COMMITMENTS AND CONTINGENCIES
|3 Months Ended
Mar. 31, 2020
|Commitments and Contingencies Disclosure [Abstract]
|COMMITMENTS AND CONTINGENCIES
|COMMITMENTS AND CONTINGENCIES
Litigation, Claims and Government Investigations Related to the 2017 Cybersecurity Incident. In fiscal 2017, we experienced a cybersecurity incident following a criminal attack on our systems that involved the theft of certain personally identifiable information of U.S., Canadian and U.K. consumers. Following the 2017 cybersecurity incident, hundreds of class actions and other lawsuits were filed against us typically alleging harm from the incident and seeking various remedies, including monetary and injunctive relief. We were also subject to investigations and inquiries by federal, state and foreign governmental agencies and officials regarding the 2017 cybersecurity incident and related matters. Most of these lawsuits and government investigations have concluded or been resolved, including pursuant to the settlement agreements described below, while others remain ongoing. The Company’s participation in these settlements does not constitute an admission by the Company of any fault or liability, and the Company does not admit fault or liability.
We believe it is probable that we will incur losses associated with certain of the proceedings and investigations related to the 2017 cybersecurity incident. In 2019, we recorded expenses, net of insurance recoveries, of $800.9 million in other current liabilities and selling, general, and administrative expenses in our Consolidated Balance Sheets and Statements of Income (Loss), respectively, exclusive of our legal and professional services expenses. The amount accrued represents our best estimate of the liability related to these matters. The Company will continue to evaluate information as it becomes known and adjust accruals for new information and further developments in accordance with ASC 450-20-25. While it is reasonably possible that losses exceeding the amount accrued may be incurred, it is not possible at this time to estimate the additional possible loss in excess of the amount already accrued that might result from adverse judgments, settlements, penalties or other resolution of the proceedings and investigations described below based on a number of factors, such as the various stages of these proceedings and investigations, including matters on appeal, that alleged damages have not been specified or are uncertain, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues. The ultimate amount paid on these actions, claims and investigations in excess of the amount already accrued could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods.
Consumer Settlement. On July 19, 2019 and July 22, 2019, we entered into multiple agreements that resolve the U.S. consolidated consumer class action cases, captioned In re: Equifax, Inc. Customer Data Security Breach Litigation, MDL No. 2800 (the “U.S. Consumer MDL Litigation”), and the investigations of the FTC, the CFPB, the Attorneys General of 48 states, the District of Columbia and Puerto Rico (the "MSAG Group") and the NYDFS (collectively, the “Consumer Settlement”). Under the terms of the Consumer Settlement, the Company will contribute $380.5 million to a non-reversionary settlement fund (the “Consumer Restitution Fund”) to provide restitution for U.S. consumers identified by the Company whose personal information was compromised as a result of the 2017 cybersecurity incident as well as to pay reasonable attorneys’ fees and reasonable costs and expenses for the plaintiffs’ counsel in the U.S. Consumer MDL Litigation (not to exceed $80.5 million), settlement administration and notice costs. The Company has agreed to contribute up to an additional $125.0 million to the Consumer Restitution Fund to cover certain unreimbursed costs and expenditures incurred by affected U.S. consumers in the event the $380.5 million in the Consumer Restitution Fund is exhausted. The Company also agreed to various business practice commitments related to consumer assistance and its information security program, including conducting third party assessments of its information security program.
On January 13, 2020, the Northern District of Georgia, the U.S. District Court overseeing centralized pre-trial proceedings for the U.S. Consumer MDL Litigation and numerous other federal court actions relating to the 2017 cybersecurity incident (the “MDL Court”), entered an order granting final approval of the settlement in connection with the U.S. Consumer
MDL Litigation. The MDL Court entered an amended order granting final approval of the settlement on March 17, 2020. Several objectors have appealed the final approval order. Until the appeals are finally adjudicated or dismissed, we can provide no assurance that the U.S. Consumer MDL Litigation will be resolved as contemplated by the settlement agreement. If the MDL Court’s order approving the settlement is reversed by an appellate court, there is a risk that we would not be able to settle the U.S. Consumer MDL Litigation on acceptable terms or at all, which could have a material adverse effect on our financial condition.
Securities Class Action Litigation. On February 12, 2020, we entered into a settlement agreement to resolve a consolidated putative class action lawsuit pending in the U.S. District Court for the Northern District of Georgia alleging violations of certain federal securities laws in connection with statements and alleged omissions regarding our cybersecurity systems and controls. Under the settlement, the Company agreed to create a settlement fund for the benefit of a settlement class consisting of persons and entities who purchased or otherwise acquired publicly-traded Company stock from February 25, 2016 through September 15, 2017, subject to certain exclusions. On February 25, 2020, we received preliminary court approval of the settlement. The settlement is subject to a number of other conditions, including final court approval. We can provide no assurance that all conditions will be satisfied or that final court approval will be obtained.
