WEBVTT - Equifax Faces Billions in Lawsuits After Data Breach (Audio)

0:00:00.080 --> 0:00:04.040
<v Speaker 1>Outrage, disbelief, confusion just a few of the things many

0:00:04.080 --> 0:00:08.160
<v Speaker 1>Americans are feeling after learning that their names, social security numbers,

0:00:08.240 --> 0:00:12.520
<v Speaker 1>birth dates, addresses, and driver's license numbers are potentially in

0:00:12.560 --> 0:00:16.279
<v Speaker 1>the hands of hackers. Equifax, a credit monitoring company with

0:00:16.320 --> 0:00:20.120
<v Speaker 1>a database of America's personal information, was hacked in the

0:00:20.239 --> 0:00:24.680
<v Speaker 1>largest data breach involving social security numbers in history one

0:00:25.120 --> 0:00:29.120
<v Speaker 1>forty three million consumers. Equifax has set up a website

0:00:29.240 --> 0:00:31.680
<v Speaker 1>and here's part of what you'll hear if you call

0:00:31.760 --> 0:00:35.400
<v Speaker 1>its eight hundred number to freeze your credit information. Welcome

0:00:35.440 --> 0:00:40.120
<v Speaker 1>to the Equifax Automated Security Freeze System. This automated system

0:00:40.159 --> 0:00:44.360
<v Speaker 1>would allow you to place, temporarily, lift or permanently remove

0:00:44.520 --> 0:00:48.560
<v Speaker 1>a security freeze from your Equifax credit file in accordance

0:00:48.600 --> 0:00:52.199
<v Speaker 1>with your individual states file freeze law. There may be

0:00:52.280 --> 0:00:56.240
<v Speaker 1>a charge, but here's part of the problem. To better

0:00:56.280 --> 0:00:59.560
<v Speaker 1>serve you, the following information will be required in order

0:00:59.600 --> 0:01:03.400
<v Speaker 1>to comp lead your request. Your state, numeric portion of

0:01:03.440 --> 0:01:07.440
<v Speaker 1>your current address, and social Security number. But do you

0:01:07.520 --> 0:01:11.560
<v Speaker 1>really want to give Equifax this information? Again? Here to

0:01:11.640 --> 0:01:16.120
<v Speaker 1>discuss the repercussions of this hack are two experts in cybersecurity.

0:01:16.520 --> 0:01:19.200
<v Speaker 1>Eric Gordon, A professor at the University of Michigan Ross

0:01:19.200 --> 0:01:24.440
<v Speaker 1>School of Business, and Craig Newman, a partner at Patterson Belknap. Eric.

0:01:24.640 --> 0:01:28.160
<v Speaker 1>Equifax said criminals gained access to certain files in the

0:01:28.200 --> 0:01:33.280
<v Speaker 1>company's system by exploiting a weak point in website software,

0:01:33.800 --> 0:01:37.319
<v Speaker 1>but there's no evidence of unauthorized activity on its main

0:01:37.480 --> 0:01:42.840
<v Speaker 1>consumer or commercial credit reporting databases. Interpret that for us,

0:01:42.880 --> 0:01:46.880
<v Speaker 1>what does it mean? Yeah, it means somebody obviously a

0:01:46.880 --> 0:01:50.440
<v Speaker 1>bad person. I mean, my mother didn't do this. Has

0:01:50.600 --> 0:01:53.440
<v Speaker 1>information on a hundred and forty three million of us

0:01:53.960 --> 0:01:58.960
<v Speaker 1>and so far, as far as Equifax knows, it hasn't

0:01:59.000 --> 0:02:02.760
<v Speaker 1>been used. That information hasn't been used in a bad way. Now,

0:02:02.920 --> 0:02:05.360
<v Speaker 1>you can guess that it's only a matter of time

0:02:05.840 --> 0:02:10.040
<v Speaker 1>until Equifax discovers this or we discover this. But you know,

0:02:10.160 --> 0:02:14.120
<v Speaker 1>does anybody believe this information was taken for anything other

0:02:14.160 --> 0:02:19.360
<v Speaker 1>than bad purposes? Eric? Are they saying that anything about

0:02:19.400 --> 0:02:22.840
<v Speaker 1>their security system when they're saying exploiting a weak point

0:02:22.919 --> 0:02:27.720
<v Speaker 1>in website software? Yeah, it gives you some idea of

0:02:28.000 --> 0:02:31.720
<v Speaker 1>how the entrance happens. Are they different entry points into

0:02:32.360 --> 0:02:35.400
<v Speaker 1>these databases? Uh? And they've told us what they what

0:02:35.520 --> 0:02:38.320
<v Speaker 1>they think the entry point was it was on the website.

