by Jeff Sovern
As has been widely reported, Equifax waited about six weeks to disclose its breach, which makes me wonder if we would ever have learned about the breach if the laws requiring disclosures of breaches didn’t exist. And in recent years, Equifax has lobbied aggressively on breach laws. All this left me curious about whether Equifax tried to block the original enactment of those laws.
First, some background: until 2003, companies rarely, if ever, disclosed data breaches. But everything changed in 2003 when California passed a statute (the current version is here), requiring companies conducting business in California to disclose breaches of unencrypted personal data of California residents. Many other states followed suit, and consumers began learning about disclosures of data about them. To date, the Privacy Rights Clearinghouse reports that there have been 7,725 breaches disclosed since 2005, totaling more than a billion records, of which the largest has been the Equifax breach.
Now on to Equifax and what has already been reported about its efforts. As has been extensively noted, the Equifax breach was disclosed the same day a congressional committee was considering legislation to reduce the damages credit bureaus would have to pay for misconduct. While Equifax representatives did not testify at that hearing, the Washington Post’s Renae Merle and Hamza Shaban have reported that Equifax lobbied for such legislation. As Merle and Shaban explain: “Since at least 2015, the credit reporting agency has repeatedly lobbied lawmakers on issues related to ‘data security and breach notification,’ according to federal disclosure forms.”
So I asked my research assistant, Amanda M. Schaefer, to do a little digging. We chose Georgia for her to look at as Equifax is a Georgia corporation with its principal place of business in that state. Georgia enacted its data breach statute in 2005, and amended it in 2007. Amanda discovered that Equifax hired a Georgia lobbyist, Kirby A. Thompson, during that period. Thompson filed reports indicating that he paid for meals for Georgian legislators on behalf of Equifax in 2006 and 2007. Among these were meals described as “Senate Banking and Financial Institutions Dinner” and “House Banks & Banking Committee.”
The forms don’t indicate what Kirby was arguing on behalf of Equifax, and obviously Equifax could have had many reasons to lobby the legislature in its home state. And even if Georgia had not enacted its statute, Equifax would presumably have been obliged to disclose a breach under the laws of California and other states that had passed such statutes before Georgia. But it certainly raises questions about what Equifax was asking for, and what position Equifax took on breach disclosure laws. I have asked Amanda to see if she can dig up anything about Equifax lobbying in California on the grandparent of data breach laws, but in the meantime, perhaps some other enterprising blog reader will see what is out there. I very much hope that some member of Congress asks Equifax whether it lobbied against the original data breach laws during the many hearings Congress has scheduled on Equifax in the coming days (by my count, we are already up to four). Wouldn’t it be interesting to know if Equifax wanted to keep the breach a secret?