Introduction
Everyone is aware of the enormous data breach(es) experienced by Equifax over the past few years. Millions of consumers' personal information was compromised, and Equifax paid multiple large fines. While the numbers affected and amounts paid out are staggering, we couldn't help but wonder how those amounts would have changed if state-level data privacy laws had been in place. For this specific exercise, CCPA (California Consumer Privacy Act) is used, as it was enacted directly after this breach, and was the first of its kind at the state-level in the United States.
Our goal is to highlight the scope of these privacy acts in the context of previous protections and fines, to which we may have become somewhat desensitized.
Background
Equifax
As stated, Equifax experienced one of the largest and potentially most publicized breaches in recent years. It was announced in September of 2017, and the attack itself is presumed to have begun in March of 2017. As the investigation continued, the full set of contributing factors was not identified until July of 2019.
References
A detailed timeline and account of the breach is posted by CSO.
We will use Wikipedia's version of the incident(s), for consistency, as the numbers have been reported differently in multiple news outlets.
Just the facts
When all was said and done, information accessed in the breach included first and last names, social security numbers, birth dates, addresses, and, in some instances, driver's license numbers for an estimated 143 million Americans, based on Equifax's analysis. Information on an estimated range of under 400,000 up to 44 million British residents, as well as 8,000 Canadian residents, was compromised. An additional 11,670 Canadians were later found to be affected. Credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personally identifiable information for approximately 182,000 U.S. consumers, were also accessed.
After the original disclosures, Equifax expanded the number of records it discovered were accessed, bringing the total to 147.9 million. Equifax narrowed its estimate for UK customers to 15.2 million, of which 693,664 had sensitive personal data disclosed. Equifax also estimated the number of driver's licenses breached in the attack at 10-11 million.
On July 22, 2019, Equifax agreed to a settlement with the Federal Trade Commission (FTC), the CFPB, 48 U.S. states, Washington, D.C., and Puerto Rico totaling $300 million to a fund for victim compensation, $175 million to the states and territories in the agreement, and $100 million to the CFPB in fines.
The FTC reports that the settlement includes up to $425 million and became final in January 2022.
CCPA
Just the facts
Under CCPA, Californians would have the following avenues for compensation:
The Attorney General could fine Equifax "not more than $2,500 per violation;" and
Each Californian impacted could exercise their private right of action for damages between $100 and $750 per incident.
Disclaimer and assumptions
With the benefit of hindsight, no one can be sure whether the existence of the CCPA or other privacy laws may have impacted the sizes of those settlements. For our hypotheses, though, we will use the amounts as they were.
We will also ignore the fact that California is the largest state in the U.S. by population. All of our calculations will be as though each of the 50 states received an equal share of the settlement. However, once we reach the state level, we will factor in California's actual population of 38,803,000 when estimating the number of citizens affected.
In the review of CCPA's potential, we will continue to use the values found for the population and impacted citizens of California. Any other assumptions will be captured in-line.
Settlement details: current state
Reasoning and math-y stuff
Using the $175 million "to the states and territories in the agreement" and "$300 million to a fund for victim compensation," we create a starting payout assumption of $475 million.
$175,000,000 + $300,000,000 = $475,000,000
Assuming that each state received equal amounts of these settlement funds, California would have received $9.5 million.
$475,000,000 / 50 = $9,500,000
Given that the data breach affected approximately 40% of the U.S. population, the number of Californians affected would be 15.5 million citizens.
38,803,000 * 40% = 15,521,200
If we then look at California's supposed settlement amount and assume the damages were distributed to the affected population, each person would have received less than a dollar.
$9,500,000 / 15,521,200 ≈ $0.61
While the full payout originally seems massive, it potentially took more effort and time to do this math than that $0.61 would be worth at minimum wage.
Thoughts
When you consider the cost of a multi-year investigation, litigation, and managing the distribution of these settlement funds, it is difficult to see the point at all. From the consumer's standpoint, it would be a struggle to feel compensated for damages. (I was actually a member of the population impacted. My personal feeling is that they can "keep the change.")
Settlement details: potential hypothetical future state
Attorney General's rights
We cannot logically assume that the AG would have fined Equifax for the maximum allowed amount for each violation. Further, we have no way of knowing how many violations or breaches of data occurred for each individual's separate pieces of data, given the released details of the hack.
However, for the sake of illustration, we can estimate the magnitude of the effect CCPA could have had on this incident. If we assume a single violation for each of the citizens affected, at the maximum penalty, the AG would have had the right to fine Equifax upwards of $38.8 billion.
$2,500 * 15,521,200 = $38,803,000,000
Citizens' private rights of action
We will assume that Californians' private rights of action are not superseded by any fines imposed by the Attorney General. If each Californian affected chose to exercise his/her private right of action, Equifax could additionally have owed between $1.5 and $11.6 billion in damages.
$100 * 15,521,200 = $1,552,120,000
$750 * 15,521,200 = $11,640,900,000
Thoughts
Given the rights provided by the state of California through CCPA, California alone could have cost Equifax between $1.5 billion (private actions at the minimum, with no AG fine) and $50.4 billion (maximum AG fine plus private actions at the maximum).
$38,803,000,000 + $11,640,900,000 = $50,443,900,000
I think that it is fair to say that California residents would have no issue in forfeiting the previously calculated $9.5 million that the state may have received in this case.
Conclusion
The Equifax data breach is one of the largest to date. In the absence of a nationwide U.S. data privacy act similar to the EU's GDPR, states are choosing to create their own legislation for residents' data protection. California was only the first. Using a single state like California for reference, this data breach's payout could have been, at minimum, more than four (4) times as large as it was.
For California consumers, one has to assume that $100 to $750 would be more gratifying than $0.61. For other U.S. consumers, this may provide some background reasoning for the recent push for a national privacy act (similar to the national cybersecurity efforts in progress). For businesses, failure to prioritize data privacy and cybersecurity processes can be disastrous.
Republished with permission from eruditeMETA, ©2022. All rights reserved.