Annual report pursuant to Section 13 and 15(d)


12 Months Ended
Dec. 31, 2017
Commitments and Contingencies Disclosure [Abstract]  
Cybersecurity Incident. In fiscal 2017, we experienced a cybersecurity incident following a criminal attack on our systems that involved the theft of certain personally identifiable information of U.S., Canadian and U.K. consumers. Criminals exploited a U.S. website application vulnerability to gain unauthorized access to our network. Based on our forensic investigation, the unauthorized access occurred from mid-May through July 2017. The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. and Canadian consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. The investigation determined that personal information of approximately 19,000 Canadian consumers was impacted and approximately 860,000 potentially affected U.K. consumers were contacted regarding access to personal information.

As a result of an ongoing analysis of data stolen in the 2017 cybersecurity incident, the Company recently announced that it has identified approximately 2.4 million U.S. consumers whose name and partial driver's license information were stolen, but who were not in the affected population of approximately 145.5 million consumers previously identified by the Company in 2017. The Company is in the process of notifying these additional consumers.

Upon discovery of the unauthorized access, we acted immediately to stop the intrusion and promptly engaged a leading, independent cybersecurity firm to conduct a comprehensive forensic investigation to determine the scope of the intrusion, including the specific data potentially impacted. The forensic investigation of the consumers potentially impacted by the cybersecurity incident was completed in the fourth quarter of 2017. We also reported the criminal access to law enforcement and continue to cooperate with law enforcement in connection with the criminal investigation into the actors responsible for the cybersecurity incident.

Expenses Incurred. Through December 31, 2017, the Company recorded $113.3 million of pretax expenses related to the cybersecurity incident. We have included $14.2 million of these expenses in Cost of services and $99.1 million in Selling, general and administrative expenses in the accompanying Consolidated Statements of Income for the year ended December 31, 2017. Expenses include costs to investigate and remediate the cybersecurity incident and legal and other professional services related thereto, all of which were expensed as incurred. 

Product Liability. Additionally, as a result of the cybersecurity incident, we offered free credit file monitoring and identity theft protection to all U.S. consumers. We have recorded the expenses necessary to provide this service to those who signed up. We have recorded $50.7 million through December 31, 2017 included in Selling, general and administrative expenses in the accompanying Consolidated Statements of Income.

Litigation, Claims and Government Investigations. As a result of the cybersecurity incident, we are subject to a significant number of proceedings and investigations. Following the 2017 cybersecurity incident, hundreds of class actions were filed by consumers against us in federal, state and Canadian courts relating to the cybersecurity incident. The plaintiffs in these cases, who purport to represent various classes of consumers, generally claim to have been harmed by alleged actions and/or omissions by Equifax in connection with the cybersecurity incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief and other related relief. In addition, certain class actions have been filed by financial institutions who allege their businesses have been placed at risk due to the cybersecurity incident and generally assert various common law claims such as claims for negligence and breach of contract, as well as, in some cases, statutory claims. The financial institutions class actions seek compensatory damages and other related relief. Furthermore, a lawsuit has been filed by the City of Chicago with respect to the cybersecurity incident alleging violations of state laws and local ordinances governing protection of personal data, consumer fraud and breach notice requirements and business practices. Beginning on December 6, 2017 and pursuant to multiple subsequent orders, the U.S. Judicial Panel on Multidistrict Litigation ordered the consolidation and transfer for pre-trial proceedings with respect to the U.S. cases pending in federal court discussed above to the Northern District of Georgia as the single U.S. District Court for centralized proceedings. Based on this order, consolidated pre-trial hearings with respect to U.S. consumer and financial institution federal class actions related to the cybersecurity incident have begun in the Northern District of Georgia. 
In addition to these federal court proceedings, four putative class actions arising from the cybersecurity incident have been filed in the Fulton County Superior Court in Georgia. We have also appeared or notified the appropriate parties of representation in the Canadian class actions, but such actions are all at the preliminary stages. In addition, a civil enforcement action has been filed by the Attorney General of Massachusetts and a lawsuit has been filed by the City of San Francisco, each of which is in the initial pre-trial stages. We dispute the allegations in the complaints described above and intend to defend against such claims.

