COMMITMENTS AND CONTINGENCIES
|6 Months Ended|
Jun. 30, 2019
|Commitments and Contingencies Disclosure [Abstract]|
|COMMITMENTS AND CONTINGENCIES||COMMITMENTS AND CONTINGENCIES
2017 Cybersecurity Incident
In 2017, we experienced a cybersecurity incident following a criminal attack on our systems that involved the theft of certain personally identifiable information of U.S., Canadian and U.K. consumers. Criminals exploited a software vulnerability in a U.S. website application to gain unauthorized access to our network. In March 2017, the U.S. Department of Homeland Security distributed a notice concerning the software vulnerability. We undertook efforts to identify and remediate vulnerable systems; however, the vulnerability in the website application that was exploited was not identified by our security processes. We discovered unusual network activity in late July 2017 and upon discovery promptly investigated the activity. Once the activity was identified as potential unauthorized access, we acted to stop the intrusion and engaged a leading, independent cybersecurity firm to conduct a forensic investigation to determine the scope of the unauthorized access, including the specific information potentially impacted. Based on our forensic investigation, the unauthorized access occurred from mid-May through July 2017.
Product Liability. As a result of the 2017 cybersecurity incident, we offered TrustedID® Premier, a credit file monitoring and identity theft protection product, for free to all eligible U.S. consumers who signed up through January 31, 2018. We also provided free credit reports and scores, credit monitoring and identity theft protection for twenty four months to impacted consumers in Canada and the U.K. We have recorded the expenses necessary to provide this service to those who signed up. In the fourth quarter of 2018, the Company extended the free credit monitoring services for an additional twelve months for eligible U.S. consumers impacted by the 2017 cybersecurity incident by providing them the opportunity to enroll in Experian® IDNotify™ at no cost. As of June 30, 2019 and December 31, 2018, our product liability balance was $5.6 million and $12.7 million, respectively.
Future Costs. We are currently executing substantial initiatives in security and consumer support, and a company-wide transformation of our technology infrastructure, which we refer to as our technology transformation, and incurred substantial increased expenses and capital expenditures in the three and six months ended June 30, 2019 related to these initiatives. We expect to continue to incur significant expenses and capital expenditures in the remainder of 2019 and through 2020 related to these initiatives, although at levels slightly below those incurred in 2018.
We incurred significant legal and professional services expenses related to the lawsuits, claims and government investigations related to the 2017 cybersecurity incident in the three and six months ended June 30, 2019, and expect to continue to incur these expenses until these items are resolved. We will recognize the expenses referenced herein as they are incurred. In the three and six months ended June 30, 2019, we incurred elevated costs for insurance, finance and compliance activities, and expect to incur costs at these levels for the remainder of 2019.
Insurance Coverage. At the time of the 2017 cybersecurity incident, we had $125.0 million of cybersecurity insurance coverage, above a $7.5 million deductible, to limit our exposure to losses such as those related to this incident. Since the announcement of the 2017 cybersecurity incident, we have received the maximum reimbursement under the insurance policy of $125.0 million.
Litigation, Claims and Government Investigations. As a result of the 2017 cybersecurity incident, we are subject to a significant number of proceedings and investigations. Since the 2017 cybersecurity incident, hundreds of class actions and other lawsuits have been filed against us typically alleging harm from the 2017 cybersecurity incident and seeking various remedies, including monetary and injunctive relief.
On July 19, 2019 and July 22, 2019, as further described below, we entered into multiple agreements that resolve the U.S. Consumer MDL Litigation (as defined below) and the investigations of the Federal Trade Commission (“FTC”), the Consumer Financial Protection Bureau (“CFPB”), the Attorneys General of 48 states, the District of Columbia and Puerto Rico (the “MSAG Group”) and the New York Department of Financial Services (“NYDFS”) (collectively, the “Consumer Settlement”). Under the terms of the Consumer Settlement, if finally approved by the MDL Court (as defined below), the Company will contribute $380.5 million to a non-reversionary settlement fund (the “Consumer Restitution Fund”) to provide restitution for U.S. consumers identified by the Company whose personal information was compromised as a result of the 2017 cybersecurity incident.
