Annual report pursuant to Section 13 and 15(d)

COMMITMENTS AND CONTINGENCIES

v3.19.3.a.u2
COMMITMENTS AND CONTINGENCIES
12 Months Ended
Dec. 31, 2019
Commitments and Contingencies Disclosure [Abstract]  
COMMITMENTS AND CONTINGENCIES COMMITMENTS AND CONTINGENCIES
 
2017 Cybersecurity Incident. 

In fiscal 2017, we experienced a cybersecurity incident following a criminal attack on our systems that involved the theft of certain personally identifiable information of U.S., Canadian and U.K. consumers. Criminals exploited a software vulnerability in a U.S. website application to gain unauthorized access to our network. In March 2017, the U.S. Department of Homeland Security distributed a notice concerning the software vulnerability. We undertook efforts to identify and remediate vulnerable systems; however, the vulnerability in the website application that was exploited was not identified by our security processes. We discovered unusual network activity in late-July 2017 and upon discovery promptly investigated the activity. Once the activity was identified as potential unauthorized access, we acted to stop the intrusion and engaged a leading, independent cybersecurity firm to conduct a forensic investigation to determine the scope of the unauthorized access, including the specific information potentially impacted. Based on our forensic investigation, the unauthorized access occurred from mid-May through July 2017.
Product Liability.  As a result of the 2017 cybersecurity incident, we offered TrustedID® Premier, a credit file monitoring and identity theft protection product, for free to all eligible U.S. consumers who signed up through January 31, 2018. In late 2018, the Company extended the free credit monitoring services for an additional twelve months for eligible consumers impacted by the 2017 cybersecurity incident by providing them the opportunity to enroll in Experian® IDNotify™ at no cost. We also provided free credit reports and scores, credit monitoring and identity theft protection for twenty four months to impacted consumers in Canada and the U.K. We have recorded the expenses necessary to provide this service to those who signed up. The remaining product liability balance at December 31, 2019 and 2018 was not material to the Consolidated Financial Statements.

Litigation, Claims and Government Investigations.  Following the 2017 cybersecurity incident, hundreds of class actions and other lawsuits were filed against us typically alleging harm from the 2017 cybersecurity incident and seeking various remedies, including monetary and injunctive relief. We were also subject to investigations and inquiries by federal, state and foreign governmental agencies and officials regarding the 2017 cybersecurity incident and related matters. As described below, most of these lawsuits and government investigations have concluded or been resolved, including pursuant to the settlement agreements described below, while others remain ongoing. The Company’s participation in these settlements does not constitute an admission by the Company of any fault or liability, and the Company does not admit fault or liability.

We believe it is probable that we will incur losses associated with certain of the proceedings and investigations related to the 2017 cybersecurity incident. We recorded expenses, net of insurance recoveries, of $800.9 million in other current liabilities and selling, general, and administrative expenses in our Consolidated Balance Sheets and Statements of (Loss) Income, respectively, as of and for the twelve months ended December 31, 2019, exclusive of our legal and professional services expenses. The amount accrued represents our best estimate of the liability related to these matters. The Company will continue to evaluate information as it becomes known and adjust accruals for new information and further developments in accordance with ASC 450-20-25. While it is reasonably possible that losses exceeding the amount accrued may be incurred, it is not possible at this time to estimate the additional possible loss in excess of the amount already accrued that might result from adverse judgments, settlements, penalties or other resolution of the proceedings and investigations described below based on a number of factors, such as the various stages of these proceedings and investigations, including matters on appeal, that alleged damages have not been specified or are uncertain, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues. The ultimate amount paid on these actions, claims and investigations in excess of the amount already accrued could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods.

Consumer Settlement. On July 19, 2019 and July 22, 2019, we entered into multiple agreements that resolve the U.S. consolidated consumer class action cases, captioned In re: Equifax, Inc. Customer Data Security Breach Litigation, MDL No. 2800 (Consumer Cases) (the “U.S. Consumer MDL Litigation”), and the investigations of the FTC, the CFPB, the MSAG Group and the NYDFS (collectively, the “Consumer Settlement”). Under the terms of the Consumer Settlement, the Company will contribute $380.5 million to a non-reversionary settlement fund (the “Consumer Restitution Fund”) to provide restitution for U.S. consumers identified by the Company whose personal information was compromised as a result of the 2017 cybersecurity incident.

