Equifax has agreed to pay $700 million, potentially more, to settle with the federal authorities and states over its 2017 data breach that exposed the Social Security numbers and other private information of nearly 150 million people, roughly half of the U.S. population.
The settlement with the Consumer Financial Protection Bureau and the Federal Trade Commission, as well as 48 states, the District of Columbia and Puerto Rico, would provide up to $425 million in monetary relief to consumers, a $100 million civil money penalty, and other relief.
The breach was one of the largest ever to threaten the private information. The consumer reporting company, based in Atlanta, did not detect the attack for more than six weeks. The compromised data included Social Security numbers, birth dates, addresses, driver license numbers, credit card numbers and in some cases, data from passports. The breach resulted in the abrupt dismissal of Equifax’s then CEO, as well as numerous other executives at the company.
“The (settlement) that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data – and reflects the seriousness with which we take this matter,” said Equifax CEO Mark Begor.
Equifax stock, which plunged 30% in the days following the disclosure of the breach, have returned to levels where they traded before the incident. Shares of Equifax rose 2% to $140.26. A share cost $141.45 in the hours before the breach was disclosed on Sept. 7, 2017.
The relief is coming in multiple forms. Equifax will pay initially $380.5 million into a fund to cover potential identity theft that was caused as a result of the breach, as well as any costs that a potential victim had to pay for credit monitoring. An additional $125 million would be paid additionally by Equifax if victims’ out-of-pocket expenses end up depleting the initial fund. Equifax could also potentially pay $2 billion to cover credit monitoring services if all 147 million victims sign up for credit monitoring services.
Victims of Equifax’s breach will be eligible for up to 10 years of credit monitoring services for free, seven years of identity-restoration services, and six free copies of Equifax’s credit reports per year for the next seven years. That’s on top of the free credit reports each U.S. resident is eligible for from the credit reporting companies under U.S. law.
If consumers choose not to enroll in the free credit monitoring product, they may seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice. Consumers must submit a claim in order to receive free credit monitoring or cash reimbursements.
Equifax will have to spend at least $1 billion over five years to enhance its cybersecurity practices.
On top of that, Equifax will have to pay a $100 million fine to the CFPB, and pay tens of millions of dollars to states and territories to settle those lawsuits as well.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
Consumer advocates were generally positive on the settlement, but had concerns on the timescale of the settlement. Because the thieves stole permanently identifiable information like Social Security numbers and birthdates, the data could be used for decades to commit identity theft.
“What happens if a consumer is the victim of ID theft in the fifth year resulting from the breach, which costs the consumer tens of thousands of dollars?,” said Chi Chi Wu, staff attorney at National Consumer Law Center.
The settlement must still be approved by the federal district court in the Northern District of Georgia.
For information on the terms of the settlement, as well as to file a claim, potential victims should go to https://www.equifaxbreachsettlement.com .