COMMITMENTS AND CONTINGENCIES
|12 Months Ended
Dec. 31, 2018
|Commitments and Contingencies Disclosure [Abstract]
|COMMITMENTS AND CONTINGENCIES
COMMITMENTS AND CONTINGENCIES
2017 Cybersecurity Incident.
In fiscal 2017, we experienced a cybersecurity incident following a criminal attack on our systems that involved the theft of certain personally identifiable information of U.S., Canadian and U.K. consumers. Criminals exploited a software vulnerability in a U.S. website application to gain unauthorized access to our network. In March 2017, the U.S. Department of Homeland Security distributed a notice concerning the software vulnerability. We undertook efforts to identify and remediate vulnerable systems; however, the vulnerability in the website application that was exploited was not identified by our security processes. We discovered unusual network activity in late-July 2017 and upon discovery promptly investigated the activity. Once the activity was identified as potential unauthorized access, we acted to stop the intrusion and engaged a leading, independent cybersecurity firm to conduct a forensic investigation to determine the scope of the unauthorized access, including the specific information potentially impacted. Based on our forensic investigation, the unauthorized access occurred from mid-May through July 2017.
Below is a rollforward of accrued liabilities and insurance receivable associated with the 2017 cybersecurity incident, beginning with the event date:
Product Liability. As a result of the 2017 cybersecurity incident, we offered TrustedID® Premier, a credit file monitoring and identity theft protection product, for free to all eligible U.S. consumers who signed up through January 31, 2018. We also provided free credit reports and scores, credit monitoring and identity theft protection for twenty four months to impacted consumers in Canada and the U.K. We have recorded the expenses necessary to provide this service to those who signed up. Through December 31, 2017, we recorded $50.7 million of product costs in selling, general and administrative expenses in the accompanying Consolidated Statements of Income. In 2018, the Company extended the free credit monitoring services for an additional twelve months for eligible consumers impacted by the 2017 cybersecurity incident by providing them the opportunity to enroll in Experian® IDNotify™ at no cost. We recorded $20.4 million related to these services in selling, general, and administrative expenses in the accompanying Consolidated Statements of Income for the twelve months ended December 31, 2018.
Expenses Incurred. Through December 31, 2017, the Company recorded $113.3 million of pre-tax expenses related to the 2017 cybersecurity incident. Expenses include costs to investigate and remediate the 2017 cybersecurity incident and legal and other professional services related thereto, all of which were expensed as incurred. We have included these costs in the above table through December 31, 2017. Beginning in 2018, expenses included in the above table include only costs incurred as part of the delivery of the free product.
Future Costs. We are currently executing substantial initiatives in security and consumer support, and a company-wide transformation of our technology infrastructure, which we refer to as our technology transformation, and incurred substantial increased expenses and capital expenditures in 2018 related to these initiatives. We expect to again incur significant expenses and capital expenditures in 2019 and 2020 related to these initiatives, although at levels slightly below those incurred in 2018.
We incurred significant legal and professional services expenses related to the lawsuits, claims and government investigations to which we are a party in 2018, and expect to continue to incur these expenses until these items are resolved. We will recognize the expenses and capital expenditures referenced herein as they are incurred. In 2018, we incurred elevated costs for insurance, finance and compliance activities, and expect to incur costs at these levels again in 2019.
Insurance Coverage. At the time of the 2017 cybersecurity incident, we had $125.0 million of cybersecurity insurance coverage, above a $7.5 million deductible, to limit our exposure to losses such as those related to this incident. During the twelve months ended December 31, 2018 and 2017, the Company recorded insurance recoveries of $75.0 million and $50.0 million, respectively, and received payments of $110.0 million and $15.0 million, respectively, for reimbursable costs incurred to date. Since the announcement of the 2017 cybersecurity incident in September 2017, we have received the maximum reimbursement under the insurance policy of $125.0 million.
Litigation, Claims and Government Investigations. As a result of the 2017 cybersecurity incident, we are subject to a significant number of proceedings and investigations. Since the 2017 cybersecurity incident, hundreds of class actions and other lawsuits have been filed against us typically alleging harm from the 2017 cybersecurity incident and seeking various remedies, including monetary and injunctive relief. We dispute the allegations in the complaints described below and intend to defend against such claims. In addition, numerous governmental agencies are investigating us in connection with the 2017 cybersecurity incident, which may result in fines, settlements or other relief. Set forth below are descriptions of the main categories of these lawsuits and investigations.