The Consumer Restitution Fund will be used to (1) compensate affected consumers for certain unreimbursed costs or expenditures incurred by affected consumers that are fairly traceable to the 2017 cybersecurity incident, (2) provide affected consumers with an opportunity to enroll in at least four years of credit monitoring services provided by a third party unaffiliated with the Company or alternative compensation for affected consumers who already have other credit monitoring services, (3) provide affected consumers with additional benefits such as identity restoration services and (4) pay reasonable attorneys’ fees and reasonable costs and expenses for the plaintiffs’ counsel in the U.S. Consumer MDL Litigation (not to exceed $80.5 million) and administrative and notice costs.

The Company has agreed to contribute up to an additional $125.0 million to the Consumer Restitution Fund to cover unreimbursed costs and expenditures described in (1) above in the event the $380.5 million in the Consumer Restitution Fund is exhausted.

In accordance with the terms of the Consumer Settlement, in the third quarter of 2019, the Company paid $180.5 million to the MSAG Group and the following monetary penalties: (1) $100.0 million to the CFPB and (2) $10.0 million to the NYDFS. As part of the Consumer Settlement, the Company also agreed to implement certain business practice commitments related to consumer assistance and its information security program, including conducting third party assessments of its information security program.
In the third quarter of 2019, the agreements with the FTC and CFPB were approved by the U.S. District Court for the Northern District of Georgia. The settlement with the MSAG Group, which consists of substantially similar agreements with each of the participating jurisdictions, was approved by courts in the relevant jurisdiction also in the third quarter of 2019.

On January 13, 2020, the Northern District of Georgia, the U.S. District Court overseeing centralized pre-trial proceedings for the U.S. Consumer MDL Litigation and numerous other federal court actions relating to the 2017 cybersecurity incident (the “MDL Court”), entered an order granting final approval of the settlement in connection with the U.S. Consumer MDL Litigation, from which several objectors have appealed. Until the appeals are finally adjudicated or dismissed, we can provide no assurance that the U.S. Consumer MDL Litigation will be resolved as contemplated by the settlement agreement. If the MDL Court’s order approving the settlement were reversed by an appellate court, there is a risk that we would not be able to settle the U.S. Consumer MDL Litigation on acceptable terms or at all, which could have a material adverse effect on our financial condition.

The Company has accrued its best estimate for estimated probable losses it expects to incur with respect to the Consumer Settlement.

Other Settlements.

Securities Class Action Litigation. A consolidated putative class action lawsuit alleging violations of certain federal securities laws in connection with statements and alleged omissions regarding our cybersecurity systems and controls was filed against us and our former Chairman and Chief Executive Officer in the U.S. District Court for the Northern District of Georgia. The consolidated complaint seeks certification of a class of all persons who purchased or otherwise acquired Equifax securities from February 25, 2016 through September 15, 2017 and unspecified monetary damages, costs and attorneys’ fees. The Company moved to dismiss the complaint in its entirety. On January 28, 2019, the court dismissed claims against certain individual defendants and claims challenging certain statements, but allowed other claims against Equifax and our former Chairman and Chief Executive Officer to proceed.

On February 12, 2020, we entered into a settlement agreement to resolve the securities class action lawsuit in which the Company agreed to create a settlement fund for the benefit of class members. The settlement is subject to a number of conditions, including certification of a settlement class, notice, and preliminary and final court approvals. We can provide no assurance that all conditions will be satisfied or that the necessary court approvals will be obtained. The Company recorded an accrual for the settlement amount, net of the estimated insurance recovery, in the Consolidated Balance Sheets and Statements of (Loss) Income as of and for the twelve months ended December 31, 2019. The Company recorded the estimated insurance recovery to the settlement in the Company’s Consolidated Statements of (Loss) Income for the year ended December 31, 2019. The estimated insurance recovery was recorded as a receivable in the Company’s Consolidated Balance Sheets as of December 31, 2019.

