Equifax To Pay Up To $700M In Data Breach Settlement
NEW YORK (AP) — Equifax has agreed to pay $700 million, potentially more, to settle with the federal authorities and states over its 2017 data breach that exposed the Social Security numbers and other private information of nearly 150 million people, roughly half of the U.S. population.
The settlement with the Consumer Financial Protection Bureau and the Federal Trade Commission, as well as 48 states, the District of Columbia and Puerto Rico, would provide up to $425 million in monetary relief to consumers, a $100 million civil money penalty, and other relief.
The breach was one of the largest ever to threaten the private information. The consumer reporting company, based in Atlanta, did not detect the attack for more than six weeks. The compromised data included Social Security numbers, birth dates, addresses, driver license numbers, credit card numbers and in some cases, data from passports. The breach resulted in the abrupt dismissal of Equifax's then CEO, as well as numerous other executives at the company.
"The (settlement) that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data - and reflects the seriousness with which we take this matter," said Equifax CEO Mark Begor.
Equifax stock, which plunged 30% in the days following the disclosure of the breach, have returned to levels where they traded before the incident. Shares of Equifax rose 2% to $140.26. A share cost $141.45 in the hours before the breach was disclosed on Sept. 7, 2017.
The relief is coming in multiple forms. Equifax will pay initially $380.5 million into a fund to cover potential identity theft that was caused as a result of the breach, as well as any costs that a potential victim had to pay for credit monitoring. An additional $125 million would be paid additionally by Equifax if victims' out-of-pocket expenses end up depleting the initial fund. Equifax could also potentially pay $2 billion to cover credit monitoring services if all 147 million victims sign up for credit monitoring services.
Victims of Equifax's breach will be eligible for up to 10 years of credit monitoring services for free, seven years of identity-restoration services, and six free copies of Equifax's credit reports per year for the next seven years. That's on top of the free credit reports each U.S. resident is eligible for from the credit reporting companies under U.S. law.
If consumers choose not to enroll in the free credit monitoring product, they may seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice. Consumers must submit a claim in order to receive free credit monitoring or cash reimbursements.
Equifax will have to spend at least $1 billion over five years to enhance its cybersecurity practices.
On top of that, Equifax will have to pay a $100 million fine to the CFPB, and pay tens of millions of dollars to states and territories to settle those lawsuits as well.
"Companies that profit from personal information have an extra responsibility to protect and secure that data," said FTC Chairman Joe Simons. "Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud."
Consumer advocates were generally positive on the settlement, but had concerns on the timescale of the settlement. Because the thieves stole permanently identifiable information like Social Security numbers and birthdates, the data could be used for decades to commit identity theft.
"What happens if a consumer is the victim of ID theft in the fifth year resulting from the breach, which costs the consumer tens of thousands of dollars?," said Chi Chi Wu, staff attorney at National Consumer Law Center.
The settlement must still be approved by the federal district court in the Northern District of Georgia.
For information on the terms of the settlement, as well as to file a claim, potential victims should go to https://www.equifaxbreachsettlement.com .
BELOW is a press release from Attorney General Jeff Landry's Office about the news:
BATON ROUGE, LA – Louisiana Attorney General Jeff Landry today announced that a coalition of 50 Attorneys General has reached a settlement with Equifax as the result of an investigation into a massive 2017 data breach. The settlement is the largest data breach enforcement action in history and includes a Consumer Restitution Fund of up to $425 million, a $175 million payment to the states, and injunctive relief that contains a significant financial commitment.
“Equifax failed to maintain a reasonable security system, enabling hackers to penetrate its systems and expose the data of 56 percent of American adults,” said General Landry. “I am proud of our office’s work to get justice for Louisiana’s consumers and all Americans impacted this historic breach of consumer data.”
Following the 2017 breach that exposed social security numbers, names, dates of birth, addresses, credit card numbers, and/or driver’s license numbers – the coalition of Attorneys General launched a multi-state investigation. General Landry’s Office served on the Executive Committee of that investigation.
The investigation found that the breach occurred because Equifax failed to implement an adequate security program to protect consumers’ highly sensitive personal information. Despite knowing about a critical vulnerability in its software, Equifax failed to fully patch its systems. Moreover, Equifax failed to replace software that monitored the breached network for suspicious activity. As a result, the attackers penetrated Equifax’s system and went unnoticed for 76 days.
Under the terms of the settlement, Equifax agreed to provide a single Consumer Restitution Fund of up to $425 million—with $300 million dedicated to consumer redress. If the $300 million is exhausted, the Fund can increase by up to an additional $125 million. The company will also offer affected consumers extended credit-monitoring services for a total of 10 years.
Equifax has also agreed to take several steps to assist consumers who are either facing identity theft issues or who have already had their identities stolen including, but not limited to, terms:
· making it easier for consumers to freeze and thaw their credit;
· making it easier for consumers to dispute inaccurate information in credit reports; and
· requiring Equifax to maintain sufficient staff dedicated to assisting consumers who may be victims of identity theft.
Equifax has also agreed to strengthen its security practices going forward, including:
· reorganizing its data security team;
· minimizing its collection of sensitive data and the use of consumers’ Social Security numbers;
· performing regular security monitoring, logging and testing;
· employing improved access control and account management tools;
· reorganizing and segmenting its network; and
· reorganizing its patch management team and employing new policies regarding the identification and deployment of critical security updates and patches.
Equifax also agreed to pay the states a total of $175 million, which includes $3,073,524.95 for Louisiana.
Consumers who are eligible for redress will be required to submit claims online or by mail. Paper claims forms can also be requested over the phone. Consumers will be able to obtain information about the settlement, check their eligibility to file a claim, and file a claim on the Equifax Settlement Breach online registry. To receive email updates regarding the launch of this online registry, consumers can sign up at www.ftc.gov/equifax. Consumers can also call the settlement administrator at 1-833-759-2982 for more information. The program to pay restitution to consumers will be conducted in connection with settlements that have been reached in the multi-district class actions filed against Equifax, as well as settlements that were reached with the Federal Trade Commission and Consumer Financial Protection Bureau.
The Attorneys General participating in this settlement are from Louisiana, Pennsylvania, Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, Wyoming, the District of Columbia, and the Commonwealth of Puerto Rico.