked, not quite as badly the last two times.

63
00:04:10,640 --> 00:04:14,800
Speaker 1: But did it improve its security following those other hacks?

64
00:04:14,840 --> 00:04:17,960
Speaker 1: Did it put in more layers? You know, I don't

65
00:04:18,040 --> 00:04:20,119
Speaker 1: know that for a fact, but I'm going to guess

66
00:04:20,160 --> 00:04:23,640
Speaker 1: that they did, because the history of hacking is this

67
00:04:24,200 --> 00:04:28,039
Speaker 1: is this sort of escalation thing where you escalate your defenses,

68
00:04:28,440 --> 00:04:34,680
Speaker 1: they hackers escalate their capabilities. So you know, on on Monday,

69
00:04:34,720 --> 00:04:37,680
Speaker 1: the good guys might be ahead. That is well, I

70
00:04:37,680 --> 00:04:39,880
Speaker 1: don't know if Equifax is the good guy, but Equifaxes

71
00:04:40,000 --> 00:04:44,120
Speaker 1: defenses might be stronger on Tuesday, the hackers ability to

72
00:04:44,200 --> 00:04:47,800
Speaker 1: attack might be stronger. This is just an endless and

73
00:04:48,000 --> 00:04:54,880
Speaker 1: endless cycle. And um, as far as you know, Craig,

74
00:04:55,400 --> 00:05:01,200
Speaker 1: are there multiple layers of security at Equifax? We really

75
00:05:01,279 --> 00:05:04,080
Speaker 1: don't know. I mean, you would think that a company

76
00:05:04,120 --> 00:05:08,279
Speaker 1: that has the proverbial keys to the kingdom would have

77
00:05:08,600 --> 00:05:11,880
Speaker 1: what we call layered security, and that's you know, firewalls,

78
00:05:12,040 --> 00:05:16,640
Speaker 1: internal intrusion detection, and all sorts of kind of the

79
00:05:16,720 --> 00:05:19,120
Speaker 1: latest bells and whistles to make sure you're keeping this

80
00:05:19,279 --> 00:05:23,960
Speaker 1: information safe. But again we don't know exactly what Equifax

81
00:05:24,160 --> 00:05:27,800
Speaker 1: or the other credit monitoring companies have. You would think, however,

82
00:05:27,839 --> 00:05:33,680
Speaker 1: that given the value of these massive warehouses of information

83
00:05:33,680 --> 00:05:38,520
Speaker 1: that they keep, that they would have pretty sophisticated layer security.

84
00:05:38,640 --> 00:05:41,680
Speaker 1: The hack of Equifax, a credit monitoring company, was the

85
00:05:41,800 --> 00:05:46,200
Speaker 1: largest data breach in history involving social security numbers. Cyber

86
00:05:46,240 --> 00:05:49,880
Speaker 1: Scout founder Adam Levin explains why that makes this hack

87
00:05:49,960 --> 00:05:53,960
Speaker 1: so serious. The problem is that the social security number

88
00:05:54,000 --> 00:05:57,440
Speaker 1: is the scalon key to our identities, and when that's stolen,

89
00:05:57,839 --> 00:05:59,560
Speaker 1: we're in a position where we're going to have to

90
00:05:59,560 --> 00:06:02,239
Speaker 1: be lucky over our shoulders for the rest of our lives.

91
00:06:03,080 --> 00:06:06,040
Speaker 1: We've been discussing this hack with Eric Gordner, professor at

92
00:06:06,040 --> 00:06:08,960
Speaker 1: the University of Michigan Ross School of Business, and Craig Newman,

93
00:06:09,040 --> 00:06:13,360
Speaker 1: a partner at Better Patterson Belknap. Craig, there's all kinds

94
00:06:13,360 --> 00:06:16,839
Speaker 1: of advice out there. Do you have any advice about

95
00:06:16,839 --> 00:06:21,600
Speaker 1: what people should do? Now? Look, it's the most important

96
00:06:21,600 --> 00:06:25,080
Speaker 1: thing at this point is to put a credit freeze

97
00:06:26,200 --> 00:06:28,880
Speaker 1: in with all the credit reporting agencies, and it's all

98
00:06:28,960 --> 00:06:31,880
Speaker 1: three of them. Because you want to prevent any sort

99
00:06:31,880 --> 00:06:35,400
Speaker 1: of criminal from opening an account, taking out a loan,

100
00:06:35,920 --> 00:06:38,120
Speaker 1: or doing anything in your name, and the way to

101
00:06:38,160 --> 00:06:44,200
Speaker 1: do that is to put a credit freeze on your account. Eric.