Shareholder Derivative Litigation. A consolidated putative shareholder derivative action naming certain of our current and former executives, officers and directors as defendants and naming us as a nominal defendant was filed in the U.S. District Court for the Northern District of Georgia. Among other things, the consolidated complaint alleges claims for breaches of fiduciary duties, unjust enrichment, corporate waste and insider selling by certain defendants, as well as certain claims under the federal securities laws. The complaint seeks unspecified damages on behalf of the Company, plus certain equitable relief. We appointed a committee of independent directors (the “Demand Review Committee”) empowered to evaluate and respond in our best interests to the claims and related litigation demands.

On February 12, 2020, the Company, by and through the Demand Review Committee, and individual defendants entered into a settlement agreement with the plaintiffs which, subject to court approval, will resolve the matter by agreeing to adopt certain governance changes and obtaining an insurance recovery for the Company. We can provide no assurance that the necessary court approvals will be obtained. We have recorded an accrual for the amount of attorneys’ fees we estimate that we will pay as part of this settlement in the Company’s Consolidated Balance Sheets as of December 31, 2019. We have recorded a receivable for the amount of the estimated insurance recovery in the Company’s Consolidated Balance Sheets as of December 31, 2019.

Government Lawsuits. Separate civil enforcement actions were filed against us in state court by the respective Attorneys General of Indiana and Massachusetts alleging violations of commonwealth/state consumer protection laws and seeking injunctive relief, civil penalties, restitution, costs and other relief. The Company filed motions to dismiss the actions which were denied. On December 26, 2019, we filed a motion asking the court in the Indiana action to certify its order denying our motion to dismiss for interlocutory appeal, and that motion was granted on February 6, 2019.
The Company has reached an agreement in principle with each of the Attorneys General of Massachusetts and Indiana to resolve their actions. These settlements, in which the Company has agreed to make a monetary payment and to injunctive relief consistent with the MSAG Group settlement, are subject to finalizing definitive settlement agreements and court approval in each respective jurisdiction. The Company has recorded an accrual for the amount it expects to pay in connection with these settlements.

Financial Institutions MDL Class Action. Certain class actions were filed by financial institutions and transferred to the MDL Court (the “Financial Institutions MDL Litigation”). These class actions allege that the financial institutions’ businesses have been placed at risk due to the 2017 cybersecurity incident, generally assert common law claims such as claims for negligence, as well as, in some cases, statutory claims and seek compensatory damages, injunctive relief and other related relief. The Company moved to dismiss the financial institutions’ consolidated class action complaint in its entirety, and the MDL Court dismissed certain claims, while allowing other claims to proceed. The financial institution plaintiffs filed a motion to amend their class action complaint which was granted in part and denied in part on December 18, 2019. The majority of the claims which the financial institutions sought to revive by amendment, however, remained dismissed.

The Company has reached an agreement in principle to enter into a class-wide settlement of the remaining financial institutions’ claims. Upon submission of the final settlement documents and necessary court approvals, the settlement will resolve any remaining claims that could be asserted by the financial institutions before the MDL Court. The settlement contemplates payment for claims up to a maximum amount and certain non-monetary relief. The settlement is subject to a number of conditions, including notice, and preliminary and final court approvals. We can provide no assurance that all conditions will be satisfied or that the necessary court approvals will be obtained. The Company has recorded an accrual for the amount it expects to pay in connection with this settlement.

Pennsylvania State Court Financial Institution Class Action. One of the initial named plaintiffs in Financial Institutions MDL Litigation filed a purported class action suit against us in the Court of Common Pleas of Lawrence County, Pennsylvania on behalf of financial institutions headquartered in Pennsylvania. The claims being asserted in this matter are substantially similar to claims that previously were dismissed in the MDL proceeding for lack of standing. We filed preliminary objections to the complaint on September 5, 2019, and a hearing on the preliminary objections is scheduled for June 29, 2020. The Company has reached an agreement in principle to resolve this matter. The settlement is subject to court approval, and we can provide no assurance that the necessary court approval will be obtained. The Company has recorded an accrual for the amount it expects to pay in connection with this settlement.