Other than as specifically stated below, while we believe it is reasonably possible that we will incur losses associated with such proceedings and investigations, it is not possible at this time to estimate the amount of loss or range of possible loss that might result from adverse judgments, settlements, penalties or other resolution of the proceedings and investigations described below based on the various stages of these proceedings and investigations, that alleged damages have not been specified or are uncertain, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues. The Company will continue to evaluate information as it becomes known and will record an estimate for losses at the time or times when it is both probable that a loss has been incurred and the amount of the loss is reasonably estimable. The Company believes that the ultimate amount paid on these actions, claims and investigations could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods.
Multidistrict Litigation. Hundreds of class actions were filed against us in federal and state courts relating to the 2017 cybersecurity incident. The plaintiffs in these cases, who purport to represent various classes of U.S. consumers and small businesses, generally claim to have been harmed by alleged actions and/or omissions by Equifax in connection with the 2017 cybersecurity incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief and other related relief.
In addition, certain class actions have been filed by financial institutions that allege their businesses have been placed at risk due to the 2017 cybersecurity incident and generally assert various common law claims such as claims for negligence and breach of contract, as well as, in some cases, statutory claims. The financial institution class actions seek compensatory damages, injunctive relief and other related relief.
Furthermore, a lawsuit has been filed against us by the City of Chicago with respect to the 2017 cybersecurity incident alleging violations of state laws and local ordinances governing protection of personal data, consumer fraud, breach notice requirements and business practices and seeking declaratory and injunctive relief and the imposition of fines the aggregate amount of which the complaint does not specifically quantify. Three Indian Tribes filed suits in federal court asserting putative class actions relating to the 2017 cybersecurity incident brought on behalf of themselves and other similarly situated federally recognized Indian Tribes and Nations. Additionally, the Commonwealth of Puerto Rico filed an action on its own behalf and on behalf of the people of Puerto Rico arising out of the 2017 cybersecurity incident.
Beginning on December 6, 2017 and pursuant to multiple subsequent orders, the U.S. Judicial Panel on Multidistrict Litigation ordered the consolidation and transfer for pre-trial proceedings with respect to the U.S. cases pending in federal court discussed above, including the City of Chicago action, the Indian Tribal suits, and the Puerto Rico action, to the Northern District of Georgia as the single U.S. District Court for centralized pre-trial proceedings (the “MDL Court”). Based on these orders, consolidated proceedings with respect to U.S. consumer and financial institution federal class actions and other lawsuits related to the 2017 cybersecurity incident have been conducted in the MDL Court. The MDL Court has established separate tracks for the consumer and financial institution class action cases and appointed lead counsel on behalf of plaintiffs in both tracks. Certain individual plaintiffs with cases pending in the MDL consolidated proceedings, including Puerto Rico and the City of Chicago, have sought the establishment of additional tracks and other related relief. The MDL Court has not yet ruled on those requests.
The Company moved to dismiss the consolidated class action complaints filed by the U.S. consumer, small business and financial institution plaintiffs in their entirety. On January 28, 2019, the MDL Court dismissed the small businesses’ consolidated class action complaint in its entirety. The MDL Court dismissed certain claims brought by the consumer and financial institution plaintiffs, while allowing other claims by those plaintiffs to proceed. Pursuant to case management orders issued by the MDL Court, consolidated pre-trial proceedings, including discovery between the parties, will proceed on the remaining claims of the U.S. consumer and financial institution plaintiffs.
Georgia State Court Consumer Class Actions. Four putative class actions arising from the 2017 cybersecurity incident were filed against us in Fulton County Superior Court and Fulton County State Court in Georgia based on similar allegations and theories as alleged in the U.S. consumer class actions pending in the MDL Court and seek monetary damages, injunctive relief and other related relief on behalf of Georgia citizens. These cases have been transferred to a single judge in the Fulton County Business Court and three of the cases were consolidated into a single action. On July 27, 2018, the Fulton County Business Court granted the Company’s motion to stay the remaining single case, and on August 17, 2018, the Fulton County Business Court granted the Company’s motion to stay the consolidated case.