In addition, we continue to cooperate with federal, state, city and foreign governmental agencies and officials investigating or otherwise seeking information and/or documents, including through Civil Investigative Demands, regarding the cybersecurity incident and related matters, including 49 state Attorneys General offices, as well as the District of Columbia, the Federal Trade Commission, the Consumer Finance Protection Bureau, the U.S. Securities and Exchange Commission (“SEC”), the U.S. Department of Justice, the New York Department of Financial Services, the New York Department of State - Division of Consumer Protection, other U.S. state regulators, including state banking regulators, the Financial Industry Regulatory Authority, certain Congressional committees of both the U.S. Senate and House of Representatives, the United Kingdom’s Financial Conduct Authority (“FCA”), the Information Commissioner’s Office in the United Kingdom and the Office of the Privacy Commissioner of Canada. Although we are actively cooperating with these investigations and inquiries, an adverse outcome to any such investigations and inquiries could subject us to fines or other obligations, which may have an adverse effect on how we operate our business or our results of operations. In addition, we continue to cooperate with the SEC and the U.S. Attorney’s Office for the Northern District of Georgia regarding investigations into the trading activities by certain of our employees in relation to the cybersecurity incident.
TransUnion Litigation. On November 27, 2017, Trans Union LLC and TransUnion Interactive, Inc. (collectively, “TransUnion”) filed a lawsuit in the U.S. District Court for the Northern District of Illinois against Equifax Information Services LLC, Equifax Inc., and Equifax Consumer Services LLC f/k/a Equifax Consumer Services, Inc. In its lawsuit, TransUnion asserts claims for declaratory relief, breach of contract, and anticipatory repudiation of contract based on our Reciprocal Data Supply Agreement (the “Agreement”), which sets forth the pricing terms for credit monitoring supplied by the parties to each other. TransUnion seeks a declaration regarding its contractual rights under the Agreement and monetary damages. On January 26, 2018, we moved to dismiss TransUnion’s claims, and discovery in the case has been stayed until a ruling on that motion is issued. We dispute the allegations by TransUnion and intend to defend against its claims.
Securities Class Action Litigation. A consolidated putative class action lawsuit alleging violations of the federal securities laws in connection with statements regarding our cybersecurity systems and controls is pending against us and certain of our current and former officers and directors in the Northern District of Georgia. The complaints seek certification of a class of all persons who purchased or otherwise acquired Equifax securities during a set period of time and unspecified monetary damages, costs and attorneys’ fees. We dispute the allegations in these complaints and intend to defend against the claims.
Shareholder Derivative Litigation. Four putative shareholder derivative lawsuits have been commenced in the Northern District of Georgia naming certain of our current and former officers and directors as defendants and naming us as a nominal defendant. Among other things, the complaints allege claims for breaches of fiduciary duties, unjust enrichment, corporate waste, and insider selling by certain defendants. Three of the complaints also allege claims for violations of certain federal securities laws. The Complaints seek unspecified damages on behalf of the Company, plus certain equitable relief. Certain plaintiffs have filed motions seeking consolidation of the actions and appointment as lead plaintiffs. We have appointed a committee of independent directors empowered to evaluate and respond in our best interests to the claims and related litigation demands.
While we believe it is reasonably possible that we will incur losses associated with these proceedings and investigations, it is not possible to estimate the amount of loss or range of possible loss that might result from adverse judgments, settlements, penalties or other resolution of such proceedings and investigations based on the early stage of these proceedings and investigations, that alleged damages have not been specified, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues. The Company will continue to evaluate information as it becomes known and will record an estimate for losses at the time or times when it is both probable that a loss has been incurred and the amount of the loss is reasonably estimable. The Company believes that the ultimate amount paid on these actions, claims and investigations could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods.
Additional lawsuits and claims related to the 2017 cybersecurity incident may be asserted by or on behalf of consumers, customers, shareholders or others seeking damages or other related relief and additional inquiries from governmental agencies may be received or investigations by governmental agencies commenced.

