Equifax Inc. Quarterly report pursuant to Section 13 or 15(d)

Quarterly report pursuant to Section 13 or 15(d)

COMMITMENTS AND CONTINGENCIES

COMMITMENTS AND CONTINGENCIES

6 Months Ended

Jun. 30, 2018

Commitments and Contingencies Disclosure [Abstract]

Cybersecurity Incident. In fiscal 2017, we experienced a cybersecurity incident following a criminal attack on our systems that involved the theft of certain personally identifiable information of U.S., Canadian and U.K. consumers. Criminals exploited a U.S. website application vulnerability to gain unauthorized access to our network. Based on our forensic investigation, the unauthorized access occurred from mid-May through July 2017. The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, payment card numbers for approximately 209,000 U.S. and Canadian consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. The investigation also determined that personal information of approximately 19,000 Canadian consumers was impacted and approximately 860,000 potentially affected U.K. consumers were contacted regarding access to personal information.

The Company acted promptly to notify the approximately 145.5 million U.S. consumers whose personally identifiable information the Company had identified in 2017 as potentially accessed. As a result of an ongoing analysis of data stolen in the 2017 cybersecurity incident, the Company announced in March 2018, that it had identified approximately 2.4 million U.S. consumers whose name and partial driver's license information were stolen, but who were not in the affected population of approximately 145.5 million consumers previously identified by the Company in 2017.

Below is a rollforward of accrued liabilities and insurance receivable associated with the cybersecurity incident, beginning with the event date:



	Accrued Liabilities			Insurance Receivable
	(In millions)
Balance at September 7, 2017	$	—		$	—
(Expenses incurred) insurance receivable recorded	(87.5		)	—
Payments made (received)	—			—
Balance at September 30, 2017	$	(87.5	)	$	—
(Expenses incurred) insurance receivable recorded	(76.5		)	50.0
Payments made (received)	88.4			(15.0		)
Balance at December 31, 2017	$	(75.6	)	$	35.0
(Expenses incurred) insurance receivable recorded	(4.1		)	10.0
Payments made (received)	52.2			(35.0		)
Balance at March 31, 2018	$	(27.5	)	$	10.0
(Expenses incurred) insurance receivable recorded	—			35.0
Payments made (received)	17.8			(45.0		)
Balance at June 30, 2018	$	(9.7	)	$	—

Product Liability. As a result of the cybersecurity incident, we offered TrustedID® Premier, a credit file monitoring and identity theft protection product, for free to all U.S. consumers who signed up through January 31, 2018. We have recorded the expenses necessary to provide this service to those who signed up. Through December 31, 2017, we recorded $50.7 million of product costs in selling, general, and administrative expenses. We have not recorded any product expenses related to this service in the accompanying Consolidated Statements of Income for the three months ended June 30, 2018 and we have recorded $4.1 million related to this service in selling, general and administrative expenses in the accompanying Consolidated Statements of Income for the six months ended June 30, 2018.

Expenses Incurred. Through December 31, 2017, the Company recorded $113.3 million of pretax expenses related to the cybersecurity incident. Expenses include costs to investigate and remediate the cybersecurity incident and legal and other professional services related thereto, all of which are expensed as incurred. We have included these costs in the above table through December 31, 2017. Beginning in 2018, expenses included in the above table include only costs incurred as part of the delivery of the free product.

Future Costs. We expect to incur significant professional services expenses associated with the cybersecurity incident in future periods. We will recognize these expenses as services are received. Costs related to the cybersecurity incident that will be incurred in future periods will also include increased expenses and capital investments for IT and security. We also expect to incur increased expenses for insurance, finance, compliance activities and to meet increased legal and regulatory requirements.