Shareholder Derivative Litigation. On February 12, 2020, the Company, by and through a committee of independent directors, and individual defendants entered into a settlement agreement which, subject to court approval, will resolve a consolidated putative shareholder derivative action pending in the U.S. District Court for the Northern District of Georgia alleging claims for breaches of fiduciary duties, unjust enrichment, corporate waste and insider selling by certain defendants, as well as certain claims under the federal securities laws. The settlement agreement provides for the Company’s adoption of certain governance changes and obtaining an insurance recovery for the Company. On February 24, 2020, we received preliminary court approval for the settlement. We can provide no assurance that the necessary final court approval will be obtained.
Government Lawsuits. The Company reached an agreement with each of the Attorneys General of Indiana and Massachusetts to resolve the civil enforcement actions that were filed against us in Indiana and Massachusetts state court alleging violations of commonwealth/state consumer protection laws. These settlements, in which the Company has agreed to make a monetary payment and to injunctive relief consistent with the MSAG Group settlement, received court approval in each respective jurisdiction.
Financial Institutions MDL Class Action. The Company has reached an agreement in principle to enter into a class-wide settlement that, upon submission of the final settlement documents and necessary court approvals, will resolve the consolidated financial institutions class action cases pending before the MDL Court (the “Financial Institutions MDL Litigation”). The settlement contemplates payment for claims up to a maximum amount and certain non-monetary relief. The settlement is subject to a number of conditions, including notice, and preliminary and final court approvals. We can provide no assurance that all conditions will be satisfied or that the necessary court approvals will be obtained.
Pennsylvania State Court Financial Institution Class Action. The Company has reached an agreement in principle to resolve a purported class action lawsuit brought by one of the initial named plaintiffs in Financial Institutions MDL Litigation in the Court of Common Pleas of Lawrence County, Pennsylvania on behalf of financial institutions headquartered in Pennsylvania. The claims being asserted in this matter are substantially similar to claims that previously were dismissed in the MDL proceeding for lack of standing. The settlement is subject to court approval, and we can provide no assurance that the necessary court approval will be obtained.
Indian Tribes Class Actions and City of Chicago Lawsuit. The Company has settled separate lawsuits pending in the MDL Court that were brought by three Indian Tribes purportedly on behalf of themselves and other similarly situated federally recognized Indian Tribes and Nations, as well as a lawsuit brought by the City of Chicago related to the 2017 cybersecurity incident.
Other Matters. We face other lawsuits and government investigations related to the 2017 cybersecurity incident that have not yet been concluded or resolved. These ongoing matters may result in judgments, fines or penalties, settlements or other relief. We dispute the allegations in the remaining lawsuits and intend to defend against such claims. Set forth below are descriptions of the main categories of these matters.
Georgia State Court Consumer Class Actions. Four putative class actions arising from the 2017 cybersecurity incident were filed against us in Fulton County Superior Court and Fulton County State Court in Georgia based on similar allegations
and theories as alleged in the U.S. Consumer MDL Litigation and seek monetary damages, injunctive relief and other related relief on behalf of Georgia citizens. These cases were transferred to a single judge in the Fulton County Business Court and three of the cases were consolidated into a single action. On July 27, 2018, the Fulton County Business Court granted the Company’s motion to stay the remaining single case, and on August 17, 2018, the Fulton County Business Court granted the Company’s motion to stay the consolidated case. These cases remain stayed pending final resolution of the U.S. Consumer MDL Litigation.
Canadian Class Actions. Eight Canadian class actions, six of which are on behalf of a national class of approximately 19,000 Canadian consumers, have been filed against us in Ontario, Saskatchewan, Quebec, British Columbia and Alberta. Each of the proposed Canadian class actions asserts a number of common law and statutory claims seeking monetary damages and other related relief in connection with the 2017 cybersecurity incident. The plaintiffs in each case seek class certification/authorization on behalf of Canadian consumers whose personal information was allegedly impacted by the 2017 cybersecurity incident. In some cases, plaintiffs also seek class certification on behalf of a larger group of Canadian consumers who had contracts for subscription products with Equifax around the time of the incident or earlier and were not impacted by the incident.
On October 21, 2019, the court in the Quebec case dismissed the plaintiff’s motion for authorization to institute a class action. On December 13, 2019, the court in the active Ontario case granted certification of a nationwide class that includes impacted Canadians as well as Canadians who had subscription products with Equifax between March 7, 2017 and July 30, 2017. We have sought leave to appeal this decision. All remaining purported class actions are at preliminary stages. In addition, one of the cases in Ontario as well as the Saskatchewan case have been stayed. The court’s order staying the Saskatchewan case is on appeal.