0:02:38.760 --> 0:02:41.520
<v Speaker 1>So so for people who you know, are actually sort

0:02:41.520 --> 0:02:44.040
<v Speaker 1>of into the technology of this, it does give a

0:02:44.080 --> 0:02:47.880
<v Speaker 1>clue as to what where it happened, not necessarily how

0:02:47.919 --> 0:02:53.799
<v Speaker 1>it happened, Eric, I mean, Craig, excuse me, Craig. This

0:02:53.919 --> 0:02:58.240
<v Speaker 1>is a huge breach obviously, but just if people are

0:02:58.280 --> 0:03:02.480
<v Speaker 1>worried about what exactly has been exposed here, can you

0:03:02.520 --> 0:03:05.080
<v Speaker 1>take us through some of the details of what got

0:03:05.360 --> 0:03:09.919
<v Speaker 1>you know, what got hacked? Sure, Michael, Yeah, it's very difficult,

0:03:10.280 --> 0:03:12.760
<v Speaker 1>based on what we know now to really figure out

0:03:13.320 --> 0:03:17.480
<v Speaker 1>what information has been affected, because if you look at

0:03:17.520 --> 0:03:21.200
<v Speaker 1>the public disclosures that Equifax has made, they've said that quote,

0:03:21.320 --> 0:03:25.720
<v Speaker 1>certain files have been accessed and potentially dred and forty

0:03:25.720 --> 0:03:29.639
<v Speaker 1>three million Americans have been affected. So it's it's almost

0:03:30.080 --> 0:03:34.040
<v Speaker 1>you don't know what you can't see because we don't

0:03:34.120 --> 0:03:37.520
<v Speaker 1>have all that much information. I think that's why, you know,

0:03:37.600 --> 0:03:40.840
<v Speaker 1>consumers are scrambling and are kind of up in arms

0:03:40.880 --> 0:03:42.600
<v Speaker 1>over the way this has been handled. But at the

0:03:42.640 --> 0:03:48.000
<v Speaker 1>same time, all the companies, the data contributors that provide

0:03:48.280 --> 0:03:52.120
<v Speaker 1>the information that makes Equifax and the other monitoring services go,

0:03:52.800 --> 0:03:56.480
<v Speaker 1>they're also scrambling at the same time because they've got

0:03:56.480 --> 0:04:01.720
<v Speaker 1>their own legal obligations. So you've got coming at both sides. Eric,

0:04:02.240 --> 0:04:06.280
<v Speaker 1>this is the third time in two years that Equifax

0:04:06.800 --> 0:04:10.600
<v Speaker 1>has been hacked, not quite as badly the last two times.

0:04:10.640 --> 0:04:14.800
<v Speaker 1>But did it improve its security following those other hacks?

0:04:14.840 --> 0:04:17.960
<v Speaker 1>Did it put in more layers? You know, I don't

0:04:18.040 --> 0:04:20.119
<v Speaker 1>know that for a fact, but I'm going to guess

0:04:20.160 --> 0:04:23.640
<v Speaker 1>that they did, because the history of hacking is this

0:04:24.200 --> 0:04:28.039
<v Speaker 1>is this sort of escalation thing where you escalate your defenses,

0:04:28.440 --> 0:04:34.680
<v Speaker 1>they hackers escalate their capabilities. So you know, on on Monday,

0:04:34.720 --> 0:04:37.680
<v Speaker 1>the good guys might be ahead. That is well, I

0:04:37.680 --> 0:04:39.880
<v Speaker 1>don't know if Equifax is the good guy, but Equifaxes

0:04:40.000 --> 0:04:44.120
<v Speaker 1>defenses might be stronger on Tuesday, the hackers ability to

0:04:44.200 --> 0:04:47.800
<v Speaker 1>attack might be stronger. This is just an endless and

0:04:48.000 --> 0:04:54.880
<v Speaker 1>endless cycle. And um, as far as you know, Craig,

0:04:55.400 --> 0:05:01.200
<v Speaker 1>are there multiple layers of security at Equifax? We really

0:05:01.279 --> 0:05:04.080
<v Speaker 1>don't know. I mean, you would think that a company

0:05:04.120 --> 0:05:08.279
<v Speaker 1>that has the proverbial keys to the kingdom would have