Insurance Coverage. We maintain $125.0 million of cybersecurity insurance coverage, above a $7.5 million deductible, to limit our exposure to losses such as those related to the cybersecurity incident. During the three and six months ended June 30, 2018, the Company has recorded insurance recoveries of $35.0 million and $45.0 million, respectively. Since the announcement of the cybersecurity incident in September 2017, we have recorded and received insurance recoveries of $95.0 million for costs incurred through June 30, 2018.

Litigation, Claims and Government Investigations. As a result of the 2017 cybersecurity incident, we are subject to a significant number of proceedings and investigations. Following the 2017 cybersecurity incident, hundreds of class actions were filed against us in federal, state and Canadian courts relating to the 2017 cybersecurity incident. The plaintiffs in these cases, who purport to represent various classes of consumers and small businesses, generally claim to have been harmed by alleged actions and/or omissions by Equifax in connection with the 2017 cybersecurity incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief and other related relief. In addition, certain class actions have been filed by financial institutions that allege their businesses have been placed at risk due to the 2017 cybersecurity incident and generally assert various common law claims such as claims for negligence and breach of contract, as well as, in some cases, statutory claims. The financial institution class actions seek compensatory damages and other related relief. Furthermore, a lawsuit has been filed against us by the City of Chicago with respect to the 2017 cybersecurity incident alleging violations of state laws and local ordinances governing protection of personal data, consumer fraud and breach notice requirements and business practices and seeking declaratory and injunctive relief and the imposition of fines the aggregate amount of which the complaint does not specifically quantify. Beginning on December 6, 2017 and pursuant to multiple subsequent orders, the U.S. Judicial Panel on Multidistrict Litigation ordered the consolidation and transfer for pre-trial proceedings with respect to the U.S. cases pending in federal court discussed above, including the City of Chicago action, to the Northern District of Georgia as the single U.S. District Court for centralized pre-trial proceedings. Based on this order, consolidated proceedings with respect to U.S. consumer, small business, and financial institution federal class actions related to the 2017 cybersecurity incident have been conducted in the U.S. District Court for the Northern District of Georgia (“MDL Court”). The MDL Court has established separate tracks for the consumer and financial institution cases and appointed lead counsel on behalf of plaintiffs in both tracks. Separate consolidated nationwide class action complaints have been filed on behalf of consumer, small business, and financial institution plaintiffs. The cases before the MDL Court are in preliminary stages. We have moved to dismiss the consolidated complaints filed by the U.S. consumers and the financial institutions, and intend to file a motion to dismiss the small business complaint. In addition to these federal court proceedings, several putative class actions arising from the 2017 cybersecurity incident have been filed against us in the Fulton County Superior Court in Georgia based on similar allegations and theories as alleged in the U.S. consumer class actions seeking monetary damages, injunctive relief and other related relief on behalf of Georgia citizens. These cases have been transferred to a single judge in the Fulton County Business Court and three of the cases were consolidated into a single action. Six Canadian class actions, four of which are on behalf of a national class, have been filed against us in Ontario, Saskatchewan, Quebec and British Columbia. Each of the proposed Canadian class actions asserts a number of common law and statutory claims seeking monetary damages and other related relief in connection with the 2017 cybersecurity incident. All such actions are at the preliminary stages and one action has been stayed. In addition, civil enforcement actions have been filed against us by the Attorneys General of Massachusetts and West Virginia alleging violations of state/commonwealth consumer protection laws. The Massachusetts action is pending in Suffolk Superior Court and seeks permanent injunctive relief, civil penalties, restitution, disgorgement of profits, costs, and attorneys’ fees. The West Virginia action is pending in the Circuit Court of Boone County and seeks civil penalties and attorneys’ fees. The Attorney General of Puerto Rico filed an action against us in the United States District Court for the District of Puerto Rico alleging negligence and seeking monetary damages on behalf of aggrieved residents of Puerto Rico, disgorgement of profits, costs, and attorneys’ fees. These three cases are all at the preliminary stages. Finally, a lawsuit has been filed against us by the City of San Francisco in Superior Court in the City of San Francisco alleging violations of California’s unfair competition law due to purported violations of statutory protections of personal data and statutory data breach requirements and seeking statutory penalties, injunctive relief, and restitution for California consumers among other relief. The City of San Francisco action has been stayed by the court. We dispute the allegations in the complaints described above and intend to defend against such claims.