Canadian Class Actions. Seven Canadian class actions, five of which are on behalf of a national class of approximately 19,000 Canadian consumers, have been filed against us in Ontario, Saskatchewan, Quebec and British Columbia. Each of the proposed Canadian class actions asserts a number of common law and statutory claims seeking monetary damages and other related relief in connection with the 2017 cybersecurity incident. The plaintiffs in each case seek class certification/authorization on behalf of Canadian consumers whose personal information was allegedly impacted by the 2017 cybersecurity incident. In some cases, plaintiffs also seek class certification on behalf of Canadian consumers who had contracts for subscription products with Equifax around the time of the incident. All purported class actions are at preliminary stages, and we are opposing class certification or authorization in cases where such motions are pending. In addition, one of the cases in Ontario as well as the Saskatchewan case have been stayed. The Court’s order staying the Saskatchewan case is on appeal.
TransUnion Litigation. On November 27, 2017, Trans Union LLC and TransUnion Interactive, Inc. (collectively, “TransUnion”) filed a lawsuit in the U.S. District Court for the Northern District of Illinois against Equifax Information Services LLC, Equifax Inc., and Equifax Consumer Services LLC f/k/a Equifax Consumer Services, Inc. In its lawsuit, TransUnion asserts claims for declaratory relief, breach of contract, and anticipatory repudiation of contract based on our Reciprocal Data Supply Agreement (the “Agreement”), which sets forth the pricing terms for credit monitoring supplied by the parties to each other. TransUnion seeks a declaration regarding its contractual rights under the Agreement and monetary damages. On January 26, 2018, we moved to dismiss TransUnion’s claims. On June 19, 2018, the court granted in part and denied in part our motion to dismiss, dismissing Equifax Inc. from the case. Discovery has now commenced and is scheduled to end in March 2019. We dispute the allegations by TransUnion and intend to defend against its claims.
Securities Class Action Litigation. A consolidated putative class action lawsuit alleging violations of various federal securities laws in connection with statements and alleged omissions regarding our cybersecurity systems and controls is pending against us and certain of our current and former executives, officers and directors in the U.S. District Court for the Northern District of Georgia. The consolidated complaint seeks certification of a class of all persons who purchased or otherwise acquired Equifax securities from February 25, 2016 through September 15, 2017 and unspecified monetary damages, costs and attorneys’ fees. The Company moved to dismiss the consolidated class action complaint in its entirety. On January 28, 2019, the court dismissed claims against certain individual defendants and claims challenging certain statements, but allowed other claims against Equifax and our former Chairman and Chief Executive Officer to proceed. Pursuant to scheduling and case management orders issued by the court, pre-trial proceedings, including discovery between the parties, will proceed on the remaining claims.
Shareholder Derivative Litigation. A consolidated putative shareholder derivative action naming certain of our current and former executives, officers and directors as defendants and naming us as a nominal defendant is pending in the U.S. District Court for the Northern District of Georgia. Among other things, the consolidated complaint alleges claims for breaches of fiduciary duties, unjust enrichment, corporate waste and insider selling by certain defendants, as well as certain claims under the federal securities laws. The complaint seeks unspecified damages on behalf of the Company, plus certain equitable relief. We have appointed a committee of independent directors empowered to evaluate and respond in our best interests to the claims and related litigation demands.
Government Lawsuits. In addition to the City of Chicago’s and Commonwealth of Puerto Rico’s lawsuits in the MDL Court, the City of San Francisco filed a lawsuit against us in Superior Court in the City of San Francisco on behalf of the People of the State of California alleging violations of California’s unfair competition law due to purported violations of statutory protections of personal data and statutory data breach requirements and seeking statutory penalties, injunctive relief, and restitution for California consumers, among other relief. The court has stayed the City of San Francisco action until March 29, 2019.