The Consumer Restitution Fund will be used to (1) compensate affected consumers for certain unreimbursed costs or expenditures incurred by affected consumers that are fairly traceable to the 2017 cybersecurity incident, (2) provide affected consumers with an opportunity to enroll in at least four years of credit monitoring services provided by a third party unaffiliated with the Company or alternative compensation for affected consumers who already have other credit monitoring services, (3) provide affected consumers with additional benefits such as identity restoration services and (4) pay reasonable attorneys’ fees and reasonable costs and expenses for the plaintiffs’ counsel in the U.S. Consumer MDL Litigation (not to exceed $80.5 million) and administrative and notice costs.
The Company has agreed to contribute up to an additional $125 million to the Consumer Restitution Fund to cover unreimbursed costs and expenditures described in (1) above in the event the $380.5 million in the Consumer Restitution Fund is exhausted. In addition, if the number of affected consumers who enroll in the third party credit monitoring services described above in (2) exceeds seven million, the Company may be required, under certain circumstances, to contribute additional money into the Consumer Restitution Fund to cover the incremental cost of providing credit monitoring services to the additional affected consumers.
The Company also agreed to pay an additional $180.5 million to the MSAG Group and the following monetary penalties: (1) $100 million to the CFPB and (2) $10 million to the NYDFS. The Company has accrued its best estimate for estimated probable losses it expects to incur with respect to the Consumer Settlement. The Company also agreed to implement certain business practice commitments related to information security to safeguard the personal information of consumers, including conducting third party assessments of its information security program.
The agreement regarding the U.S. Consumer MDL Litigation is subject to approval by the U.S. District Court for the Northern District of Georgia. The settlement with the MSAG Group consists of substantially similar agreements with each of the participating jurisdictions, and each agreement is subject to court approval in the relevant jurisdiction. There can be no assurance that the courts in each relevant jurisdiction will approve the agreements which make up the Consumer Settlement. The Company’s participation in the Consumer Settlement does not constitute an admission by the Company of any fault or liability, and the Company does not admit fault or liability.
We face numerous other lawsuits and government investigations related to the 2017 cybersecurity incident that have not yet been resolved. These ongoing lawsuits and governmental investigations may result in additional judgments, fines, settlements or other relief. We dispute the allegations in the remaining lawsuits and intend to defend against such claims.
We believe it is probable that we will incur losses associated with certain of the proceedings and investigations related to the 2017 cybersecurity incident. We recorded accruals of $11.3 million and $701.3 million, respectively, in selling, general, and administrative expenses and other current liabilities in our Consolidated Statements of Income (Loss) and Balance Sheets, respectively, for the three and six months ending June 30, 2019, respectively, exclusive of our legal and professional services expenses. The amount accrued represents our best estimate of the liability related to these matters. The Company will continue to evaluate information as it becomes known and adjust accruals for new information and further developments in accordance with ASC 450-20-25. While it is reasonably possible that losses exceeding the amount accrued may be incurred, it is not possible at this time to estimate the additional possible loss in excess of the amount already accrued that might result from
adverse judgments, settlements, penalties or other resolution of the proceedings and investigations described below based on a number of factors, such as the various stages of these proceedings and investigations, that alleged damages have not been specified or are uncertain, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues. The ultimate amount paid on these actions, claims and investigations in excess of the amount already accrued could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods.
Set forth below are descriptions of the main categories of lawsuits and investigations related to the 2017 cybersecurity incident.
Multidistrict Litigation. Hundreds of class actions were filed against us in federal and state courts relating to the 2017 cybersecurity incident. The plaintiffs in these cases, who purport to represent various classes of U.S. consumers and small businesses, generally claim to have been harmed by alleged actions and/or omissions by Equifax in connection with the 2017 cybersecurity incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief and other related relief.
