Equifax to Pay $700 Million in Data Breach Settlement

The Consumer Financial Protection Bureau, the Federal Trade Commission and 48 states, the District of Columbia and Puerto Rico announced a global settlement with Equifax that provides up to $700 million in monetary relief and penalties.

The settlement tentatively brings an end to a prolonged ordeal that began in September 2017, when Equifax, a nationwide credit reporting company headquartered in Atlanta, announced a data breach that ultimately exposed 147 million U.S. consumers’ sensitive personal information, including names, addresses, social security numbers and dates of birth.

Under the complaint and proposed stipulated judgment filed in federal district court in the Northern District of Georgia, the Bureau alleged Equifax engaged in unfair and deceptive practices in connection with the 2017 data breach. The proposed settlement with the Bureau, if approved by the court, provides up to $425 million in monetary relief to consumers and a $100 million civil money penalty.

CFPB Director Kathy Kraninger said the Bureau coordinated its investigation with the FTC and attorneys general from across the country. In total, the settlements with these entities would impose up to $700 million in relief and penalties.

“Today’s announcement is not the end of our efforts to make sure consumers’ sensitive personal information is safe and secure,” Kraninger said. “The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers. Too much is at stake for the financial security of the American people to make these protections anything less than a top priority.”

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

In a press release, Equifax CEO Mark Begor said the settlement was a “positive step for U.S. consumers and Equifax.”

“The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data–and reflects the seriousness with which we take this matter, Begor said. “We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program. We are focused on the future of Equifax and returning to market leadership and growth.”

The Bureau alleged in its complaint that Equifax violated the law in several ways through its conduct both before and after the breach. Specifically, the Bureau alleged Equifax engaged in unfair and deceptive practices in violation of the Consumer Financial Protection Act of 2010 by:

–Failing to provide reasonable security for the massive quantities of sensitive personal information stored within its computer network, causing substantial injury to consumers whose data was stolen;

–Deceiving consumers about the strength of its data security program in its privacy policies; and

–Engaging in acts and practices that caused additional harm or risk of harm to consumers in response to the breach.

Under the settlement, all affected consumers would be eligible to receive at least 10 years of free credit-monitoring, at least seven years of free identity-restoration services, and, starting on December 31 and extending seven years, all U.S. consumers may request up to six free copies of their Equifax credit report during any 12-month period. These free copies will be provided to requesting consumers in addition to any free reports to which they are entitled under federal law. If consumers choose not to enroll in the free credit monitoring product available through the settlement, they may seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice.

The FTC and attorneys’ general from 48 states, the District of Columbia and Puerto Rico also have reached agreements to resolve investigations of the data breach that are being announced today. The FTC’s and the states’ orders provide for relief for consumers consistent with the Bureau’s order.

A copy of the proposed stipulated order is available at https://files.consumerfinance.gov/f/documents/cfpb_equifax-inc_proposed-stipulated-order_2019-07.pdf.

A copy of the complaint is available at https://files.consumerfinance.gov/f/documents/cfpb_equifax-inc_complaint_2019-07.pdf.

A fact sheet containing information about the settlement and resources for consumers to learn more is available at www.consumerfinance.gov/equifax-settlement. Equifax has its own website for information, https://www.equifaxbreachsettlement.com/.