Future Costs. We expect to incur significant legal and other professional services expenses associated with the cybersecurity incident in future periods. We will recognize these expenses as services are received. Costs related to the cybersecurity incident that will be incurred in future periods will also include increased expenses and capital investments for IT and security. We expect to incur increased expenses for insurance, finance, compliance activities, and to meet increased legal and regulatory requirements. We will also incur increased costs to provide free services to consumers including increased customer support costs.

Insurance Coverage. We maintain $125 million of cybersecurity insurance coverage, above a $7.5 million deductible, to limit our exposure to losses such as those related to the cybersecurity incident. As of December 31, 2017, the Company has recorded a receivable of $35.0 million and received payments of $15 million for costs incurred to date that are reimbursable and probable of recovery under our insurance coverage.

At December 31, 2017, accrued liabilities and insurance receivable related to the cybersecurity incident consisted of the following:
Accrued Liabilities
Insurance Receivable
(In millions)
(Expenses incurred) insurance receivable recorded

Payments made (received)

Balance at December 31, 2017

Leases.  Our operating leases principally involve office space and office equipment. Rental expense for operating leases, which is recognized on a straight-line basis over the lease term, was $34.5 million, $29.1 million and $24.2 million for the twelve months ended December 31, 2017, 2016 and 2015, respectively. Our headquarters building ground lease has purchase options exercisable beginning in 2019, renewal options exercisable in 2048 and escalation clauses that began in 2009. Expected future minimum payment obligations for non-cancelable operating leases exceeding one year are as follows as of December 31, 2017:
Years ending December 31,
(In millions)







We have no material sublease agreements and as a result, expected sublease income is not reflected as a reduction in the total minimum rental obligations under operating leases in the table above.
Data Processing, Outsourcing Services and Other Agreements.  We have separate agreements with IBM, Tata Consultancy Services, Fidelity Information Services, and others to outsource portions of our computer data processing operations, applications development, business continuity and recovery services, help desk service and desktop support functions, operation of our voice and data networks, maintenance and related functions and to provide certain other administrative and operational services. The agreements expire between 2018 and 2022. The estimated aggregate minimum contractual obligation remaining under these agreements is approximately $125 million as of December 31, 2017, with no future year’s minimum contractual obligation expected to exceed approximately $85 million. Annual payment obligations in regard to these agreements vary due to factors such as the volume of data processed; changes in our servicing needs as a result of new product offerings, acquisitions or divestitures; the introduction of significant new technologies; foreign currency; or the general rate of inflation. In certain circumstances (e.g., a change in control or for our convenience), we may terminate these data processing and outsourcing agreements, and, in doing so, certain of these agreements require us to pay significant termination fees.
Under our agreement with IBM (which covers our operations in North America and Europe), we have outsourced certain of our mainframe and midrange operations, help desk service and desktop support functions, and the operation of our voice and data networks. The scope of services provided by IBM, and the term of our agreement with respect to such services, varies by geography and location. The estimated future minimum contractual obligation under the revised North America (US and Canada) and Europe (UK and Spain) agreements is approximately $48 million for the remaining term, with no individual year's minimum expected to exceed approximately $24 million. We may terminate certain portions of this agreement without penalty in the event that IBM is in material breach of the terms of the agreement. During 2017, 2016 and 2015, we paid approximately $40 million, $45 million and $50 million, respectively, for these services.
Change in Control Agreements.  We have entered into change in control severance agreements with certain key executives. The agreements provide for, among other things, certain payments and benefits in the event of a qualifying termination of employment (i.e., termination of employment by the executive for “good reason” or termination of employment by the Company without “cause,” each as defined in the agreements) following a change in control of the Company. In the event of a qualifying termination, the executive will become entitled to continuation of group health, dental, vision, life, disability, 401(k) and similar benefits for two or three years, depending on the eligibility, as well as a lump sum severance payment, all of which differs by executive. 
The change in control agreements have a three-year term and automatically renew for another three years unless we elect not to renew the agreements. Change in control events potentially triggering benefits under the agreements would occur, subject to certain exceptions, if (1) any person acquires 20% or more of our voting stock; (2) upon a merger or other business combination, our shareholders receive less than two-thirds of the common stock and combined voting power of the new company; (3) we sell or otherwise dispose of all or substantially all of our assets; or (4) we liquidate or dissolve.