In addition, certain class actions have been filed by financial institutions that allege their businesses have been placed at risk due to the 2017 cybersecurity incident and generally assert common law claims, such as claims for negligence, as well as, in some cases, statutory claims. The financial institution class actions seek compensatory damages, injunctive relief and other related relief.
Furthermore, a lawsuit has been filed against us by the City of Chicago with respect to the 2017 cybersecurity incident alleging violations of state laws and local ordinances governing protection of personal data, consumer fraud, breach notice requirements and business practices and seeking declaratory and injunctive relief and the imposition of fines the aggregate amount of which the complaint does not specifically quantify. Three Indian Tribes filed suits in federal court asserting putative class actions relating to the 2017 cybersecurity incident brought on behalf of themselves and other similarly situated federally recognized Indian Tribes and Nations. Additionally, the Commonwealth of Puerto Rico filed an action on its own behalf and on behalf of the people of Puerto Rico arising out of the 2017 cybersecurity incident.
Beginning on December 6, 2017 and pursuant to multiple subsequent orders, the U.S. Judicial Panel on Multidistrict Litigation ordered the consolidation and transfer for pre-trial proceedings with respect to the U.S. cases pending in federal court discussed above, including the City of Chicago action, the Indian Tribal suits, and the Puerto Rico action, to the Northern District of Georgia as the single U.S. District Court for centralized pre-trial proceedings (the “MDL Court”). Based on these orders, consolidated proceedings with respect to U.S. consumer, small business and financial institution federal class actions and other lawsuits related to the 2017 cybersecurity incident have been conducted in the MDL Court. The MDL Court has established separate tracks for the consumer and financial institution class action cases and appointed lead counsel on behalf of plaintiffs in both tracks. We refer to the consumer class action cases, captioned In re: Equifax, Inc. Customer Data Security Breach Litigation, MDL No. 2800 (Consumer Cases), as the “U.S. Consumer MDL Litigation.” Certain plaintiffs with cases pending in the MDL consolidated proceedings, including the Indian Tribe plaintiffs, Puerto Rico and the City of Chicago, have sought the establishment of additional tracks and other related relief. The MDL Court denied the request for a separate track by an individual plaintiff, but has not yet ruled on the remaining requests.
The Company moved to dismiss the consolidated class action complaints filed by the U.S. consumer, small business and financial institution plaintiffs in their entirety. On January 28, 2019, the MDL Court dismissed the small businesses’ consolidated class action complaint in its entirety. The MDL Court dismissed certain claims brought by the consumer and financial institution plaintiffs, while allowing other claims by those plaintiffs to proceed. Pursuant to case management orders issued by the MDL Court, consolidated pre-trial proceedings, including discovery between the parties, have been proceeding on the remaining claims of the U.S. consumer and financial institution plaintiffs.
As described above, in the third quarter of 2019, the Company entered into a settlement agreement that, upon approval by the MDL Court, will resolve and dismiss the claims asserted in the U.S. Consumer MDL Litigation. This settlement does not resolve the financial institution class action before the MDL Court or the actions by the City of Chicago or the Indian Tribes. The action by Puerto Rico will be dismissed with prejudice after the U.S. Consumer MDL Litigation settlement is approved.
Georgia State Court Consumer Class Actions. Four putative class actions arising from the 2017 cybersecurity incident were filed against us in Fulton County Superior Court and Fulton County State Court in Georgia based on similar allegations and theories as alleged in the U.S. consumer class actions pending in the MDL Court and seek monetary damages, injunctive relief and other related relief on behalf of Georgia citizens. These cases have been transferred to a single judge in the Fulton County Business Court and three of the cases were consolidated into a single action. On July 27, 2018, the Fulton County
Business Court granted the Company’s motion to stay the remaining single case, and on August 17, 2018, the Fulton County Business Court granted the Company’s motion to stay the consolidated case.
