The cities of Chicago and San Francisco and the Massachusetts Attorney General have filed the first enforcement actions against Equifax following the announcement of a data breach affecting an estimated 143 million consumers.  Equifax announced the data breach on September 7, 2017, after hackers allegedly exploited a vulnerability in open-source software used by Equifax to create its online consumer dispute portal.

The first suits were filed on September 26th by the Massachusetts Attorney General and San Francisco.  Massachusetts’s complaint was filed in Superior Court in Suffolk County and alleges that Equifax knew or should have known about the vulnerability and that hackers were attempting to exploit it, but that Equifax failed to take known and available measures to prevent the breach.  Massachusetts asserts claims for violations of the Massachusetts data privacy statute and the Massachusetts Consumer Protection Act prohibiting unfair and deceptive practices based on Equifax’s alleged failure to give timely notice of the breach, failure to safeguard personal information, and failure to take other actions that Equifax was uniquely positioned to provide that would have mitigated damages to Massachusetts consumers.  The Massachusetts Attorney General is seeking unspecified civil penalties, disgorgement of profits, restitution, costs and attorney’s fees.

San Francisco’s complaint, filed in the Superior Court of San Francisco, asserts claims under the California Business and Professions Code for unlawful, unfair or fraudulent business practices, alleging that Equifax failed to maintain reasonable security practices and procedures, failed to provide timely notice of the security breach, and failed to provide complete, plain and clear information when notice was provided.  The lawsuit seeks restitution for all California consumers, civil penalties of up to $2,500 per violation of law, costs, and a court order requiring Equifax to implement and maintain appropriate security procedures in the future.

Finally, the City of Chicago filed suit on September 28th in Cook County Circuit Court and asserts claims arising under both state law and city ordinance.  Specifically, Chicago alleges Equifax violated a local ordinance prohibiting fraudulent, unfair, and deceptive business practices, as well as the Illinois Consumer Fraud and Deceptive Business Practices Act.  Chicago’s claims are based on allegations that Equifax failed to give prompt notice of the breach, failed to safeguard personal information, and deceived consumers by requiring them to waive their legal rights in exchange for credit monitoring services and by misrepresenting that the offered credit monitoring was free.  Chicago seeks civil monetary penalties in the amount of $10,000 for each day a violation has existed that involves a Chicago resident, restitution, and injunctive relief requiring Equifax to maintain adequate security measures to prevent data breaches.

These are likely just the first of many lawsuits to be filed against Equifax by state and local officials.  Further action at both the federal and state level seems all but certain.  For example, the Federal Trade Commission and Department of Justice have confirmed they are investigating the breach, and the New York Department of Financial Services confirmed that it recently issued a subpoena to Equifax for more information about the breach.  This vigorous and immediate government enforcement effort further supports our position that private class action lawsuits are an unnecessary and inappropriate tool for vindicating any harm caused by the data breach.  We will continue to follow these significant cases and update you as events unfold.

The recent data breach disclosure by Equifax raised an outcry from consumer advocates trying to link the data breach to the Consumer Financial Protection Bureau’s (CFPB) final arbitration rule.  They are portraying this cybersecurity incident as a prime example of why class actions are needed to protect consumers, hoping to persuade the U.S. Senate not to repeal the rule under the Congressional Review Act.  The CFPB rule bars financial services companies from including class action waivers in consumer arbitration agreements beginning on March 19, 2018.

The Senate should disregard their arguments.  While the CFPB arbitration rule covers some credit reporting company activities, it does not appear to cover data breaches such as this one.  Therefore, the Equifax data breach has nothing to do with the CFPB arbitration rule.  In any event, the issue appears to be moot, since according to published reports Equifax has stated that it will not seek to apply its on-line arbitration clause and class action waiver to claims based on the data breach itself.

Consumer advocates have also criticized Equifax for purportedly requiring consumers who may have been affected by the data breach, and who want to sign up for the company’s offer of free credit protection services, to agree to arbitrate claims arising from those services (unless they exercise their right to opt out of the arbitration clause).  Equifax, however, has made clear that its arbitration clause and class action waiver will not apply to this cybersecurity event.  Lost in the hubbub is the fact that claims of this nature would appear to be inherently individualized and not susceptible to class action treatment, since the facts pertinent to each consumer’s account presumably will be unique.