0:05:08.600 --> 0:05:11.880
<v Speaker 1>what we call layered security, and that's you know, firewalls,

0:05:12.040 --> 0:05:16.640
<v Speaker 1>internal intrusion detection, and all sorts of kind of the

0:05:16.720 --> 0:05:19.120
<v Speaker 1>latest bells and whistles to make sure you're keeping this

0:05:19.279 --> 0:05:23.960
<v Speaker 1>information safe. But again we don't know exactly what Equifax

0:05:24.160 --> 0:05:27.800
<v Speaker 1>or the other credit monitoring companies have. You would think, however,

0:05:27.839 --> 0:05:33.680
<v Speaker 1>that given the value of these massive warehouses of information

0:05:33.680 --> 0:05:38.520
<v Speaker 1>that they keep, that they would have pretty sophisticated layer security.

0:05:38.640 --> 0:05:41.680
<v Speaker 1>The hack of Equifax, a credit monitoring company, was the

0:05:41.800 --> 0:05:46.200
<v Speaker 1>largest data breach in history involving social security numbers. Cyber

0:05:46.240 --> 0:05:49.880
<v Speaker 1>Scout founder Adam Levin explains why that makes this hack

0:05:49.960 --> 0:05:53.960
<v Speaker 1>so serious. The problem is that the social security number

0:05:54.000 --> 0:05:57.440
<v Speaker 1>is the scalon key to our identities, and when that's stolen,

0:05:57.839 --> 0:05:59.560
<v Speaker 1>we're in a position where we're going to have to

0:05:59.560 --> 0:06:02.239
<v Speaker 1>be lucky over our shoulders for the rest of our lives.

0:06:03.080 --> 0:06:06.040
<v Speaker 1>We've been discussing this hack with Eric Gordner, professor at

0:06:06.040 --> 0:06:08.960
<v Speaker 1>the University of Michigan Ross School of Business, and Craig Newman,

0:06:09.040 --> 0:06:13.360
<v Speaker 1>a partner at Better Patterson Belknap. Craig, there's all kinds

0:06:13.360 --> 0:06:16.839
<v Speaker 1>of advice out there. Do you have any advice about

0:06:16.839 --> 0:06:21.600
<v Speaker 1>what people should do? Now? Look, it's the most important

0:06:21.600 --> 0:06:25.080
<v Speaker 1>thing at this point is to put a credit freeze

0:06:26.200 --> 0:06:28.880
<v Speaker 1>in with all the credit reporting agencies, and it's all

0:06:28.960 --> 0:06:31.880
<v Speaker 1>three of them. Because you want to prevent any sort

0:06:31.880 --> 0:06:35.400
<v Speaker 1>of criminal from opening an account, taking out a loan,

0:06:35.920 --> 0:06:38.120
<v Speaker 1>or doing anything in your name, and the way to

0:06:38.160 --> 0:06:44.200
<v Speaker 1>do that is to put a credit freeze on your account. Eric.

0:06:44.320 --> 0:06:47.400
<v Speaker 1>One of the things that was most remarkable in the

0:06:47.440 --> 0:06:50.720
<v Speaker 1>news after all this happened was the news that to

0:06:50.960 --> 0:06:55.560
<v Speaker 1>seen two executives at Equifax sold a lot of stock

0:06:56.160 --> 0:07:00.200
<v Speaker 1>shortly after learning about the breach. What's the story worry

0:07:00.320 --> 0:07:02.360
<v Speaker 1>on this and and how could something like that end

0:07:02.440 --> 0:07:06.440
<v Speaker 1>up happening? Well, it could end up happening innocently. It

0:07:06.440 --> 0:07:08.480
<v Speaker 1>could have been a sale they planned in advance. But

0:07:08.600 --> 0:07:13.400
<v Speaker 1>it looks terrible. Looks terrible because of this. It turns

0:07:13.400 --> 0:07:17.360
<v Speaker 1>out this hack apparently went on from mid May to July,

0:07:18.360 --> 0:07:22.920
<v Speaker 1>and somehow Equifax didn't discover it, But they discovered it

0:07:22.960 --> 0:07:27.040
<v Speaker 1>on July twenty nine and waited until last Thursday. They

0:07:27.040 --> 0:07:30.360
<v Speaker 1>waited almost six weeks to make that news public. But

0:07:30.560 --> 0:07:33.600
<v Speaker 1>Insider sold something like one point eight million dollars of

0:07:33.680 --> 0:07:38.080
<v Speaker 1>their stock right away, So they got to do something