In addition, we continue to cooperate with federal, state, city and foreign governmental agencies and officials investigating or otherwise seeking information and/or documents, including through Civil Investigative Demands and subpoenas, regarding the 2017 cybersecurity incident and related matters, including 48 state Attorneys General offices, as well as the District of Columbia, the Federal Trade Commission ("FTC"), the Consumer Financial Protection Bureau ("CFPB"), the U.S. Securities and Exchange Commission (“SEC”), the U.S. Department of Justice, the New York Department of Financial Services, the New York Department of State-Division of Consumer Protection, other U.S. state regulators, the Financial Industry Regulatory Authority, certain Congressional committees of both the U.S. Senate and House of Representatives, the United Kingdom’s Financial Conduct Authority (“FCA”), the Information Commissioner’s Office in the United Kingdom and the Office of the Privacy Commissioner of Canada. On June 13, 2018, the CFPB and FTC provided us with notice that the staff of the CFPB and FTC are considering recommending that their respective agencies take legal action against us, and that the agencies may seek injunctive relief against us, as well as damages and civil money penalties. We submitted a written response to the CFPB and FTC addressing their expected allegations and we continue to cooperate with the agencies in their investigation. Although we are actively cooperating with that above investigations and inquiries, an adverse outcome to any such investigations and inquiries could subject us to fines or other obligations, which may have an adverse effect on how we operate our business or our results of operations. In addition, we continue to cooperate with the SEC and the U.S. Attorney’s Office for the Northern District of Georgia regarding investigations into the trading activities by certain of our current and former employees in relation to the 2017 cybersecurity incident.

On June 25, 2018, we entered into a Consent Order with state banking regulators in response to their multi-state review of the Company's information technology and security controls.

TransUnion Litigation. On November 27, 2017, Trans Union LLC and TransUnion Interactive, Inc. (collectively, “TransUnion”) filed a lawsuit in the U.S. District Court for the Northern District of Illinois against Equifax Information Services LLC, Equifax Inc., and Equifax Consumer Services LLC f/k/a Equifax Consumer Services, Inc. In its lawsuit, TransUnion asserts claims for declaratory relief, breach of contract, and anticipatory repudiation of contract based on our Reciprocal Data Supply Agreement (the “Agreement”), which sets forth the pricing terms for credit monitoring supplied by the parties to each other. TransUnion seeks a declaration regarding its contractual rights under the Agreement and monetary damages. On January 26, 2018, we moved to dismiss TransUnion’s claims. On June 19, 2018, the court granted in part and denied in part our motion to dismiss, dismissing Equifax Inc. from the case. Discovery has now commenced and is scheduled to end in January 2019. We dispute the allegations by TransUnion and intend to defend against its claims.

Securities Class Action Litigation. A consolidated putative class action lawsuit alleging violations of the federal securities laws in connection with statements regarding our cybersecurity systems and controls is pending against us and certain of our current and former officers and directors in the U.S. District Court for the Northern District of Georgia. The consolidated complaint seeks certification of a class of all persons who purchased or otherwise acquired Equifax securities from February 25, 2016 through September 15, 2017 and unspecified monetary damages, costs and attorneys’ fees. The defendants have moved to dismiss the complaint. We dispute the allegations in the complaint and intend to defend against the claims.

Shareholder Derivative Litigation. A consolidated putative shareholder derivative action naming certain of our current and former executives, officers, and directors as defendants and naming us as a nominal defendant is pending in the U.S. District Court for the Northern District of Georgia. Among other things, the consolidated complaint alleges claims for breaches of fiduciary duties, unjust enrichment, corporate waste, and insider selling by certain defendants, as well as certain claims under the federal securities laws. The complaint seeks unspecified damages on behalf of the Company, plus certain equitable relief. We have appointed a committee of independent directors empowered to evaluate and respond in our best interests to the claims and related litigation demands.