If these change in control agreements had been triggered as of December 31, 2017, payments of approximately $45.9 million would have been made (excluding tax gross-up amounts of $10.3 million). Under the Company’s existing director and employee stock benefit plans, a change in control generally would result in the immediate vesting of all outstanding stock options and satisfaction of the restrictions on any outstanding nonvested stock awards. With respect to unvested performance based share awards dependent upon the Company’s three-year relative total shareholder return, if at least one calendar year of performance during the performance period has been completed prior to the change in control event, the awards will be paid out based on the Company’s performance at that time; otherwise the payout of shares will be at 100% of the target award. For awards granted in 2017, the vesting described above occurs only if the awards are not assumed or continued in the change in control transaction or if the executive incurs a qualifying termination in connection with the change in control.
Guarantees.  We will from time to time issue standby letters of credit, performance bonds or other guarantees in the normal course of business. The aggregate notional amount of all performance bonds and standby letters of credit is not material at December 31, 2017 and all have a remaining maturity of one year or less. We may issue other guarantees in the ordinary course of business. The maximum potential future payments we could be required to make under the guarantees is not material at December 31, 2017. We have agreed to guarantee the liabilities and performance obligations (some of which have limitations) of a certain debt collections and recovery management VIE under its commercial agreements. We cannot reasonably estimate our potential future payments under the guarantees and related provisions described above because we cannot predict when and under what circumstances these provisions may be triggered. We had no accruals related to guarantees on our Consolidated Balance Sheets at December 31, 2017.
General Indemnifications.  We are the lessee under many real estate leases. It is common in these commercial lease transactions for us, as the lessee, to agree to indemnify the lessor and other related third parties for tort, environmental and other liabilities that arise out of or relate to our use or occupancy of the leased premises. This type of indemnity would typically make us responsible to indemnified parties for liabilities arising out of the conduct of, among others, contractors, licensees and invitees at or in connection with the use or occupancy of the leased premises. This indemnity often extends to related liabilities arising from the negligence of the indemnified parties, but usually excludes any liabilities caused by either their sole or gross negligence and their willful misconduct.
Certain of our credit agreements include provisions which require us to make payments to preserve an expected economic return to the lenders if that economic return is diminished due to certain changes in law or regulations. In certain of these credit agreements, we also bear the risk of certain changes in tax laws that would subject payments to non-U.S. lenders to withholding taxes.
In conjunction with certain transactions, such as sales or purchases of operating assets or services in the ordinary course of business, or the disposition of certain assets or businesses, we sometimes provide routine indemnifications, the terms of which range in duration and sometimes are not limited.
The Company has entered into indemnification agreements with its directors and executive officers. Under these agreements, the Company has agreed to indemnify such individuals to the fullest extent permitted by law against liabilities that arise by reason of their status as directors or officers and to advance expenses incurred by such individuals in connection with the related legal proceedings. The Company maintains directors and officers liability insurance coverage to reduce its exposure to such obligations.
We cannot reasonably estimate our potential future payments under the indemnities and related provisions described above because we cannot predict when and under what circumstances these provisions may be triggered. We have no accrual related to indemnifications on our Consolidated Balance Sheets at December 31, 2017 and 2016.
Subsidiary Dividend and Fund Transfer Limitations.  The ability of some of our subsidiaries and associated companies to transfer funds to us is limited, in some cases, by certain restrictions imposed by foreign governments, which do not, individually or in the aggregate, materially limit our ability to service our indebtedness, meet our current obligations or pay dividends.
Contingencies.  We are involved in legal proceedings, claims and litigation arising in the ordinary course of business. We periodically assess our exposure related to these matters based on the information which is available. We have recorded accruals in our Consolidated Financial Statements for those matters in which it is probable that we have incurred a loss and the amount of the loss, or range of loss, can be reasonably estimated.
Although the final outcome of these matters cannot be predicted with certainty, any possible adverse outcome arising from these matters is not expected to have a material impact on our Consolidated Financial Statements, either individually or in the aggregate. However, our evaluation of the likely impact of these matters may change in the future. We accrue for unpaid legal fees for services performed to date.