Civil enforcement actions have been filed against us by the Attorneys General of Massachusetts and West Virginia alleging violations of commonwealth/state consumer protection laws. The Massachusetts action is pending in Suffolk Superior Court and seeks permanent injunctive relief, civil penalties, restitution, disgorgement of profits, costs and attorneys’ fees. The Suffolk Superior Court denied the Company’s motions to stay and dismiss the case, and the case is in discovery. The West Virginia action is pending in the Circuit Court of Boone County and seeks civil penalties and attorneys’ fees. Equifax’s motion to stay proceedings was granted on a temporary basis on December 21, 2018, and then continued on January 24, 2019, with the court scheduling a further hearing for February 28, 2019. The lawsuit filed by the Attorney General of Puerto Rico was transferred to the MDL proceeding, as described above. The Puerto Rico Department of Consumer Affairs has issued Notices of Infraction related to the Company’s alleged failure to give timely notice of the data breach under Puerto Rico law to the Department and Puerto Rico consumers.
Individual Consumer Litigation. Over 1,000 individual consumer actions, including multi-plaintiff actions, have been filed against us in state (general jurisdiction and small claims) and federal courts across the U.S. related to the 2017 cybersecurity incident. These claims include more than 2,500 individual plaintiffs. In addition, there are approximately 50 individual arbitration claims. The plaintiffs/claimants in these cases generally claim to have been harmed by alleged actions and/or omissions by Equifax in connection with the 2017 cybersecurity incident and assert a variety of common law and statutory claims seeking primarily monetary damages. Where possible, actions filed in federal court or removed to federal court have been noticed for transfer to the MDL Court. Some of these matters have been finally resolved, and others are in various stages.
Government Investigations. We continue to cooperate with federal, state, city and foreign governmental agencies and officials investigating or otherwise seeking information, testimony and/or documents, including through Civil Investigative Demands and subpoenas, regarding the 2017 cybersecurity incident and related matters, including 48 state Attorneys General offices, the District of Columbia, the Federal Trade Commission (“FTC”), the Consumer Financial Protection Bureau (“CFPB”), the U.S. Securities and Exchange Commission (“SEC”), the U.S. Department of Justice, other U.S. state regulators, certain Congressional committees of both the U.S. Senate and House of Representatives, the Office of the Privacy Commissioner of Canada (“OPC”) and the U.K.’s Financial Conduct Authority (“FCA”). The Financial Industry Regulatory Authority, Inc. conducted an investigation that has now been concluded.
With respect to state Attorneys General investigations, the Company is cooperating with a consolidated multi-state investigation involving the Attorneys General of 46 states and the District of Columbia. As noted above, the Attorneys General of Massachusetts, West Virginia and Puerto Rico are not participating in the multi-state process and have filed suit. The Attorneys General of Indiana and Texas are each conducting separate investigations.
The staffs of the CFPB and FTC have informed us that their respective agencies intend to seek injunctive relief damages and, with respect to the CFPB, civil money penalties against us based on allegations related to the 2017 cybersecurity incident. We have submitted written responses to the CFPB and FTC addressing their allegations, and we continue to cooperate with the agencies in their investigations. On October 2, 2018, the Enforcement Staff of the NYDFS provided us with notice that it is considering recommending that the NYDFS take legal action against us, potentially seeking consumer relief and civil money penalties. We continue to cooperate with the NYDFS in its investigation.
The staff of the OPC has informed us that the OPC intends to make certain findings and recommendations in connection with its investigation of the 2017 cybersecurity incident. We have submitted written responses to the OPC and we continue to cooperate in its investigation.
The SEC issued a subpoena on May 14, 2018 regarding disclosure issues relating to the 2017 cybersecurity incident. We continue to cooperate with the SEC in its investigation. In addition, we continue to cooperate with the SEC and the U.S. Attorney’s Office for the Northern District of Georgia regarding investigations into the trading activities by certain of our current and former employees in relation to the 2017 cybersecurity incident.
The New York State Attorney General Investor Protection Bureau (“IPB”) issued a subpoena on September 20, 2017 relating to an investigation of whether there has been a violation of the Martin Act. We continue to cooperate with the IPB in its investigation.
The FCA served an Enforcement Notice and Information Requests. We have provided responses to these requests and continue to cooperate with the FCA.
Although we are actively cooperating with the above investigations and inquiries, an adverse outcome to any such investigations and inquiries could subject us to fines or other obligations, which may have an adverse effect on how we operate our business or our results of operations.
