While discovering unauthorized access of its servers nearly 40 days earlier, Equifax Inc., one of the three largest credit reporting agencies in the United States, reported for the first time yesterday that hackers had breached sensitive, private information held by the company. This included social security numbers, birth dates, addresses, and driver license numbers, information which could be used to fraudulently open accounts and access other proprietary information of consumers.
Furthermore, it is reported that nearly 209,000 credit card numbers were also exposed in the breach. Equifax reports that the data hack involved not only information about US residents, but also UK and Canadian residents. Equifax's Chairman and CEO is quoted as indicating that the breach “strikes at the heart of who we are and what we do.” Expectedly, stock prices plummeted upon release of the news.
It should be noted that after the Vidal-Hall v. Google Inc decision in the English courts in 2015, damages may also be recoverable at common law for distress caused by a breach of UK data protection law, without needing to prove financial loss. In the United States, several states have non-preempted laws that provide for a cause of action for the negligent handling of otherwise private information, e.g. social security numbers, and data breach in particular. In conjunction with commercial litigation team member, James Nealon, the Data Privacy Team stands ready to aid those that may suffer harm from such disclosures, or who may be unsure of their rights under the law in what is one of the largest breaches ever.