The credit reporting agency Equifax will pay up to $700 million to settle with regulators over 2017's mammoth breach.
While the settlement still requires a court's approval, if it goes through, it will be the largest ever paid by a company over a data breach.
As part of a proposed settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau and 50 states and territories, Equifax will have to make sure that at least $380.5M of that money goes into a Consumer Restitution Fund Account to pay for credit monitoring and financial help for victims of the breach.
The breach, which came to light in September 2017, exposed the personal data, including names, dates of birth, Social Security numbers, and physical addresses, of 148 million Americans. The company's undoing of course was failing to apply patches to Apache Struts, web application software, in an orderly manner, leading to a breach a House Oversight report called "entirely preventable." The report went on to suggest that a lack of visibility, especially into Equifax's complex legacy IT environment, compounded the issue.
As part of the settlement, Equifax will offer credit monitoring for consumers who had their exposed up to 10 years; they’ll also be granted up to $1M of identity theft insurance.
$175 million of the money will go to pay fines to end investigations by attorney generals in 48 states, the District of Columbia, and Puerto Rico.
One of those state AGs, New York Attorney General Letitia James, said it was time for the settlement.
“Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk,” James said Monday. “This company’s ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population. Now it’s time for the company to do what’s right and not only pay restitution to the millions of victims of their data breach, but also provide every American who had their highly sensitive information accessed with the tools they need to battle identity theft in the future.”
We reached a historic $600M settlement with @Equifax for their 2017 data breach. The settlement includes up to $425M in consumer restitution.
— NY AG James (@NewYorkStateAG) July 22, 2019
Equifax put profits over privacy & greed over the people & now we’re holding them accountable for the millions they put at risk.
While $100 million of the settlement will go to the CFPB and $10 million will go to the New York Department of Financial Services, none will go to the Federal Trade Commission, which doesn’t have the authority to issue civil fines.
While the foundation of the settlement is $575M, it could add up. Under the settlement, Equifax will add up to $125 million to the victim's fund if there are "insufficient funds remaining in the Consumer Restitution Fund to pay valid Out-of-Pocket Losses."
Assuming it pays up to $700M, the settlement amounts to nearly a quarter of Equifax's annual revenue; the company made $3.4 billion in 2018 and $835.3 million in the fourth quarter of 2018.
Under the settlement, Equifax will be required to implement a comprehensive security program, one that assesses internal and external security risks, ensures effective data security safeguards are in place, and one that will be subject to a third-party assessment every two years.
"Companies that profit from personal information have an extra responsibility to protect and secure that data,” FTC’s Chairman Joe Simons said on Monday. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