Public Records Litigation
Equifax has been named as a defendant in 19 putative class action lawsuits pending in federal courts across the country relating to its reporting of civil judgments and tax liens on consumers’ credit files. In October 2018, Equifax and the plaintiffs’ attorneys who filed the lawsuits reached an agreement in principle to settle the public records-related claims at issue on behalf of a nationwide class of consumers and we accrued an estimate of $18.5 million for our liability for these matters in the third quarter of 2018. The amount accrued represents our best estimate of the liability related to this matter. The parties have filed notices of settlement in the pending lawsuits and have begun drafting a settlement agreement and preliminary approval papers to file with the requisite court. If the final terms of a settlement agreement cannot be agreed upon, or if the settlement is not ultimately approved by the court, Equifax believes it has valid defenses to each of these actions and will continue to defend against them.
Our operating leases principally involve office space and office equipment. Rental expense for operating leases, which is recognized on a straight-line basis over the lease term, was $41.3 million, $34.5 million and $29.1 million for the twelve months ended December 31, 2018, 2017 and 2016, respectively. Our headquarters building ground lease has purchase options exercisable beginning in 2019, renewal options exercisable in 2048 and escalation clauses that began in 2009. Expected future minimum payment obligations for non-cancelable operating leases exceeding one year are as follows as of December 31, 2018:
We have no material sublease agreements and as a result, expected sublease income is not reflected as a reduction in the total minimum rental obligations under operating leases in the table above.
Data Processing, Outsourcing Services and Other Agreements
We have separate agreements with IBM, Tata Consultancy Services, Fidelity Information Services, and others to outsource portions of our computer data processing operations, applications development, business continuity and recovery services, help desk service and desktop support functions, operation of our voice and data networks, maintenance and related functions and to provide certain other administrative and operational services. The agreements expire between 2019 and 2024. The estimated aggregate minimum contractual obligation remaining under these agreements is approximately $134 million as of December 31, 2018, with no future year’s minimum contractual obligation expected to exceed approximately $102 million. Annual payment obligations in regard to these agreements vary due to factors such as the volume of data processed; changes in our servicing needs as a result of new product offerings, acquisitions or divestitures; the introduction of significant new technologies; foreign currency; or the general rate of inflation. In certain circumstances (e.g., a change in control or for our convenience), we may terminate these data processing and outsourcing agreements, and, in doing so, certain of these agreements require us to pay significant termination fees.
Under our agreement with IBM (which covers our operations in North America and Europe), we have outsourced certain of our mainframe and midrange operations, help desk service and desktop support functions, and the operation of our voice and data networks. The scope of services provided by IBM, and the term of our agreement with respect to such services, varies by geography and location. The estimated future minimum contractual obligation under the revised North America (US and Canada) and Europe (UK and Spain) agreements is approximately $30 million for the remaining term, with no individual year’s minimum expected to exceed approximately $26 million. We may terminate certain portions of this agreement without penalty in the event that IBM is in material breach of the terms of the agreement. During 2018, 2017 and 2016, we paid approximately $49 million, $40 million and $45 million, respectively, for these services.
Change in Control Agreements
We have entered into change in control severance agreements with certain key executives. The agreements provide for, among other things, certain payments and benefits in the event of a qualifying termination of employment (i.e., termination of employment by the executive for “good reason” or termination of employment by the Company without “cause,” each as defined in the agreements) following a change in control of the Company. In the event of a qualifying termination, the executive will become entitled to continuation of group health, dental, vision, life, disability, 401(k) and similar benefits for two or three years, depending on the eligibility, as well as a lump sum severance payment, all of which differs by executive.
The change in control agreements have a three-year term and automatically renew for another three years unless we elect not to renew the agreements. Change in control events potentially triggering benefits under the agreements would occur, subject to certain exceptions, if (1) any person acquires 20% or more of our voting stock; (2) upon a merger or other business combination, our shareholders receive less than two-thirds of the common stock and combined voting power of the new company; (3) we sell or otherwise dispose of all or substantially all of our assets; or (4) we liquidate or dissolve.