While we believe it is reasonably possible that we will incur losses associated with these proceedings and investigations, it is not possible to estimate the amount of loss or range of possible loss that might result from adverse judgments, settlements, penalties or other resolution of such proceedings and investigations based on the early stage of these proceedings and investigations, that alleged damages have not been specified, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues. The Company will continue to evaluate information as it becomes known and will record an estimate for losses at the time or times when it is both probable that a loss has been incurred and the amount of the loss is reasonably estimable. The Company believes that the ultimate amount paid on these actions, claims and investigations could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods.

Additional lawsuits and claims related to the 2017 cybersecurity incident may be asserted by or on behalf of consumers, customers, shareholders or others seeking damages or other related relief and additional inquiries from governmental agencies may be received or investigations by governmental agencies commenced.

Data Processing, Outsourcing Services and Other Agreements. We have separate agreements with IBM, Tata Consultancy Services and others to outsource portions of our computer data processing operations, applications development, business continuity and recovery services, help desk service and desktop support functions, operation of our voice and data networks, maintenance and related functions and to provide certain other administrative and operational services. Annual payment obligations in regard to these agreements vary due to factors such as the volume of data processed; changes in our servicing needs as a result of new product offerings, acquisitions or divestitures; the introduction of significant new technologies; foreign currency; or the general rate of inflation. In certain circumstances (e.g., a change in control or for our convenience), we may terminate these data processing and outsourcing agreements and, in doing so, certain of these agreements require us to pay significant termination fees.

Guarantees and General Indemnifications. We may issue standby letters of credit and performance bonds in the normal course of business. The aggregate notional amount of all performance bonds and standby letters of credit was not material at June 30, 2018, and all have a remaining maturity of one year or less. We may issue other guarantees in the ordinary course of business. The maximum potential future payments we could be required to make under the guarantees in the ordinary course of business is not material at June 30, 2018. We have agreed to guarantee the liabilities and performance obligations (some of which have limitations) of a certain debt collections and recovery management variable interest entity under its commercial agreements.

We have agreed to standard indemnification clauses in many of our lease agreements for office space, covering such things as tort, environmental and other liabilities that arise out of or relate to our use or occupancy of the leased premises. Certain of our credit agreements include provisions which require us to make payments to preserve an expected economic return to the lenders if that economic return is diminished due to certain changes in law or regulations. In conjunction with certain transactions, such as sales or purchases of operating assets or services in the ordinary course of business, or the disposition of certain assets or businesses, we sometimes provide routine indemnifications, the terms of which range in duration and sometimes are not limited. Additionally, the Company has entered into indemnification agreements with its directors and executive officers to indemnify such individuals to the fullest extent permitted by applicable law against liabilities that arise by reason of their status as directors or officers. The Company maintains directors and officers liability insurance coverage to reduce its exposure to such obligations.

We cannot reasonably estimate our potential future payments under the guarantees and indemnities and related provisions described above because we cannot predict when and under what circumstances these provisions may be triggered. We had no accruals related to guarantees and indemnities on our Consolidated Balance Sheets at June 30, 2018 or December 31, 2017.

Contingencies. We are involved in legal and regulatory matters, government investigations, claims and litigation arising in the ordinary course of business other than those related to the 2017 cybersecurity incident. We periodically assess our exposure related to these matters based on the information which is available. We have recorded accruals in our Consolidated Financial Statements for those matters in which it is probable that we have incurred a loss and the amount of the loss, or range of loss, can be reasonably estimated.

For additional information about these and other commitments and contingencies, see Note 6 of the Notes to Consolidated Financial Statements in our 2017 Form 10-K.