Individual Consumer Litigation. We have several hundred individual consumer actions pending against us in state (general jurisdiction and small claims) and federal courts across the U.S. related to the 2017 cybersecurity incident. The plaintiffs/claimants in these cases have generally claimed to have been harmed by alleged actions and/or omissions by Equifax in connection with the 2017 cybersecurity incident and assert a variety of common law and statutory claims seeking primarily monetary damages. Where possible, actions filed in or removed to federal court were noticed for transfer to the MDL Court. We believe that many of the remaining individual consumer actions will be subject to the settlement in the U.S. Consumer MDL Litigation discussed above, unless the individual consumers submitted a valid and timely request to be excluded from the settlement.
Government Investigations. We have cooperated with federal, state and foreign governmental agencies and officials investigating or otherwise seeking information, testimony and/or documents, regarding the 2017 cybersecurity incident and related matters and most of these investigations have been resolved as discussed in prior filings.
The U.K.’s Financial Conduct Authority (“FCA”) opened an enforcement investigation against our U.K. subsidiary, Equifax Limited, in October 2017. The investigation by the FCA has involved a number of information requirements and interviews. We continue to respond to the information requirements and are cooperating with the investigation.
The New York State Attorney General Investor Protection Bureau (“IPB”) issued a subpoena in September 2017 relating to its investigation of whether there has been a violation of the Martin Act. We have cooperated with the IPB in its investigation, and the IPB has not contacted us regarding the investigation since January 2019.
Although we continue to cooperate in the above investigations and inquiries, an adverse outcome to any such investigations and inquiries could subject us to fines or other obligations, which may have an adverse effect on how we operate our business or our results of operations.
Data Processing, Outsourcing Services and Other Agreements
We have separate agreements with Google, Amazon Web Services, IBM, Tata Consultancy Services and others to outsource portions of our network and security infrastructure, computer data processing operations, applications development, business continuity and recovery services, help desk service and desktop support functions, operation of our voice and data networks, maintenance and related functions and to provide certain other administrative and operational services. Annual payment obligations in regard to these agreements vary due to factors such as the volume of data processed; changes in our servicing needs as a result of new product offerings, acquisitions or divestitures; the introduction of significant new technologies; foreign currency; or the general rate of inflation. In certain circumstances (e.g., a change in control or for our
convenience), we may terminate these data processing and outsourcing agreements, and, in doing so, certain of these agreements require us to pay significant termination fees.
Guarantees and General Indemnifications
We may issue standby letters of credit and performance and surety bonds in the normal course of business. The aggregate notional amounts of all performance and surety bonds and standby letters of credit was not material at March 31, 2020 and generally have a remaining maturity of one year or less. We may issue other guarantees in the ordinary course of business. The maximum potential future payments we could be required to make under the guarantees in the ordinary course of business is not material at March 31, 2020. We have agreed to guarantee the liabilities and performance obligations (some of which have limitations) of a certain debt collections and recovery management variable interest entity under its commercial agreements.
We have agreed to standard indemnification clauses in many of our lease agreements for office space, covering such things as tort, environmental and other liabilities that arise out of or relate to our use or occupancy of the leased premises. Certain of our credit agreements include provisions which require us to make payments to preserve an expected economic return to the lenders if that economic return is diminished due to certain changes in law or regulations. In conjunction with certain transactions, such as sales or purchases of operating assets or services in the ordinary course of business, or the disposition of certain assets or businesses, we sometimes provide routine indemnifications, the terms of which range in duration and sometimes are not limited. Additionally, the Company has entered into indemnification agreements with its directors and executive officers to indemnify such individuals to the fullest extent permitted by applicable law against liabilities that arise by reason of their status as directors or officers. The Company maintains directors and officers liability insurance coverage to reduce its exposure to such obligations.
We cannot reasonably estimate our potential future payments under the guarantees and indemnities and related provisions described above because we cannot predict when and under what circumstances these provisions may be triggered.
In addition to the matters set forth above, we are involved in legal and regulatory matters, government investigations, claims and litigation arising in the ordinary course of business. We periodically assess our exposure related to these matters based on the information which is available. We have recorded accruals in our Consolidated Financial Statements for those matters in which it is probable that we have incurred a loss and the amount of the loss, or range of loss, can be reasonably estimated.
For additional information about these and other commitments and contingencies, see Note 6 of the Notes to Consolidated Financial Statements in our 2019 Form 10-K.