102
00:06:44,320 --> 00:06:47,400
Speaker 1: One of the things that was most remarkable in the

103
00:06:47,440 --> 00:06:50,720
Speaker 1: news after all this happened was the news that to

104
00:06:50,960 --> 00:06:55,560
Speaker 1: seen two executives at Equifax sold a lot of stock

105
00:06:56,160 --> 00:07:00,200
Speaker 1: shortly after learning about the breach. What's the story worry

106
00:07:00,320 --> 00:07:02,360
Speaker 1: on this and and how could something like that end

107
00:07:02,440 --> 00:07:06,440
Speaker 1: up happening? Well, it could end up happening innocently. It

108
00:07:06,440 --> 00:07:08,480
Speaker 1: could have been a sale they planned in advance. But

109
00:07:08,600 --> 00:07:13,400
Speaker 1: it looks terrible. Looks terrible because of this. It turns

110
00:07:13,400 --> 00:07:17,360
Speaker 1: out this hack apparently went on from mid May to July,

111
00:07:18,360 --> 00:07:22,920
Speaker 1: and somehow Equifax didn't discover it, But they discovered it

112
00:07:22,960 --> 00:07:27,040
Speaker 1: on July twenty nine and waited until last Thursday. They

113
00:07:27,040 --> 00:07:30,360
Speaker 1: waited almost six weeks to make that news public. But

114
00:07:30,560 --> 00:07:33,600
Speaker 1: Insider sold something like one point eight million dollars of

115
00:07:33,680 --> 00:07:38,080
Speaker 1: their stock right away, So they got to do something

116
00:07:38,640 --> 00:07:42,080
Speaker 1: that may have helped themselves that the rest of us

117
00:07:42,120 --> 00:07:44,480
Speaker 1: didn't get to do. So, even though it could be

118
00:07:44,560 --> 00:07:47,920
Speaker 1: perfectly innocent, it could have been a preplanned sale. It

119
00:07:48,000 --> 00:07:51,000
Speaker 1: sure looks terrible to the other hundred and forty three

120
00:07:51,080 --> 00:07:55,280
Speaker 1: million of US something I'm sure the SEC will be

121
00:07:55,440 --> 00:07:59,440
Speaker 1: looking into as well as the SEC Craig. There are

122
00:07:59,520 --> 00:08:04,680
Speaker 1: so many agencies involved in this, the FTC doing investigation,

123
00:08:04,840 --> 00:08:09,440
Speaker 1: state attorneys general, they are going to be multiple congressional inquiries.

124
00:08:10,200 --> 00:08:16,320
Speaker 1: Will this help security in the future, Well, this breach, June,

125
00:08:16,600 --> 00:08:21,360
Speaker 1: it's it's bigger than than Equifax, because you're talking about

126
00:08:21,760 --> 00:08:28,440
Speaker 1: big data and how these stockpiles of information are safeguarded

127
00:08:28,840 --> 00:08:33,800
Speaker 1: really in the face of a really sophisticated threat environment.

128
00:08:34,280 --> 00:08:37,360
Speaker 1: And at the same time, the growth of big data

129
00:08:37,440 --> 00:08:43,240
Speaker 1: and these these warehouses of information just keeps leaping and growing.

130
00:08:43,600 --> 00:08:46,760
Speaker 1: So you have really a collision of these two interests

131
00:08:47,080 --> 00:08:51,239
Speaker 1: and that's really going to be the story um with Equifax.

132
00:08:51,720 --> 00:08:54,000
Speaker 1: But you know, you're also going to have You've got

133
00:08:54,000 --> 00:08:56,800
Speaker 1: two class actions already, You've got the New York Attorney General,

134
00:08:56,840 --> 00:08:59,480
Speaker 1: You're going to have the usual course of cries for

135
00:08:59,679 --> 00:09:02,960
Speaker 1: congre sational hearings. But the real question is is this

136
00:09:03,040 --> 00:09:06,200
Speaker 1: going to become a teachable moment where people sit up

137
00:09:06,200 --> 00:09:12,040
Speaker 1: and take notice and say, this is a really significant hack. Eric,

138
00:09:12,400 --> 00:09:15,720
Speaker 1: you know in addition to all the investigations that obviously

139
00:09:15,840 --> 00:09:17,400
Speaker 1: have to go on, and we'll go on here, there

140
00:09:17,440 --> 00:09:19,640
Speaker 1: are a couple of class action lawsuits that have already

141
00:09:19,640 --> 00:09:23,720
Speaker 1: been filed. Um, what kind of liability does that does

142
00:09:23,800 --> 00:09:27,840
Speaker 1: Equifax face here? Uh, you know, under the law for

143
00:09:27,920 --> 00:09:30,240
Speaker 1: having you know, given the sheer amount of data we've

144
00:09:30,280 --> 00:09:34,080
Speaker 1: got out having been breached. Yeah, I think they face

145
00:09:34,160 --> 00:09:36,920
Speaker 1: serious liability that's going to be measured in billions. That's

146
00:09:36,920 --> 00:09:39,040
Speaker 1: with the b and they're gonna be three groups that

147
00:09:39,080 --> 00:09:41,600
Speaker 1: come after them. The obvious group is the people whose

148
00:09:41,679 --> 00:09:44,760
Speaker 1: data was stolen, but they're not the only ones. You're

149
00:09:44,760 --> 00:09:48,760
Speaker 1: gonna see class actions from shareholders and Equifax who are

