Case Studies and Examples

The following case studies show how the laws discussed in this chapter are used. These case studies are real-world examples of how regulatory agencies apply laws and rules to protect consumer information.

FTC Privacy and Safeguards Rule Enforcement

The FTC enforces the GLBA Privacy and Safeguards Rule against some types of financial institutions. The FTC can begin an investigation on its own or in response to a consumer complaint.

In July 2019, the FTC filed a complaint against Equifax, Inc., a credit-reporting agency. Equifax reported a data breach in 2017 in which hackers stole SSNs and other personal information on 143 million Americans. In its complaint, the FTC alleged that Equifax failed to secure customer personal information stored on its network. This is a violation of the GLBA Safeguards Rule.

The FTC argued that Equifax had a series of basic security failures that led to the breach. These failures happened over several months and included:

  • Failure to patch critical vulnerabilities in Equifax information systems
  • Failure to maintain a technology asset inventory, which meant that Equifax did not properly scan all its assets for vulnerabilities
  • Failure to segment its computer network
  • Failure to encrypt highly confidential information, such as SSNs, stored on its information systems
  • Failure to detect intrusions into legacy information systems
  • Failure to update expired security certificates on its information systems

The CFPB and 50 U.S. states and territories also filed complaints against Equifax. Their complaints alleged violations of different laws. Only the FTC had jurisdiction over Equifax for violations of the GLBA Safeguards Rule. The FTC, the CFPB, and the states all worked together to resolve their complaints against Equifax.

NOTE

The FTC documents related to the Equifax breach are available at https://www.ftc.gov/enforcement/cases-proceedings/172-3203/equifax-inc.

In late July 2020, Equifax agreed to pay at least $575 million to settle all claims with the CFPB, FTC, and the states. That settlement agreement amount could be increased by $125 million if the original settlement amount fails to compensate consumers for their losses related to the breach.

With respect to the GLBA Safeguards Rule, Equifax also agreed to:

  • Comply with the GLBA Safeguards Rule and establish a comprehensive information security program that contains the requirements specified in the order.
  • Provide yearly reports on the status of its information security program to its board of directors.
  • Obtain an independent assessment of its information security program every 2 years. The assessor selected must be approved by the FTC in advance.
  • Report yearly to the FTC that it is following the FTC’s settlement agreement.
  • Notify the FTC within 10 days if it experiences an information security incident.

NOTE

Consumers can learn more about their rights related to the Equifax settlement at www.ftc.gov/equifax.

The FTC’s settlement agreement with Equifax ends in July 2039. Equifax must follow the terms in the settlement agreement until the agreement expires.

Credit Card Security Example

Target is a popular department store in the United States and Canada. On December 19, 2013, Target reported that the credit and debit card data of over 40 million customers was compromised in a security breach.60 It reported that the compromise took place throughout the United States during the busy Thanksgiving-to-Christmas shopping season. Credit cardholders who shopped in Target stores from November 27 to December 15, 2013, were affected by the breach.

Target reported that it found malware on its cash registers on December 15. Company officials said that they immediately deleted the malware. They then began to notify their customers about the incident. On December 27, 2013, Target reported that encrypted personal identification number, or PIN, information was also compromised in the breach. PINs are passwords used in debit card transactions.

On January 17, 2014, Target reported that the attack it suffered during the height of the holiday shopping season may have affected an additional 70 million customers.61 Their personal information—names, addresses, and phone numbers—was stolen. The massive data breach was further reported to have extended beyond the 2013 holiday shopping season to people who had not shopped at Target for years.

Target’s costs associated with the breach were extensive. Visa, Mastercard, American Express, and Discover all made claims against Target for the data breach. Target paid $86 million to Visa and Mastercard to settle claims associated with the breach. In its 2016 annual report, Target reported that it had experienced $292 million in expenses related to the breach.
