Banking and Finance Law Daily
News
Monday, July 22, 2019

CFPB, FTC, and states settle with Equifax over massive data breach

By Colleen M. Svelnis, J.D.

State Attorneys General, the CFPB and the FTC have announced a settlement with Equifax over the 2017 data breach, proposing relief and penalties that could add up to $700 million.

Forty-eight states, the District of Columbia and Puerto Rico, along with the Consumer Financial Protection Bureau and the Federal Trade Commission, have settled with Equifax over the massive 2017 data breach that exposed the personal information of approximately 147 million consumers. The proposed stipulated judgment, if approved by the court, will provide up to $425 million in monetary relief to consumers, a $100 million civil money penalty, and other relief. The total settlements with the state Attorneys General could potentially impose up to $700 million in relief and penalties.

Data breach. The information accessed in the breach primarily includes names, Social Security numbers, birth dates, addresses, and driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents containing personal identifying information for approximately 182,000 U.S. consumers, were accessed (see Banking and Finance Law Daily, Sept. 8, 2019).

The Bureau alleged in its complaint that Equifax engaged in unfair and deceptive practices. The FTC alleged that Equifax violated the FTC Act’s prohibition against unfair and deceptive practices and the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program to protect the security, confidentiality, and integrity of customer information.

The investigations found that Equifax’s failure to maintain a reasonable security system enabled hackers to penetrate its systems. Under the proposed settlement, in addition to consumer relief, Equifax would be required to pay the Bureau a $100 million civil money penalty. Equifax must also make a $175 million payment to the states involved in the settlement. Equifax also would be required to make significant improvements to its data security practices and would be subject to ongoing oversight by regulators.

CFPB Director Kathleen Kraninger stated, "For consumers impacted by the Equifax breach, today’s settlement will make available up to $425 million for time and money they spent to protect themselves from potential threats of identity theft or addressing incidents of identity theft as a result of the breach. We encourage consumers impacted by the breach to submit their claims in order to receive free credit monitoring or cash reimbursements."

According to the FTC, as part of the proposed settlement, Equifax will pay $300 million to a fund that will provide affected consumers with credit monitoring services. The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the breach. Equifax will add up to $125 million to the fund if the initial payment is not enough to compensate consumers for their losses.

Additionally, beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years—this is in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide.

Equifax response. Equifax Chief Executive Officer Mark W. Begor issued a statement in response, calling the settlement "a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company." According to Begor, the consumer fund "reflects the seriousness with which we take this matter."

The proposed settlement requires the company to obtain third-party assessments of its information security program every two years. Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document reviews. The order grants the Commission the authority to approve the assessor for each two-year assessment period. The order also requires Equifax to provide an annual update to the FTC about the status of the consumer claims process.

Settlement details. The Bureau’s proposed order requires Equifax to establish a consumer restitution fund (Consumer Fund) with up to $425 million available to provide affected consumers with a broad array of redress. The Consumer Fund would be used to provide reimbursements to affected consumers for time and money they spent related to the breach.

All affected consumers would be eligible to receive at least 10 years of free credit-monitoring and at least seven years of free identity-restoration services. In addition, starting on Dec. 31, 2019, and extending seven years, all U.S. consumers may request up to six free copies of their Equifax credit report during any 12-month period. These free copies will be provided to requesting consumers in addition to any free reports to which they are entitled under federal law.

If consumers choose not to enroll in the free credit monitoring product available through the settlement, they may seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice.

In addition to the monetary relief to consumers, Equifax is also required to implement a comprehensive information security program requiring the company to take several measures including:

  • Reorganizing its data security team, including the designation of a Chief Security Officer;
  • Performing regular security monitoring, logging, and testing of its systems;
  • Reorganizing its patch management team, and subsequently employing new policies to identify and deploy critical security updates and patches;
  • Running regular simulated exercises to test its ability to respond to a security event;
  • Obtaining annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements;
  • Ensuring service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data;
  • Encrypting personal information stored on their system or adopting similar control mechanisms;
  • Prohibiting the use of Social Security numbers as a sole authenticator, and otherwise limiting their use; and
  • Adopting two-factor authentication and password rotation policies.

The following states participated in the settlement: Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, Wyoming, the District of Columbia, and the Commonwealth of Puerto Rico.

New York Attorney General Letitia James and New York Governor Andrew M. Cuomo issued statements about the settlement. The data breach affected 8.5 million New York residents. Additionally, an investigation by the New York Department of Financial Services found that Equifax had inadequate information security practices, that it failed to ensure the safety of consumer data, and that it provided insufficient customer service following the breach. Under the settlement, Equifax will pay a $10 million fine to DFS, along with a $9.2 million portion of the state fund to the New York Attorney General's Office. The proposed settlement also provides New York consumers with credit monitoring services and free annual credit reports for five years.

According to Maryland Attorney General Brian E. Frosh, under the agreement, Maryland’s portion of the $175 million state fund will be $5.7 million.

Companies: Equifax Inc.

