Quarterly report pursuant to Section 13 or 15(d)


9 Months Ended
Sep. 30, 2017
Commitments and Contingencies Disclosure [Abstract]  
Cybersecurity Incident. In the third quarter of fiscal 2017, we announced a cybersecurity incident potentially impacting approximately 145.5 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on our forensic investigation, the unauthorized access occurred from mid-May through July 2017. The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. and Canadian consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. The investigation also determined that personal information of approximately 8,000 Canadian consumers was impacted and approximately 690,000 potentially affected U.K. consumers will be contacted regarding access to personal information in the cybersecurity incident.

Upon discovery of the unauthorized access, we acted immediately to stop the intrusion and promptly engaged a leading, independent cybersecurity firm to conduct a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. The forensic analysis of the consumers potentially impacted by the cybersecurity incident is now complete. We also reported the criminal access to law enforcement and continue to cooperate with law enforcement in connection with the criminal investigation into the actors responsible for the cybersecurity incident.

Expenses Incurred. In the third quarter of fiscal 2017, the Company recorded $27.3 million of pretax expenses related to the cybersecurity incident. These expenses are included in Selling, General and Administrative expenses in the accompanying Consolidated Statements of Income for the three and nine months ended September 30, 2017. Expenses include costs to investigate and remediate the cybersecurity incident and legal and other professional services related thereto, all of which were expensed as incurred.
Contingent Liability. Additionally, as a result of the cybersecurity incident, we are offering free credit file monitoring and identity theft protection to all U.S. consumers. We have concluded that the costs associated with providing this service are a contingent liability that is probable and estimable. We have therefore recorded an estimate of the expenses necessary to provide this service to those who have signed up or will sign up by the January 31, 2018 deadline. We have incurred $4.7 million through September 30, 2017 and have estimated a range of additional costs between $56 million and $110 million. In accordance with Accounting Standards Codification section 450-20-30-1, we have recorded a liability for the low end in the range as we do not believe that any amount within the range is a better estimate than any other amount.
Litigation, Claims and Government Investigations. As a result of the cybersecurity incident, we are subject to a significant number of proceedings and investigations as described in Part II, "Item 1. Legal Proceedings." While we believe it is reasonably possible that we will incur losses associated with these proceedings and investigations, it is not possible to estimate the amount of loss or range of possible loss, if any, that might result from adverse judgments, settlements, penalties or other resolution of such proceedings and investigations based on the early stage of these proceedings and investigations, that alleged damages have not been specified, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues.
Future Costs. We expect to incur significant legal and other professional services expenses associated with the cybersecurity incident in future periods. We will recognize these expenses as services are received. Costs related to the cybersecurity incident that will be incurred in future periods will also include increased expenses and capital investments for IT and security. We expect to incur increased expenses for insurance, finance, compliance activities, and to meet increased legal and regulatory requirements. We will also incur increased costs to provide free services to consumers including increased customer support costs.
Insurance Coverage. We maintain insurance coverage to limit our exposure to losses such as those related to the cybersecurity incident. Our coverage has a $7.5 million deductible. As of September 30, 2017, the Company has not recorded a receivable for costs the Company has incurred to date as we have not yet concluded that the costs are reimbursable and probable of recovery under our insurance coverage.
Data Processing, Outsourcing Services and Other Agreements.  We have separate agreements with IBM, Tata Consultancy Services and others to outsource portions of our computer data processing operations, applications development, business continuity and recovery services, help desk service and desktop support functions, operation of our voice and data networks, maintenance and related functions and to provide certain other administrative and operational services. Annual payment obligations in regard to these agreements vary due to factors such as the volume of data processed; changes in our servicing needs as a result of new product offerings, acquisitions or divestitures; the introduction of significant new technologies; foreign currency; or the general rate of inflation. In certain circumstances (e.g., a change in control or for our convenience), we may terminate these data processing and outsourcing agreements and, in doing so, certain of these agreements require us to pay significant termination fees.

Guarantees and General Indemnifications.   We may issue standby letters of credit and performance bonds in the normal course of business. The aggregate notional amount of all performance bonds and standby letters of credit was not material at September 30, 2017, and all have a remaining maturity of one year or less. We may issue other guarantees in the ordinary course of business. The maximum potential future payments we could be required to make under the guarantees in the ordinary course of business is not material at September 30, 2017. We have agreed to guarantee the liabilities and performance obligations (some of which have limitations) of a certain debt collections and recovery management VIE under its commercial agreements.

We have agreed to standard indemnification clauses in many of our lease agreements for office space, covering such things as tort, environmental and other liabilities that arise out of or relate to our use or occupancy of the leased premises. Certain of our credit agreements include provisions which require us to make payments to preserve an expected economic return to the lenders if that economic return is diminished due to certain changes in law or regulations. In conjunction with certain transactions, such as sales or purchases of operating assets or services in the ordinary course of business, or the disposition of certain assets or businesses, we sometimes provide routine indemnifications, the terms of which range in duration and sometimes are not limited. Additionally, the Company has entered into indemnification agreements with its directors and executive officers to indemnify such individuals to the fullest extent permitted by applicable law against liabilities that arise by reason of their status as directors or officers. The Company maintains directors and officers liability insurance coverage to reduce its exposure to such obligations.
We cannot reasonably estimate our potential future payments under the guarantees and indemnities and related provisions described above because we cannot predict when and under what circumstances these provisions may be triggered. We had no accruals related to guarantees and indemnities on our Consolidated Balance Sheets at September 30, 2017 or December 31, 2016.
Contingencies.   We are involved in legal and regulatory matters, government investigations, claims and litigation arising in the ordinary course of business. We periodically assess our exposure related to these matters based on the information which is available. We have recorded accruals in our Consolidated Financial Statements for those matters in which it is probable that we have incurred a loss and the amount of the loss, or range of loss, can be reasonably estimated.

For additional information about these and other commitments and contingencies, see Note 6 of the Notes to Consolidated Financial Statements in our 2016 Form 10-K.