0:07:38.640 --> 0:07:42.080
<v Speaker 1>that may have helped themselves that the rest of us

0:07:42.120 --> 0:07:44.480
<v Speaker 1>didn't get to do. So, even though it could be

0:07:44.560 --> 0:07:47.920
<v Speaker 1>perfectly innocent, it could have been a preplanned sale. It

0:07:48.000 --> 0:07:51.000
<v Speaker 1>sure looks terrible to the other hundred and forty three

0:07:51.080 --> 0:07:55.280
<v Speaker 1>million of US something I'm sure the SEC will be

0:07:55.440 --> 0:07:59.440
<v Speaker 1>looking into as well as the SEC Craig. There are

0:07:59.520 --> 0:08:04.680
<v Speaker 1>so many agencies involved in this, the FTC doing investigation,

0:08:04.840 --> 0:08:09.440
<v Speaker 1>state attorneys general, they are going to be multiple congressional inquiries.

0:08:10.200 --> 0:08:16.320
<v Speaker 1>Will this help security in the future, Well, this breach, June,

0:08:16.600 --> 0:08:21.360
<v Speaker 1>it's it's bigger than than Equifax, because you're talking about

0:08:21.760 --> 0:08:28.440
<v Speaker 1>big data and how these stockpiles of information are safeguarded

0:08:28.840 --> 0:08:33.800
<v Speaker 1>really in the face of a really sophisticated threat environment.

0:08:34.280 --> 0:08:37.360
<v Speaker 1>And at the same time, the growth of big data

0:08:37.440 --> 0:08:43.240
<v Speaker 1>and these these warehouses of information just keeps leaping and growing.

0:08:43.600 --> 0:08:46.760
<v Speaker 1>So you have really a collision of these two interests

0:08:47.080 --> 0:08:51.239
<v Speaker 1>and that's really going to be the story um with Equifax.

0:08:51.720 --> 0:08:54.000
<v Speaker 1>But you know, you're also going to have You've got

0:08:54.000 --> 0:08:56.800
<v Speaker 1>two class actions already, You've got the New York Attorney General,

0:08:56.840 --> 0:08:59.480
<v Speaker 1>You're going to have the usual course of cries for

0:08:59.679 --> 0:09:02.960
<v Speaker 1>congre sational hearings. But the real question is is this

0:09:03.040 --> 0:09:06.200
<v Speaker 1>going to become a teachable moment where people sit up

0:09:06.200 --> 0:09:12.040
<v Speaker 1>and take notice and say, this is a really significant hack. Eric,

0:09:12.400 --> 0:09:15.720
<v Speaker 1>you know in addition to all the investigations that obviously

0:09:15.840 --> 0:09:17.400
<v Speaker 1>have to go on, and we'll go on here, there

0:09:17.440 --> 0:09:19.640
<v Speaker 1>are a couple of class action lawsuits that have already

0:09:19.640 --> 0:09:23.720
<v Speaker 1>been filed. Um, what kind of liability does that does

0:09:23.800 --> 0:09:27.840
<v Speaker 1>Equifax face here? Uh, you know, under the law for

0:09:27.920 --> 0:09:30.240
<v Speaker 1>having you know, given the sheer amount of data we've

0:09:30.280 --> 0:09:34.080
<v Speaker 1>got out having been breached. Yeah, I think they face

0:09:34.160 --> 0:09:36.920
<v Speaker 1>serious liability that's going to be measured in billions. That's

0:09:36.920 --> 0:09:39.040
<v Speaker 1>with the b and they're gonna be three groups that

0:09:39.080 --> 0:09:41.600
<v Speaker 1>come after them. The obvious group is the people whose

0:09:41.679 --> 0:09:44.760
<v Speaker 1>data was stolen, but they're not the only ones. You're

0:09:44.760 --> 0:09:48.760
<v Speaker 1>gonna see class actions from shareholders and Equifax who are

0:09:48.760 --> 0:09:51.240
<v Speaker 1>going to sue the officers and directors, which is the

0:09:51.280 --> 0:09:55.600
<v Speaker 1>same as suing Equifax in the end um for um

0:09:55.880 --> 0:09:58.560
<v Speaker 1>for you know, some kind of breach of duty. You're

0:09:58.600 --> 0:10:02.080
<v Speaker 1>also going to see credit card issuers, the banks, the

0:10:02.160 --> 0:10:06.080
<v Speaker 1>stores that actually issue credit cards come after Equifax because