Ultimately, this incident exemplifies why the Senate should vote to repeal the CFPB arbitration rule.  The CFPB, the Federal Trade Commission and state attorneys general (most notably Attorney General Schneiderman of New York) got involved almost immediately and will advocate on behalf of consumers more efficiently and effectively than class action lawsuits, without siphoning off a hefty attorneys’ fee if they prevail.

On May 15, 2017, the Federal Reserve Office of Inspector General – which also oversees the CFPB – released a report finding deficiencies in the CFPB Office of Enforcement’s (Enforcement) processes for securing sensitive information.  The evaluation, conducted between February 2016 and July 2016, reviewed Enforcement’s processes for protecting the information it collects from the entities subject to its investigations and litigation activities related to potential violations of federal consumer financial laws, referred to as confidential investigative information (CII).

First, the Report found that access to matters containing CII was not always restricted to employees who required it to perform their assigned duties – during the time period evaluated, the OIG identified 113 individuals with access to matters when they no longer needed it.  Although CFPB policy is to require that access to high-sensitivity information, including CII, be restricted to individuals “with a demonstrated business need,” employees were generally allowed broad access to the network drive containing CII.  To address these issues, the Report offered five recommendations: (1) formalize in policy that employees should be granted access to Enforcement’s review tools and network drive matter folders only when such access is relevant to their assigned duties; (2) update policies and procedures to specify the process for approving and updating matter folder access rights for Enforcement’s review tools and network drive; (3) expand existing training for employees to reinforce guidance on Enforcement’s interpretation that “demonstrated business need” means relevance to performing assigned duties, and on the access approval and updating process for Enforcement’s review tools and network drive; (4) develop and implement a monitoring and testing approach to periodically confirm that Enforcement’s matter folders are appropriately restricted; and (5) coordinate with the Chief Information Officer to ensure that the new cloud environment, which is intended to replace the network drive, includes access approval and monitoring capabilities that meet the current and future needs of Enforcement.

Second, the Report found that Enforcement employees did not consistently follow CFPB guidelines for safeguarding CII, were unaware of certain aspects of the CFPB’s policies, and did not understand how relevant policies applied to their daily work activities.  The Report offered three recommendations to address this issue: (1) develop and implement operational procedures specific to Enforcement for handling printed high-sensitivity information, including but not limited to information labeling requirements and the use of cover sheets; (2) establish a strategy to periodically reinforce handling and safeguarding requirements and establish a monitoring approach to test compliance with information handling and safeguarding policies and procedures; and (3) monitor securable, access-controlled storage space, including but not limited to lockable cabinets and offices, to ensure that it meets the needs of all Enforcement employees.

Lastly, the Report found that Enforcement’s lack of a uniform naming convention hindered its ability to monitor and maintain access to matter folders.  The Report found that matter folder names were not uniform, with several instances of duplicate matters, and matters were inconsistently identified across different systems.  This hindered management’s ability to: (1) locate documents; (2) assign and monitor access to matter folders; and (3) ensure uniform and complete documentation or data for a matter.  The Report recommended developing a policy to establish a standard naming convention for matter folders and other relevant Enforcement folders to be used across all Enforcement applications and internal drives.

The Report raises significant – and continuing – concerns regarding Enforcement’s ability to safeguard the information it collects in the course of its investigations.  The Report follows the OIG’s September 29, 2016, memorandum, which identified information security as an area of improvement for CFPB management (see our prior blog post).  It is also interesting to note that the Report’s review period coincides with Enforcement’s March 2016 consent order with Dwolla, which marked Enforcement’s first – and to date, its only – foray into the data security realm (see our blog post on the consent order).  The Report’s findings highlight Enforcement’s continued struggle to satisfy the same internal data security requirements that it expects companies to maintain.  Enforcement’s failure to restrict access to sensitive information creates a risk of unauthorized disclosure.  Moreover, while the Report notes that former employees do not pose a significant risk because they should no longer have access to the CFPB’s network, the fact that their access has not been restricted provides at least some reason for concern that these individuals may be able to misuse this information.

New Mexico recently became the 48th state to enact a data breach notification law.  This continues the accelerated pace of state data breach legislative activity in the last two years.  Since 2015, at least 41 states have considered legislation relating to data security incidents, and at least 16 states have enacted or amended such laws.

