It’s been nearly two years since Equifax first revealed that it had suffered a massive data breach that exposed the personal information of 148 million U.S. consumers to hackers, but the fallout from the breach is nowhere near over.
Earlier this week, the state of Ohio announced that it is suing Equifax over the breach, and earlier this year, Equifax said that it is expecting punishment from the Consumer Financial Protection Bureau and the Federal Trade Commission over the breach.
Equifax is also facing investigations from nearly every state, several other federal regulators, and authorities in Canada and the U.K, plus more than 1,000 lawsuits over the breach.
And Friday, Equifax revealed how much it’s expecting to pay out to deal with all of those issues.
As part of its first quarter earnings release, Equifax CEO Mark Begor disclosed that the company set aside $690 million during the first quarter that includes the losses it expects to take in connection with a “potential global resolution of the consumer class action cases and the investigations by certain federal and state regulators.”
According to the company, the accrual of $690 million is for “certain legal proceedings and investigations related to the 2017 cybersecurity incident,” and does not include the company’s legal and professional services expenses.
Overall, the company recorded $786.8 million in the first quarter for data breach costs. That amount also includes $82.8 million of technology and data security costs; $12.5 million of legal and investigative fees; and $1.5 million of product liability costs.
In total, Equifax said that the data breach has cost the company a total of $1.35 billion so far, including incremental technology and data security costs, and an accrual for losses associated with legal proceedings and investigations.
But the company notes that the $690 million it set aside may not be enough to cover its pending settlements, fines, etc.
“While it is reasonably possible that losses exceeding the amount accrued will be incurred, it is not possible at this time to estimate the additional possible loss in excess of the amount already accrued that might result from adverse judgments, settlements, penalties or other resolution of the proceedings and investigations related to the 2017 cybersecurity incident based on a number of factors, such as the various stages of these proceedings and investigations, that alleged damages have not been specified or are uncertain, the uncertainty and complexity of achieving a multi-party resolution, the uncertainty as to the certification of a class or classes and the size of any certified class, as applicable, and the lack of resolution on significant factual and legal issues,” Equifax said. “The ultimate amount paid on these actions, claims and investigations in excess of the amount already accrued could be material to the company’s consolidated financial condition, results of operations, or cash flows in future periods.”
According to Equifax, at the time of the breach, the company had $125 million in cybersecurity insurance coverage. The company has long since received the maximum reimbursement of $125 million on that insurance policy.