Canadian Class Actions. Eight Canadian class actions, six of which are on behalf of a national class of approximately 19,000 Canadian consumers, have been filed against us in Ontario, Saskatchewan, Quebec, British Columbia and Alberta. Each of the proposed Canadian class actions asserts a number of common law and statutory claims seeking monetary damages and other related relief in connection with the 2017 cybersecurity incident. The plaintiffs in each case seek class certification/authorization on behalf of Canadian consumers whose personal information was allegedly impacted by the 2017 cybersecurity incident. In some cases, plaintiffs also seek class certification on behalf of Canadian consumers who had contracts for subscription products with Equifax around the time of the incident. All purported class actions are at preliminary stages, and we are opposing class certification or authorization in cases where such motions are pending. In addition, one of the cases in Ontario as well as the Saskatchewan case have been stayed. The Court’s order staying the Saskatchewan case is on appeal.
TransUnion Litigation. On November 27, 2017, Trans Union LLC and TransUnion Interactive, Inc. (collectively, “TransUnion”) filed a lawsuit in the U.S. District Court for the Northern District of Illinois against Equifax Information Services LLC, Equifax Inc., and Equifax Consumer Services LLC f/k/a Equifax Consumer Services, Inc. In its lawsuit, TransUnion asserts claims for declaratory relief, breach of contract, and anticipatory repudiation of contract based on our Reciprocal Data Supply Agreement (the “Agreement”), which sets forth the pricing terms for credit monitoring supplied by the parties to each other. TransUnion seeks a declaration regarding its contractual rights under the Agreement and monetary damages. On January 26, 2018, we moved to dismiss TransUnion’s claims. On June 19, 2018, the court granted in part and denied in part our motion to dismiss, dismissing Equifax Inc. from the case. On July 24, 2019, the parties executed a settlement agreement to settle the matter. The Company has accrued for estimated probable losses it expects to incur with respect to this matter.
Securities Class Action Litigation. A consolidated putative class action lawsuit alleging violations of certain federal securities laws in connection with statements and alleged omissions regarding our cybersecurity systems and controls is pending against us and our former Chairman and Chief Executive Officer in the U.S. District Court for the Northern District of Georgia. The consolidated complaint seeks certification of a class of all persons who purchased or otherwise acquired Equifax securities from February 25, 2016 through September 15, 2017 and unspecified monetary damages, costs and attorneys’ fees. The Company moved to dismiss the consolidated class action complaint in its entirety. On January 28, 2019, the court dismissed claims against certain individual defendants and claims challenging certain statements, but allowed other claims against Equifax and our former Chairman and Chief Executive Officer to proceed. Pursuant to scheduling and case management orders issued by the court, pre-trial proceedings, including discovery between the parties, are moving forward on the remaining claims.
Shareholder Derivative Litigation. A consolidated putative shareholder derivative action naming certain of our current and former executives, officers and directors as defendants and naming us as a nominal defendant is pending in the U.S. District Court for the Northern District of Georgia. Among other things, the consolidated complaint alleges claims for breaches of fiduciary duties, unjust enrichment, corporate waste and insider selling by certain defendants, as well as certain claims under the federal securities laws. The complaint seeks unspecified damages on behalf of the Company, plus certain equitable relief. We have appointed a committee of independent directors empowered to evaluate and respond in our best interests to the claims and related litigation demands.
Government Lawsuits. In addition to the City of Chicago’s and Commonwealth of Puerto Rico’s lawsuits in the MDL Court, the City of San Francisco filed a lawsuit against us in Superior Court in the County of San Francisco on behalf of the People of the State of California alleging violations of California’s unfair competition law due to purported violations of statutory protections of personal data and statutory data breach requirements and seeking statutory penalties, injunctive relief, and restitution for California consumers, among other relief. The court has stayed the City of San Francisco action until August 1, 2019.