150
00:09:48,760 --> 00:09:51,240
Speaker 1: going to sue the officers and directors, which is the

151
00:09:51,280 --> 00:09:55,600
Speaker 1: same as suing Equifax in the end um for um

152
00:09:55,880 --> 00:09:58,560
Speaker 1: for you know, some kind of breach of duty. You're

153
00:09:58,600 --> 00:10:02,080
Speaker 1: also going to see credit card issuers, the banks, the

154
00:10:02,160 --> 00:10:06,080
Speaker 1: stores that actually issue credit cards come after Equifax because

155
00:10:06,120 --> 00:10:08,840
Speaker 1: they're going to have to issue you know, millions and

156
00:10:08,880 --> 00:10:11,960
Speaker 1: millions and millions of new credit cards, so they're going

157
00:10:12,200 --> 00:10:15,360
Speaker 1: Equifax is going to be facing lawsuits in a lot

158
00:10:15,440 --> 00:10:18,840
Speaker 1: of courts from a lot of people. And uh, you know,

159
00:10:18,920 --> 00:10:22,160
Speaker 1: we we know from the prior the prior ones, the

160
00:10:22,200 --> 00:10:25,679
Speaker 1: home depots, the targets that they're they're going to end

161
00:10:25,760 --> 00:10:30,160
Speaker 1: up settling, and it's going to be big amounts Greig

162
00:10:30,440 --> 00:10:34,760
Speaker 1: have there there are three major credit reporting companies. Have

163
00:10:34,920 --> 00:10:38,600
Speaker 1: the two others ever been hacked? Well, one of the

164
00:10:38,640 --> 00:10:43,160
Speaker 1: other's experience had to hack two years ago. And but

165
00:10:43,320 --> 00:10:45,760
Speaker 1: in terms of just sheer numbers, I think it was

166
00:10:45,920 --> 00:10:50,320
Speaker 1: about fifteen or eighteen million consumers that were affected, So

167
00:10:50,600 --> 00:10:55,600
Speaker 1: those were relatively minor compared to Equifax, where you have

168
00:10:55,720 --> 00:10:58,840
Speaker 1: the potential you know, is Eric noted, you have the

169
00:10:58,840 --> 00:11:02,560
Speaker 1: potential of will belye the largest class action lawsuit ever

170
00:11:03,400 --> 00:11:09,520
Speaker 1: withd percent of the American population as class members, and

171
00:11:10,679 --> 00:11:15,280
Speaker 1: Eric is there. Is it just impossible to stop these hacks?

172
00:11:15,280 --> 00:11:17,600
Speaker 1: It just it seems, I mean, the government has been hacked,

173
00:11:17,640 --> 00:11:20,560
Speaker 1: has been so many hacks, is it impossible to stop them?

174
00:11:21,000 --> 00:11:23,520
Speaker 1: I mean, ironically, the other big Social Security hack was

175
00:11:23,559 --> 00:11:27,080
Speaker 1: a government site office of Personnel Management. I don't think

176
00:11:27,120 --> 00:11:29,640
Speaker 1: it's possible to stop them. But you know, the law

177
00:11:29,720 --> 00:11:33,000
Speaker 1: doesn't require won't probably won't require you to be perfect.

178
00:11:33,400 --> 00:11:35,319
Speaker 1: But I think what the law is going to evolve

179
00:11:35,360 --> 00:11:38,920
Speaker 1: to require at least for people like credit agencies that

180
00:11:38,960 --> 00:11:42,600
Speaker 1: have Social Security numbers, birth dates. Things that can haunt

181
00:11:42,640 --> 00:11:46,840
Speaker 1: you forever is that you show that you did everything

182
00:11:46,920 --> 00:11:50,600
Speaker 1: that was the state of the art at the time. Uh.

183
00:11:50,640 --> 00:11:52,880
Speaker 1: And if you did anything less, I think you're going

184
00:11:52,960 --> 00:11:56,280
Speaker 1: to be in trouble. I think what the law needs

185
00:11:56,320 --> 00:11:59,360
Speaker 1: to do is to make the penalties designed in such

186
00:11:59,400 --> 00:12:03,240
Speaker 1: a way that every company that has really sensitive data

187
00:12:03,720 --> 00:12:08,600
Speaker 1: spends whatever money it takes. Not to stop you there, Eric,

188
00:12:08,600 --> 00:12:10,600
Speaker 1: but we'll be back to this topic. Thank you both.

189
00:12:10,640 --> 00:12:13,160
Speaker 1: That's Eric Gordon, a professor at the University of Michigan

190
00:12:13,240 --> 00:12:15,880
Speaker 1: rass School of Business, and Craig Newman, a partner at

191
00:12:15,920 --> 00:12:19,920
Speaker 1: Patterson Belknap, coming up on Bloomberg law. Google appealing a

192
00:12:20,000 --> 00:12:24,080
Speaker 1: record fine from the EU to the highest court in

193
00:12:24,120 --> 00:12:25,880
Speaker 1: the EU. This is Bloomberg