Among the most significant aspects of New Mexico’s brand new “Data Breach Notification Act” is its definition of “Personal Identifying Information.”  The Act follows a growing state trend by including “biometric data” in its definition of “personal identifying information.”  In addition, “security breach” is defined as the acquisition of—but not mere access to—unencrypted computerized data, or of encrypted data if the encryption key is also acquired.  The Act contains an exemption from the requirement to provide notice within 45 calendar days after discovery of the breach for persons subject to the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996.

For more information on the new law, see our legal alert.
On September 29th, the Office of the Inspector General (OIG) that oversees the CFPB released a memorandum detailing the major management challenges facing the CFPB.  The memo identified four areas of improvement that, unless addressed, would otherwise hamper the CFPB’s ability to accomplish its strategic objectives:

  • Ensuring an Effective Information Security Program
  • Ensuring Comprehensive Policies and Procedures Are in Place and Followed
  • Maturing the Human Capital Program
  • Managing and Acquiring Sufficient Workspace to Support CFPB Activities

Despite the vast quantities of consumer information being collected by the CFPB as part of its consumer protection mission, the CFPB has not fully implemented an information security continuous monitoring program, including a comprehensive data loss prevention system and oversight of contractor-operated information systems.  Furthermore, the CFPB has not fully implemented processes within its internal network that would enable the agency to detect and better protect against unauthorized access to and disclosure of its sensitive information.  Not only must the CFPB be concerned about hackers, the CFPB must also address the risk of insider threats.  A review of the CFPB website reveals that the CFPB makes very few representations about the level of security being provided for consumer information.  In the wake of the CFPB’s data security enforcement action against Dwolla, Inc. (see our prior blog post), the CFPB should be prepared to satisfy the same data security requirements that it expects to see among the companies that it regulates.

Additionally, the CFPB expects companies to maintain comprehensive compliance management systems, including written policies and procedures as well as employee training on those policies and procedures.  However, the OIG concluded that the CFPB does not have a comprehensive set of policies and procedures for some program areas, and that the CFPB did not fully ensure that its staff members were aware of and complied with its existing policies and procedures.  Despite clear guidance provided to industry about the minimum requirements of an effective compliance management system, as described in the CFPB Supervision and Examination Manual, the CFPB appears to have similar struggles in establishing its own internal governance.

Last August, we blogged about a Third Circuit decision that held the FTC can regulate cybersecurity policies and procedures as “unfair” acts or practices under Section 5 of the FTC Act.  In our blog post, we commented that banks and other companies subject to the CFPB’s jurisdiction faced the possibility that the CFPB could begin using its Dodd-Frank authority to bring enforcement actions against companies engaged in unfair, deceptive, and abusive acts and practices (UDAAP) to regulate cybersecurity policies and procedures.  The CFPB’s announcement yesterday of its first data security enforcement action demonstrates that our concerns were well-founded.

The CFPB’s target in this action was Dwolla, Inc., a company that operates an online payment system and uses consumers’ personal information to complete financial transactions.  The CFPB lacks enforcement authority with respect to the data security provisions of Gramm-Leach-Bliley.  In targeting Dwolla, the CFPB apparently decided that it could use its UDAAP authority with respect to data security matters.  Focusing on the UDAAP deception prong, the CFPB alleged that the company failed to maintain adequate data security practices despite representations made on the company website and in communications with consumers that the company has implemented practices that exceed industry standards.  The CFPB’s action significantly ups the ante for large banks and non-banks subject to the CFPB’s enforcement jurisdiction.

For more about the action, see our legal alert.  On March 18, 2016, Ballard Spahr will conduct a webinar, “The CFPB’s First Data Security Enforcement Action – Its Significance for Banks and Non-Banks.”  A link to register is available here.
The Association of Corporate Counsel Foundation (ACC) released a State of Cybersecurity report on December 9, 2015.  Ballard Spahr was the only law firm that served on the advisory board for the study and helped to formulate the survey questions.  The report provides valuable insights on cybersecurity issues from more than 1,000 corporate lawyers at 887 organizations worldwide—most of whom hold the position of General Counsel or Chief Legal Officer.