Civil enforcement actions have been filed against us by the Attorneys General of Indiana, Massachusetts and West Virginia alleging violations of commonwealth/state consumer protection laws. The Indiana action, which was filed on May 6, 2019, is pending in the Superior Court of Marion County and seeks injunctive relief, civil penalties, restitution, costs and other relief. The Massachusetts action is pending in Suffolk Superior Court and seeks permanent injunctive relief, civil penalties, restitution, disgorgement of profits, costs and attorneys’ fees. The Suffolk Superior Court denied the Company’s motions to stay and dismiss the case, and the case is in discovery. On July 19, 2019, the Company entered into an agreement with the Attorney General of West Virginia to resolve the West Virginia lawsuit as part of the settlement with the MSAG Group. The lawsuit filed by the Attorney General of Puerto Rico was transferred to the MDL proceeding, as described above. On July 19, 2019, the
Company entered into an agreement with the Attorney General of Puerto Rico to resolve the lawsuit as part of the settlement with the MSAG Group.
Individual Consumer Litigation. Over 1,000 individual consumer actions, including multi-plaintiff actions, have been filed against us in state (general jurisdiction and small claims) and federal courts across the U.S. related to the 2017 cybersecurity incident. These claims have included more than 2,500 individual plaintiffs. In addition, approximately 50 individual arbitration claims have been filed. The plaintiffs/claimants in these cases have generally claimed to have been harmed by alleged actions and/or omissions by Equifax in connection with the 2017 cybersecurity incident and assert a variety of common law and statutory claims seeking primarily monetary damages. Where possible, actions filed in federal court have been removed to federal court and noticed for transfer to the MDL Court. Many of these matters have been finally resolved, and others are in various stages.
Government Investigations. We continue to cooperate with federal, state, city and foreign governmental agencies and officials investigating or otherwise seeking information, testimony and/or documents, including through Civil Investigative Demands and subpoenas, regarding the 2017 cybersecurity incident and related matters, including the U.S. Securities and Exchange Commission (“SEC”), the U.S. Department of Justice, other U.S. state regulators, certain Congressional committees and the U.K.’s Financial Conduct Authority (“FCA”). In addition, the Puerto Rico Department of Consumer Affairs has issued Notices of Infraction related to the Company’s alleged failure to give timely notice of the 2017 cybersecurity incident under Puerto Rico law to the Department and Puerto Rico consumers.
The SEC issued a subpoena on May 14, 2018 regarding disclosure issues relating to the 2017 cybersecurity incident. We continue to cooperate with the SEC in its investigation. In addition, we continue to cooperate with the SEC and the U.S. Attorney’s Office for the Northern District of Georgia regarding investigations into the trading activities by certain of our current and former employees in relation to the 2017 cybersecurity incident.
The New York State Attorney General Investor Protection Bureau (“IPB”) issued a subpoena on September 20, 2017 relating to an investigation of whether there has been a violation of the Martin Act. We have continued to cooperate with the IPB in its investigation.
The FCA served an Enforcement Notice and Information Requests. We have provided responses to these requests and continue to cooperate with the FCA.
Although we are actively cooperating with the above investigations and inquiries, an adverse outcome to any such investigations and inquiries could subject us to fines or other obligations, which may have an adverse effect on how we operate our business or our results of operations.
In addition to the ongoing investigations described above, a number of governmental investigations have concluded, including the following described below.
As described above, on July 19, 2019, the Company resolved the consolidated multi-state investigation involving the Attorneys General of 48 states, the District of Columbia and Puerto Rico. As noted above, the Attorneys General of Indiana and Massachusetts did not participate in the multi-state process and each have filed suit. The Attorney General of Texas conducted a separate investigation, and resolved its investigation as part of the MSAG Group settlement. The settlement with the MSAG Group consists of substantially similar agreements with each of the participating jurisdictions, and each agreement is subject to court approval in the relevant jurisdiction.
As described above, the Company entered into agreements with the CFPB, FTC and NYDFS to resolve their investigations. The agreements with the CFPB and the FTC were approved by the U.S. District Court for the Northern District of Georgia.
The Financial Industry Regulatory Authority, Inc. conducted an investigation that has now been concluded.
The Office of the Privacy Commissioner of Canada (“OPC”) concluded its investigation into the 2017 cybersecurity incident, and published its report of findings on April 9, 2019. Equifax cooperated with the OPC’s investigation and entered into a compliance agreement with the OPC regarding certain non-monetary terms which was published on April 9, 2019.
