Ranking the Equifax Data Breach (Updated)

Equifax [EFX] is the latest casualty of a massive data breach. Equifax recently disclosed that a cybersecurity incident may have affected 145.5 million U.S. consumers. According to Equifax, the incident occurred between May and July 2017. The breached information included names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers. Around 209,000 credit card numbers and 182,000 dispute documents were also accessed.

As can be seen above, Equifax’s breach ranks among the largest cyber data breaches of all time, and the largest of 2017, so far. Further, Equifax’s breach is the largest involving Social Security or credit card numbers.

Breaches of financial information and Social Security numbers can often be very expensive to remediate. Of public company breaches costing more than $50 million to remediate, six compromised financial information and two compromised Social Security numbers. Equifax is included in both the financial information and Social Security numbers counts.

The two most costly breaches, Home Depot and Target, were the result of compromised point-of-sale equipment. In each case, the companies were required to update their in-store equipment in order to enhance the security of payment transactions. Equifax is unlikely to incur these types of equipment costs; however, it may face substantial legal costs. Already, over 240 class action suits have been filed against Equifax due to the breach, according to its latest quarterly filing. Equifax’s breach is also being investigated by a broad range of federal, state and foreign regulators.

Historically, legal settlement costs associated with breaches have not been substantial. In 2016, Sony settled a class action for just $15 million associated with their massive 2014 breach. Additionally, Target paid just $67 million to settle three separate suits related to its 2013 breach of more than 100 million records.

However, Equifax’s breach may be more comparable to Anthem’s than Sony’s or Target’s. Both Anthem and Equifax lost enormous numbers of consumer Social Security numbers, along with other personally identifiable information. Earlier this year, Anthem agreed to pay $115 million, the largest settlement ever for a data breach. And Equifax’s breach could be even more costly, as it lost almost twice as many consumer records.

Already, the Equifax breach has cost the company $87.5 million, making it one of the most expensive breaches of all time. These costs consist of $27.3 million towards investigations, extra staffing and legal & professional fees; $4.7 million for credit monitoring & identity theft protection; and a $56 million accrual for further credit monitoring & identity theft protection costs.

Equifax’s accrual is interesting for two reasons. First, the $56 million accrual is the low end of Equifax’s estimated range and could have been as high as $110 million. In accordance with ASC section 450-20-30-1, Equifax is allowed to record the lower end of the estimate range under generally accepted accounting principles as they did “not believe that any amount within the range is a better estimate than any other amount.” But using the $110 million estimated accrual would put Equifax’s current costs at $142 million.

Second, credit monitoring services are typically outsourced to companies that specialize in credit monitoring, so a company’s cost is based on what is paid to the third-party service provider. As Equifax is a company that specializes in credit monitoring, they will be providing these services. It is unclear how Equifax determined the cost for these services (market value or incremental cost).

Going forward, Equifax expects significant costs, including legal & professional services, and capital investments for IT & security. The current costs and accruals do not include an estimate for any of these costs.

Equifax has not yet recorded a receivable for estimated insurance recoveries; however, the company does hold an insurance policy that should be able to cover some of the cost. The policy has a $7.5 million deductible and, according to Bloomberg, covers between $100 million and $150 million.

Audit Analytics tracks all public company cyber data breaches and is available for purchase as Exploratory Research. Our analysts engage in this research to help better understand current market conditions, and track the latest disclosure trends and regulations as they impact financial reporting.