Indian Tribes Class Actions and City of Chicago Lawsuit. Three Indian Tribes and the City of Chicago filed separate suits with respect to the 2017 cybersecurity incident, which were subsequently transferred to the MDL Court. The Indian Tribes brought their claims purportedly on behalf of themselves and other similarly situated federally recognized Indian Tribes and Nations. The Company has reached an agreement in principle to resolve the three Indian Tribes’ claims as well as an agreement in principle to resolve the City of Chicago’s lawsuit. The Company has recorded an accrual for the amount it expects to pay in connection with these settlements.

Other Matters. We face other lawsuits and government investigations related to the 2017 cybersecurity incident that have not yet been concluded or resolved. These ongoing matters may result in judgments, fines or penalties, settlements or other relief. We dispute the allegations in the remaining lawsuits and intend to defend against such claims. Set forth below are descriptions of the main categories of these matters.

Georgia State Court Consumer Class Actions. Four putative class actions arising from the 2017 cybersecurity incident were filed against us in Fulton County Superior Court and Fulton County State Court in Georgia based on similar allegations and theories as alleged in the U.S. Consumer MDL Litigation and seek monetary damages, injunctive relief and other related relief on behalf of Georgia citizens. These cases were transferred to a single judge in the Fulton County Business Court and three of the cases were consolidated into a single action. On July 27, 2018, the Fulton County Business Court granted the Company’s motion to stay the remaining single case, and on August 17, 2018, the Fulton County Business Court granted the Company’s motion to stay the consolidated case. These cases remain stayed pending resolution of the U.S. Consumer MDL Litigation.

Canadian Class Actions. Eight Canadian class actions, six of which are on behalf of a national class of approximately 19,000 Canadian consumers, have been filed against us in Ontario, Saskatchewan, Quebec, British Columbia and Alberta. Each of the proposed Canadian class actions asserts a number of common law and statutory claims seeking monetary damages and other related relief in connection with the 2017 cybersecurity incident. The plaintiffs in each case seek class certification/authorization on behalf of Canadian consumers whose personal information was allegedly impacted by the 2017 cybersecurity incident. In some cases, plaintiffs also seek class certification on behalf of a larger group of Canadian consumers who had
contracts for subscription products with Equifax around the time of the incident or earlier and were not impacted by the incident.

On October 21, 2019, the court in the Quebec case dismissed the plaintiff’s motion for authorization to institute a class action. On December 13, 2019, the court in the active Ontario case granted certification of a nationwide class that includes impacted Canadians as well as Canadians who had subscription products with Equifax between March 7, 2017 and July 30, 2017. We have sought leave to appeal this decision. All remaining purported class actions are at preliminary stages. In addition, one of the cases in Ontario as well as the Saskatchewan case have been stayed. The court’s order staying the Saskatchewan case is on appeal.

Individual Consumer Litigation. We have several hundred individual consumer actions pending against us in state (general jurisdiction and small claims) and federal courts across the U.S. related to the 2017 cybersecurity incident. The plaintiffs/claimants in these cases have generally claimed to have been harmed by alleged actions and/or omissions by Equifax in connection with the 2017 cybersecurity incident and assert a variety of common law and statutory claims seeking primarily monetary damages. Where possible, actions filed in or removed to federal court were noticed for transfer to the MDL Court. We believe that many of the remaining individual consumer actions will be subject to the settlement in the U.S. Consumer MDL Litigation discussed above, unless the individual consumers submitted a valid and timely request to be excluded from the settlement.

Government Investigations. We have cooperated with federal, state and foreign governmental agencies and officials investigating or otherwise seeking information, testimony and/or documents, regarding the 2017 cybersecurity incident and related matters.

The FCA opened an enforcement investigation against our U.K. subsidiary, Equifax Limited, in October 2017. The investigation by the FCA has involved a number of information requirements and interviews. We continue to respond to the information requirements and are cooperating with the investigation.