If these change in control agreements had been triggered as of December 31, 2018, payments of approximately $40.7 million would have been made (excluding tax gross-up amounts of $0.9 million). Under the Company’s existing director and employee stock benefit plans, a change in control generally would result in the immediate vesting of all outstanding stock options and satisfaction of the restrictions on any outstanding nonvested stock awards. With respect to unvested performance based share awards dependent upon the Company’s three-year relative total shareholder return, if at least one calendar year of performance during the performance period has been completed prior to the change in control event, the awards will be paid out based on the Company’s performance at that time; otherwise the payout of shares will be at 100% of the target award. For awards granted in 2018, the vesting described above occurs only if the awards are not assumed or continued in the change in control transaction or if the executive incurs a qualifying termination in connection with the change in control.
We will from time to time issue standby letters of credit, performance or surety bonds or other guarantees in the normal course of business. The aggregate notional amount of all performance bonds, surety bonds, and standby letters of credit is not material at December 31, 2018 and generally have a remaining maturity of one year or less. We may issue other guarantees in the ordinary course of business. The maximum potential future payments we could be required to make under the guarantees is not material at December 31, 2018. We have agreed to guarantee the liabilities and performance obligations (some of which have limitations) of a certain debt collections and recovery management VIE under its commercial agreements. We cannot reasonably estimate our potential future payments under the guarantees and related provisions described above because we cannot predict when and under what circumstances these provisions may be triggered. We had no accruals related to guarantees on our Consolidated Balance Sheets at December 31, 2018.
Many of our commercial agreements contain commercially standard indemnification obligations related to tort, material breach or other liabilities that arise during the course of performance under the agreement. These indemnification obligations are typically mutual.
We are the lessee under many real estate leases. It is common in these commercial lease transactions for us, as the lessee, to agree to indemnify the lessor and other related third parties for tort, environmental and other liabilities that arise out of or relate to our use or occupancy of the leased premises. This type of indemnity would typically make us responsible to indemnified parties for liabilities arising out of the conduct of, among others, contractors, licensees and invitees at or in connection with the use or occupancy of the leased premises. This indemnity often extends to related liabilities arising from the negligence of the indemnified parties, but usually excludes any liabilities caused by either their sole or gross negligence and their willful misconduct.
Certain of our credit agreements include provisions which require us to make payments to preserve an expected economic return to the lenders if that economic return is diminished due to certain changes in law or regulations. In certain of these credit agreements, we also bear the risk of certain changes in tax laws that would subject payments to non-U.S. lenders to withholding taxes.
In conjunction with certain transactions, such as sales or purchases of operating assets or services in the ordinary course of business, or the disposition of certain assets or businesses, we sometimes provide routine indemnifications, the terms of which range in duration and sometimes are not limited.
The Company has entered into indemnification agreements with its directors and executive officers. Under these agreements, the Company has agreed to indemnify such individuals to the fullest extent permitted by law against liabilities that arise by reason of their status as directors or officers and to advance expenses incurred by such individuals in connection with the related legal proceedings. The Company maintains directors and officers liability insurance coverage to reduce its exposure to such obligations.
We cannot reasonably estimate our potential future payments under the indemnities and related provisions described above because we cannot predict when and under what circumstances these provisions may be triggered. We have no accrual related to indemnifications on our Consolidated Balance Sheets at December 31, 2018 and 2017.
Subsidiary Dividend and Fund Transfer Limitations
The ability of some of our subsidiaries and associated companies to transfer funds to us is limited, in some cases, by certain restrictions imposed by foreign governments, which do not, individually or in the aggregate, materially limit our ability to service our indebtedness, meet our current obligations or pay dividends.
In addition to the matters set forth above, we are involved in legal and regulatory matters, government investigations, claims and litigation arising in the ordinary course of business. We periodically assess our exposure related to these matters based on the information which is available. We have recorded accruals in our Consolidated Financial Statements for those matters in which it is probable that we have incurred a loss and the amount of the loss, or range of loss, can be reasonably estimated.
Although the final outcome of these matters cannot be predicted with certainty, any possible adverse outcome arising from these matters is not expected to have a material impact on our Consolidated Financial Statements, either individually or in the aggregate. However, our evaluation of the likely impact of these matters may change in the future. We accrue for unpaid legal fees for services performed to date.