0:10:06.120 --> 0:10:08.840
<v Speaker 1>they're going to have to issue you know, millions and

0:10:08.880 --> 0:10:11.960
<v Speaker 1>millions and millions of new credit cards, so they're going

0:10:12.200 --> 0:10:15.360
<v Speaker 1>Equifax is going to be facing lawsuits in a lot

0:10:15.440 --> 0:10:18.840
<v Speaker 1>of courts from a lot of people. And uh, you know,

0:10:18.920 --> 0:10:22.160
<v Speaker 1>we we know from the prior the prior ones, the

0:10:22.200 --> 0:10:25.679
<v Speaker 1>home depots, the targets that they're they're going to end

0:10:25.760 --> 0:10:30.160
<v Speaker 1>up settling, and it's going to be big amounts Greig

0:10:30.440 --> 0:10:34.760
<v Speaker 1>have there there are three major credit reporting companies. Have

0:10:34.920 --> 0:10:38.600
<v Speaker 1>the two others ever been hacked? Well, one of the

0:10:38.640 --> 0:10:43.160
<v Speaker 1>other's experience had to hack two years ago. And but

0:10:43.320 --> 0:10:45.760
<v Speaker 1>in terms of just sheer numbers, I think it was

0:10:45.920 --> 0:10:50.320
<v Speaker 1>about fifteen or eighteen million consumers that were affected, So

0:10:50.600 --> 0:10:55.600
<v Speaker 1>those were relatively minor compared to Equifax, where you have

0:10:55.720 --> 0:10:58.840
<v Speaker 1>the potential you know, is Eric noted, you have the

0:10:58.840 --> 0:11:02.560
<v Speaker 1>potential of will belye the largest class action lawsuit ever

0:11:03.400 --> 0:11:09.520
<v Speaker 1>withd percent of the American population as class members, and

0:11:10.679 --> 0:11:15.280
<v Speaker 1>Eric is there. Is it just impossible to stop these hacks?

0:11:15.280 --> 0:11:17.600
<v Speaker 1>It just it seems, I mean, the government has been hacked,

0:11:17.640 --> 0:11:20.560
<v Speaker 1>has been so many hacks, is it impossible to stop them?

0:11:21.000 --> 0:11:23.520
<v Speaker 1>I mean, ironically, the other big Social Security hack was

0:11:23.559 --> 0:11:27.080
<v Speaker 1>a government site office of Personnel Management. I don't think

0:11:27.120 --> 0:11:29.640
<v Speaker 1>it's possible to stop them. But you know, the law

0:11:29.720 --> 0:11:33.000
<v Speaker 1>doesn't require won't probably won't require you to be perfect.

0:11:33.400 --> 0:11:35.319
<v Speaker 1>But I think what the law is going to evolve

0:11:35.360 --> 0:11:38.920
<v Speaker 1>to require at least for people like credit agencies that

0:11:38.960 --> 0:11:42.600
<v Speaker 1>have Social Security numbers, birth dates. Things that can haunt

0:11:42.640 --> 0:11:46.840
<v Speaker 1>you forever is that you show that you did everything

0:11:46.920 --> 0:11:50.600
<v Speaker 1>that was the state of the art at the time. Uh.

0:11:50.640 --> 0:11:52.880
<v Speaker 1>And if you did anything less, I think you're going

0:11:52.960 --> 0:11:56.280
<v Speaker 1>to be in trouble. I think what the law needs

0:11:56.320 --> 0:11:59.360
<v Speaker 1>to do is to make the penalties designed in such

0:11:59.400 --> 0:12:03.240
<v Speaker 1>a way that every company that has really sensitive data

0:12:03.720 --> 0:12:08.600
<v Speaker 1>spends whatever money it takes. Not to stop you there, Eric,

0:12:08.600 --> 0:12:10.600
<v Speaker 1>but we'll be back to this topic. Thank you both.

0:12:10.640 --> 0:12:13.160
<v Speaker 1>That's Eric Gordon, a professor at the University of Michigan

0:12:13.240 --> 0:12:15.880
<v Speaker 1>rass School of Business, and Craig Newman, a partner at

0:12:15.920 --> 0:12:19.920
<v Speaker 1>Patterson Belknap, coming up on Bloomberg law. Google appealing a

0:12:20.000 --> 0:12:24.080
<v Speaker 1>record fine from the EU to the highest court in

0:12:24.120 --> 0:12:25.880
<v Speaker 1>the EU. This is Bloomberg