The New York State Attorney General Investor Protection Bureau (“IPB”) issued a subpoena in September 2017 relating to its investigation of whether there has been a violation of the Martin Act. We have cooperated with the IPB in its investigation, and the IPB has not contacted us regarding the investigation since January 2019.
Although we continue to cooperate in the above investigations and inquiries, an adverse outcome to any such investigations and inquiries could subject us to fines or other obligations, which may have an adverse effect on how we operate our business or our results of operations.

Data Processing, Outsourcing Services and Other Agreements  
We have separate agreements with Google, Amazon Web Services, IBM, Tata Consultancy Services and others to outsource portions of our network and security infrastructure, computer data processing operations, applications development, business continuity and recovery services, help desk service and desktop support functions, operation of our voice and data networks, maintenance and related functions and to provide certain other administrative and operational services. The agreements expire between 2020 and 2026. The estimated aggregate minimum contractual obligation remaining under these agreements is approximately $296 million as of December 31, 2019, with no future year’s minimum contractual obligation expected to exceed approximately $109 million. Annual payment obligations in regard to these agreements vary due to factors such as the volume of data processed; changes in our servicing needs as a result of new product offerings, acquisitions or divestitures; the introduction of significant new technologies; foreign currency; or the general rate of inflation. In certain circumstances (e.g., a change in control or for our convenience), we may terminate these data processing and outsourcing agreements, and, in doing so, certain of these agreements require us to pay significant termination fees.
 
Under our agreement with IBM (which covers our operations in North America, Europe and Asia Pacific), we have outsourced certain of our mainframe and midrange operations, help desk service and desktop support functions, and the operation of our voice and data networks. The scope of services provided by IBM, and the term of our agreement with respect to such services, varies by geography and location. The estimated future minimum contractual obligation under the revised North America (US and Canada), Europe (UK and Spain), Australia and Latin America agreements is approximately $85 million for the remaining term, with no individual year’s minimum expected to exceed approximately $42 million. We may terminate certain portions of this agreement without penalty in the event that IBM is in material breach of the terms of the agreement. During 2019, 2018 and 2017, we paid approximately $52 million, $49 million and $40 million, respectively, for these services.
Under our agreement with Google, we have outsourced certain areas of our network and security infrastructure. The estimated future minimum contractual obligation under the agreement is approximately $120 million for the remaining term, with no individual year’s minimum expected to exceed approximately $44 million. We may terminate certain portions of this agreement without penalty in the event that Google is in material breach of the terms of the agreement. During 2019, 2018 and 2017, we paid approximately $14 million, $7 million and $4 million, respectively, for these services.
 
Change in Control Agreements  

In February 2019, we adopted the Equifax Inc. Change in Control Severance Plan (the “CIC Plan”) for certain key executives. The CIC Plan does not apply to Mark W. Begor, our Chief Executive Officer, whose severance benefits in a change of control are contained in his employment agreement with the Company. The CIC Plan and Mr. Begor’s agreement provide for, among other things, certain payments and benefits in the event of a qualifying termination of employment (i.e., termination of employment by the executive for “good reason” or termination of employment by the Company without “cause,” each as defined in the applicable document) following a change in control of the Company. In the event of a qualifying termination, the executive will become entitled to continuation of certain employee benefits for two or three years, depending on the eligibility, as well as a lump sum severance payment, all of which differs by executive. 
 
Change in control events potentially triggering benefits under the CIC Plan and Mr. Begor’s agreement would occur, subject to certain exceptions, if (1) any person acquires 20% or more of our voting stock; (2) upon a merger or other business combination, our shareholders receive less than two-thirds of the common stock and combined voting power of the new company; (3) members of the current Board of Directors ceasing to constitute a majority of the Board of Directors, except for new directors that are regularly elected; (4) we sell or otherwise dispose of all or substantially all of our assets; or (5) we liquidate or dissolve. If these change in control benefits had been triggered as of December 31, 2019, payments of approximately $36.8 million would have been made.