Public Records Litigation
Equifax has been named as a defendant in 19 putative class action lawsuits pending in federal courts across the country relating to its reporting of civil judgments and tax liens on consumers’ credit files. In October 2018, Equifax and the plaintiffs’ attorneys who filed the lawsuits reached an agreement in principle to settle the public records-related claims at issue on behalf of a nationwide class of consumers and we accrued an estimate of $18.5 million for our liability for these matters in the third quarter of 2018. The amount accrued represents our best estimate of the liability related to this matter. The parties have filed notices of settlement in the pending lawsuits, and on April 17, 2019, the plaintiffs filed a motion for preliminary approval of the nationwide class action settlement in the case titled Mark William Thomas, et al. v. Equifax Information Services LLC. On May 14, 2019, the court preliminarily approved the settlement and scheduled a final approval hearing for September 13, 2019. If the settlement is not finally approved by the court, Equifax believes it has valid defenses to each of these actions and will continue to defend against them.
Data Processing, Outsourcing Services and Other Agreements
We have separate agreements with Google, IBM, Tata Consultancy Services and others to outsource portions of our network infrastructure, computer data processing operations, applications development, business continuity and recovery services, help desk service and desktop support functions, operation of our voice and data networks, maintenance and related functions and to provide certain other administrative and operational services. Annual payment obligations in regard to these agreements vary due to factors such as the volume of data processed; changes in our servicing needs as a result of new product offerings, acquisitions or divestitures; the introduction of significant new technologies; foreign currency; or the general rate of inflation. In certain circumstances (e.g., a change in control or for our convenience), we may terminate these data processing and outsourcing agreements, and, in doing so, certain of these agreements require us to pay significant termination fees.
Guarantees and General Indemnifications
We may issue standby letters of credit and performance and surety bonds in the normal course of business. The aggregate notional amounts of all performance and surety bonds and standby letters of credit was not material at June 30, 2019, and generally have a remaining maturity of one year or less. We may issue other guarantees in the ordinary course of business. The maximum potential future payments we could be required to make under the guarantees in the ordinary course of business is not material at June 30, 2019. We have agreed to guarantee the liabilities and performance obligations (some of which have limitations) of a certain debt collections and recovery management variable interest entity under its commercial agreements.
We have agreed to standard indemnification clauses in many of our lease agreements for office space, covering such things as tort, environmental and other liabilities that arise out of or relate to our use or occupancy of the leased premises. Certain of our credit agreements include provisions which require us to make payments to preserve an expected economic return to the lenders if that economic return is diminished due to certain changes in law or regulations. In conjunction with certain transactions, such as sales or purchases of operating assets or services in the ordinary course of business, or the disposition of certain assets or businesses, we sometimes provide routine indemnifications, the terms of which range in duration and sometimes are not limited. Additionally, the Company has entered into indemnification agreements with its directors and executive officers to indemnify such individuals to the fullest extent permitted by applicable law against liabilities that arise by reason of their status as directors or officers. The Company maintains directors and officers liability insurance coverage to reduce its exposure to such obligations.
We cannot reasonably estimate our potential future payments under the guarantees and indemnities and related provisions described above because we cannot predict when and under what circumstances these provisions may be triggered. We had no accruals related to guarantees and indemnities on our Consolidated Balance Sheets at June 30, 2019 or December 31, 2018.
In addition to the matters set forth above, we are involved in legal and regulatory matters, government investigations, claims and litigation arising in the ordinary course of business. We periodically assess our exposure related to these matters based on the information which is available. We have recorded accruals in our Consolidated Financial Statements for those matters in which it is probable that we have incurred a loss and the amount of the loss, or range of loss, can be reasonably estimated.
For additional information about these and other commitments and contingencies, see Note 6 of the Notes to Consolidated Financial Statements in our 2018 Form 10-K.
The entire disclosure for commitments and contingencies.
Reference 1: http://fasb.org/us-gaap/role/ref/legacyRef