We have previously observed that banks and other companies subject to the CFPB’s jurisdiction face the possibility that the CFPB could begin using its authority under Sections 1031 and 1036 of the Dodd-Frank Act (which proscribe unfair, deceptive or abusive acts or practices) to regulate cybersecurity policies and procedures.  The ACC report can be used by in-house lawyers to assess whether their companies are devoting appropriate time and resources to cybersecurity.  A company whose cybersecurity practices did not align with companies of a similar size in the same industry might be at greater risk of a UDAAP challenge if the CFPB were to scrutinize its cybersecurity policies and procedures.

For more on the report, see our legal alert.  On January 12, 2016, Ballard Spahr will hold a webinar, “Lessons Learned: Best Practices for In-House Counsel from the ACC Cybersecurity Report,” from 12:00 p.m. to 1:00 p.m. ET.  A link to register is available here.

As we have previously observed, banks and other companies subject to the CFPB’s jurisdiction face the possibility that the CFPB could begin using its authority under Sections 1031 and 1036 of the Dodd-Frank Act (which proscribe unfair, deceptive or abusive acts or practices) to regulate cybersecurity policies and procedures.

For companies also subject to the FTC’s jurisdiction, the threat of FTC regulation of their cybersecurity policies and procedures became significantly more imminent as a result of the Third Circuit’s August 2015 decision in FTC v. Wyndham Worldwide Corporation.  In that case, the Third Circuit ruled that the FTC can regulate cybersecurity policies and procedures as “unfair” acts or practices under Section 5 of the FTC Act.  The prohibition of “unfair” acts or practices in Dodd-Frank is based on the unfairness standard in Section 5.

However, in a more favorable development, the FTC’s Chief Administrative Law Judge recently dismissed the FTC’s complaint against LabMD, Inc., in which the FTC charged that the company engaged in unfair acts or practices in violation of Section 5 by failing to adequately protect consumer data.  According to the FTC, the company’s failure to provide reasonable and appropriate security for personal information maintained on its computer networks resulted in two “security incidents.”

For both incidents, the ALJ based its decision to dismiss the complaint primarily on the FTC’s failure to prove the company’s practices were “likely to cause substantial injury to consumers,” as is required by the unfairness standard in Section 5.  This was, in large part, because for both incidents, no consumers had been harmed despite the passage of considerable time since the incidents.

This decision marks the rare instance in which a company has successfully challenged an FTC data security action.  For more on the decision, see our legal alert.

The Office of the Inspector General (OIG) has released the “2015 list of major management challenges” faced by the CFPB that the OIG believes will hamper the CFPB’s ability to accomplish the CFPB’s strategic objectives.  Like the 2014 list, one of the challenges identified by the OIG is the need to ensure that the CFPB has an effective information security program.  Due to the advanced persistent threats faced by the federal government, the OIG concluded that the CFPB needs to strengthen its defenses against attacks from outside governments, organized groups, and other threats.  The OIG identified four high-priority security risk areas for CFPB improvement:

  • Continuous monitoring to assess security controls and system configurations
  • Configuration management of CFPB systems
  • Role-based security training for individuals with significant security responsibilities
  • Incident response and reporting

The OIG applauded the CFPB’s efforts to build out its Cybersecurity Program Management Office, but the OIG recommended that the CFPB should continue improving its information security program, overseeing the security of contractor-operated information systems, transitioning IT resources from the Treasury Department, and ensuring that personally identifiable information (PII) is properly protected, including the PII that the CFPB receives from consumer complaints about credit card accounts, mortgage loans, and other consumer financial products and services.

Banks and other companies subject to the CFPB’s jurisdiction face the possibility that the CFPB could begin using its authority under Sections 1031 and 1036 of the Dodd-Frank Act (which proscribe unfair, deceptive or abusive acts or practices) to regulate cybersecurity policies and procedures.  For companies also subject to the FTC’s jurisdiction, however, the threat of FTC regulation of their cybersecurity policies and procedures is significantly more imminent in view of a recent decision of the U.S. Court of Appeals for the Third Circuit.

In FTC v. Wyndham Worldwide Corporation, a case of first impression, the Third Circuit ruled that the FTC can regulate cybersecurity policies and procedures as “unfair” acts or practices under Section 5 of the FTC Act.  For a discussion of the decision, see our legal alert.

On September 10, 2015, Ballard Spahr attorneys will hold a webinar, “FTC as the de Facto Privacy Regulator: 10 Things You Need To Know” from 12:00-1:00 p.m. ET.  The registration form is available here.