Under the Company’s existing employee stock benefit plans, upon a change in control, outstanding awards will continue to vest in accordance with the terms. However, if outstanding awards are not assumed or continued in the change in control transaction or if the executive incurs a qualifying termination in connection with the change in control, then all outstanding stock options and nonvested stock awards will vest. With respect to unvested performance based share awards dependent upon the Company’s three-year relative total shareholder return, if at least one calendar year of performance during the performance period has been completed prior to the change in control event, the awards will be paid out based on the Company’s performance at that time; otherwise the payout of shares will be at 100% of the target award. Under the Company’s existing director stock benefit plans, upon a change in control, all outstanding nonvested stock awards will vest.
 
Guarantees  

We will from time to time issue standby letters of credit, performance or surety bonds or other guarantees in the normal course of business. The aggregate notional amount of all performance bonds, surety bonds, and standby letters of credit is not material at December 31, 2019 and generally have a remaining maturity of one year or less. We may issue other guarantees in the ordinary course of business. The maximum potential future payments we could be required to make under the guarantees is not material at December 31, 2019. We have agreed to guarantee the liabilities and performance obligations (some of which have limitations) of a certain debt collections and recovery management VIE under its commercial agreements. We cannot reasonably estimate our potential future payments under the guarantees and related provisions described above because we cannot predict when and under what circumstances these provisions may be triggered. We had no accruals related to guarantees on our Consolidated Balance Sheets at December 31, 2019.
 
General Indemnifications  

Many of our commercial agreements contain commercially standard indemnification obligations related to tort, material breach or other liabilities that arise during the course of performance under the agreement. These indemnification obligations are typically mutual.

We are the lessee under many real estate leases. It is common in these commercial lease transactions for us, as the lessee, to agree to indemnify the lessor and other related third parties for tort, environmental and other liabilities that arise out of or relate to our use or occupancy of the leased premises. This type of indemnity would typically make us responsible to indemnified parties for liabilities arising out of the conduct of, among others, contractors, licensees and invitees at or in connection with the use or occupancy of the leased premises. This indemnity often extends to related liabilities arising from the negligence of the indemnified parties, but usually excludes any liabilities caused by either their sole or gross negligence and their willful misconduct.
 
Certain of our credit agreements include provisions which require us to make payments to preserve an expected economic return to the lenders if that economic return is diminished due to certain changes in law or regulations. In certain of these credit agreements, we also bear the risk of certain changes in tax laws that would be subject to payments to non-U.S. lenders to withholding taxes.
 
In conjunction with certain transactions, such as sales or purchases of operating assets or services in the ordinary course of business, or the disposition of certain assets or businesses, we sometimes provide routine indemnifications, the terms of which range in duration and sometimes are not limited.
 
The Company has entered into indemnification agreements with its directors and executive officers. Under these agreements, the Company has agreed to indemnify such individuals to the fullest extent permitted by law against liabilities that arise by reason of their status as directors or officers and to advance expenses incurred by such individuals in connection with the related legal proceedings. The Company maintains directors and officers liability insurance coverage to reduce its exposure to such obligations.
 
We cannot reasonably estimate our potential future payments under the indemnities and related provisions described above because we cannot predict when and under what circumstances these provisions may be triggered. We have no accrual related to indemnifications on our Consolidated Balance Sheets at December 31, 2019 and 2018.
 
Subsidiary Dividend and Fund Transfer Limitations

The ability of some of our subsidiaries and associated companies to transfer funds to us is limited, in some cases, by certain restrictions imposed by foreign governments, which do not, individually or in the aggregate, materially limit our ability to service our indebtedness, meet our current obligations or pay dividends.
 
Contingencies

In addition to the matters set forth above, we are involved in legal and regulatory matters, government investigations, claims and litigation arising in the ordinary course of business. We periodically assess our exposure related to these matters based on the information which is available. We have recorded accruals in our Consolidated Financial Statements for those matters in which it is probable that we have incurred a loss and the amount of the loss, or range of loss, can be reasonably estimated.
 
Although the final outcome of these matters cannot be predicted with certainty, any possible adverse outcome arising from these matters is not expected to have a material impact on our Consolidated Financial Statements, either individually or in the aggregate. However, our evaluation of the likely impact of these matters may change in the future. We accrue for unpaid legal fees for services performed to date.