Equifax Negotiates Potential $700 Million Breach SettlementDeal Prepped With Feds and State Attorneys General Includes Victim Compensation
Credit reporting giant Equifax has negotiated a settlement to resolve U.S. federal and state probes into its massive 2017 data breach.
As part of the proposed settlement, Equifax has agreed to pay at least $575 million, and potentially up to $700 million, the Federal Trade Commission said on Monday. The settlement would resolve probes that were launched in September 2017 by the FTC, the Consumer Financial Protection Bureau, and state attorneys general as well as bring to a close a nationwide class action lawsuit.
"Companies that profit from personal information have an extra responsibility to protect and secure that data," said FTC Chairman Joe Simons. "Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud."
Under the proposed Equifax settlement, the company would pay:
- $300 million to a fund to provide data breach victims with credit monitoring services, or to reimburse them for credit or identity monitoring services that they paid for out of pocket, as well as other designated expenses arising from the breach;
- $125 million to bolster the victim fund if the initial $300 million outlay is insufficient to reimburse all claims;
- $175 million to 48 states, plus the District of Columbia and Puerto Rico;
- $100 million to the CFPB in civil penalties.
"For consumers impacted by the Equifax breach, today's settlement will make available up to $425 million for time and money they spent to protect themselves from potential threats of identity theft or addressing incidents of identity theft as a result of the breach," said CFPB Director Kathleen L. Kraninger. "We encourage consumers impacted by the breach to submit their claims in order to receive free credit monitoring or cash reimbursements."
In addition, the FTC says that as part of the settlement, "beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years - in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide."
The proposed, final order from the FTC was due to be submitted to court on Monday and must still be approved and signed by a District Court judge. Once that happens, the order would have the force of law.
Equifax's data breach, detected in September 2017, exposed not only Social Security numbers and other personal information for nearly half of all U.S. consumers, but also 15.2 million records pertaining to U.K. residents and about 8,000 Canadian residents' personal details.
In May, publicly traded Equifax reported that it had already spent nearly $1.4 billion on cleanup costs as well as overhauling its information security program and data security safeguards (see: Equifax's Data Breach Costs Hit $1.4 Billion).
The Wall Street Journal reports that Equifax has already overhauled how it secures personal data, in part in response to stipulations imposed by several states' regulators.
Post-Breach Outlay Could Exceed $2 Billion
Including the proposed settlement, Equifax likely will spend well more than $2 billion to respond to the data breach and overhaul its information security policies, practices and procedures.
Running from May 2017 until July 2017, the breach exposed sensitive data for about 147 million U.S. consumers. Within weeks of issuing the first public warning about the breach in August 2017, the company's CIO, CSO and then CEO all "retired," although former CEO Richard Smith subsequently faced excoriating questioning by U.S. lawmakers (see: Ousted Equifax CEO Faces 3 Congressional Hearings).
By September 2017, multiple state and federal probes, as well as investigations in Britain and Canada, had been launched. Numerous class action lawsuits have also been filed against Equifax.
Breach Lasted 76 Days
Federal and Congressional probes have traced a laundry list of missteps that paved the way for the breach, which lasted 76 days and exfiltrated data from 51 different databases before being detected and stopped.
Key failures included neglecting to find and patch key systems, failing to ensure employees complied with Equifax's own security policies, as well as executives failing to prioritize security or lead decision-making processes (see: Congressional Report Rips Equifax for Weak Security).
Those failures have been cited by the FTC, which "alleges that Equifax violated the FTC Act's prohibition against unfair and deceptive practices and the Gramm-Leach-Bliley Act's Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program to protect the security, confidentiality, and integrity of customer information." Companies that sign settlement agreements with the FTC do not admit to any guilt or wrongdoing. But violating an FTC order puts a company at risk a serious, follow-on sanctions or other repercussions.
'Multiple Failures' at Equifax
In September 2018, citing "multiple failures," the U.K. Information Commissioner's Office, which enforces the country's data breach laws, hit Equifax with a $625,000 fine, which was the maximum allowed for breaches that occurred before the EU's General Data Protection Regulation went into full effect in May 2018 (see: Equifax Hit With Maximum UK Privacy Fine After Mega-Breach).
In April, Canada's privacy commissioner concluded its investigation into Equifax's data breach, finding that the company's controls were "unacceptable." Although Canada did not fine Equifax, the company signed a compliance agreement that requires it to regularly submit third-party audit reports on the security of Equifax as well as its Canadian subsidiary for the next six years.
Further FTC Settlement Stipulations
The FTC's settlement agreement includes similar stipulations, such as Equifax being required to submit third-party security audits to the FTC every two years, with the commission getting final say on the firm that will be conducting each assessment.
Per its FTC settlement agreement, Equifax must also implement a comprehensive information security program, including:
- Oversight: Designating an employee to oversee the information security program;
- Assessments: Annually, Equifax must assess all external and internal security risks and implement appropriate safeguards, "such as patch management and security remediation policies, network intrusion mechanisms, and other protections";
- Sign-off: The company's board of directors must attest that the company has complied with the FTC order;
- Testing: The company must actively test and monitor its security controls;
- Supply chain: Equifax must ensure that all organizations that access the data it stores have taken adequate steps to protect the data.
CEO Cites Culture Change
In March, Equifax CEO Mark Bego, who joined the company after the data breach, told a Senate committee that he quickly moved to emphasize information security.
"I made a personal commitment internally and externally to build a culture within Equifax where security is a part of our DNA and committed that Equifax would be an industry leader in data security," Bego testified before senators.
"To truly transform into an industry leader, we must embed security into everything we do - from product development, to our merger and acquisition strategies, to our incentive compensation plans," he said. "To that end, in 2018, we implemented a companywide security goal in our annual bonus for the 3,900 bonus eligible employees across the company. This sort of 'shared-fate' mindset reinforces accountability and properly incentivizes our workforce - regardless of role or department - so that security is viewed as a responsibility not only of the security team, but also of the entire company."
Free Credit Freezes
Following investigations into Equifax, Congress last year passed legislation, which took effect on Sept. 21, 2018, prohibiting credit reporting agencies from charging individuals to freeze or unfreeze their credit reports. Individuals can now place, for free, a fraud alert on their account that will last a full year. Identity theft victims can also put in place fraud alerts that last for seven years.
But U.S. lawmakers have so far failed to pass any additional legislation to protect consumers before data breaches occur - for example, by strengthening regulators' ability to assess and crack down on organizations that fail to secure personally identifiable information (see: Cynic's Guide to the Equifax Breach: Nothing Will Change).
Update: The FTC's Equifax Data Breach Settlement page now links to a site run by the settlement administrator that enables Americans to see if they were affected by the breach, after entering their last name and the last six digits of their Social Security number.