Equifax Agrees to Pay up to $700 Million to Settle Data Breach Case


Equifax has agreed to settle its federal data breach case for a minimum of $575 million. The settlement will potentially rise to $700 million and also requires considerable improvements to be made to enhance security and better protect consumer data.

In 2017, Equifax experienced a colossal data breach in which the personal data of 147 million Americans was compromised. Names, dates of birth, addresses, and Social Security numbers were potentially stolen in the attack, and the breach victims now face an elevated risk of identity theft and fraud.

Equifax announced the breach in September 2017. In the two years that followed, Equifax was called before Congress on multiple occasions to explain how the breach occurred and how the response was being handled. Regulators also investigated Equifax to determine whether reasonable and appropriate security measures had been implemented to protect the vast amounts of consumer data stored on its network.

The Federal Trade Commission (FTC) determined there had been security failures at Equifax that left the door open to hackers. FTC chairman Joe Simons said, “Equifax failed to take basic steps that may have prevented the breach.” A financial penalty was therefore appropriate.

Under the terms of the settlement, Equifax has committed to pay up to $700 million and is required to implement a much stronger cybersecurity program. The company must undergo annual security audits and submit to external data security audits every two years. Any third party that is provided with access to Equifax’s consumer data must also be vetted to ensure it has appropriate data security measures in place.

The settlement includes a $300 million fund to provide monetary relief to victims of the breach. The fund will be used for credit monitoring services and to cover victims’ out-of-pocket expenses that have arisen from the breach. A further $125 million must be added to the fund if the $300 million is not sufficient to cover all of the claims. Claims have been capped at $20,000 per person.

The Consumer Financial Protection Bureau (CFPB) will receive $100 million in civil penalties and $175 million will be split between the 48 states, Washington D.C., and Puerto Rico. From 2020, Equifax must provide consumers with 6 free credit reports a year for the next 7 years, in addition to the three years already provided.

The settlement is certainly sizeable, but there has been considerable criticism of the level of the fine. Many believe the penalty is not nearly severe enough for a publicly traded company the size of Equifax, especially considering the breach exposed the data of almost half of all Americans.

“This settlement does not come close to making consumers whole and, once again, shows the limitations on the FTC’s ability to seek strong penalties and effective redress for consumers,” said Rep. Frank Pallone (D-N.J.), Chairman of the House Energy and Commerce Committee. “It also shows that we need a comprehensive data privacy and security law to ensure companies are designing their systems to protect consumer privacy from the start, minimizing the personal information they keep, and are held appropriately accountable if they fail.”

“We don’t have a general privacy legislation like the GDPR in Europe. Our authority is actually pretty limited in privacy,” said FTC Chairman Joseph Simons. “We can’t go out and tell companies, ‘You can’t collect this, you can’t use it this way, you can’t use it that way.’”

Equifax is pleased to have finally resolved the case. Equifax CEO Mark Begor said the settlement is a positive step for U.S. consumers and Equifax. “The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter.”

In addition to the $700 million settlement, Equifax was fined £500,000 by the UK Information Commissioner’s Office, the maximum fine permitted prior to the introduction of GDPR. Had the breach occurred a year later, the fine could have been as high as 4% of the company’s global annual turnover.

Equifax announced in May 2019 that so far the company has spent $1.4 billion remediating the breach, updating its computer systems, and strengthening security.

Author: HIPAA Journal
