Credit-monitoring giant Equifax is being required to pay for alleged negligence in protecting consumer data. This week, Equifax agreed to pay at least $575 million, and potentially up to $700 million, as part of a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories, which alleged that the credit reporting company’s failure to take reasonable steps to secure its network led to a data breach in 2017 that affected approximately 147 million people.
This settlement requires that the company take steps to improve its data security going forward and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
In its complaint, the FTC alleges that Equifax failed to secure the massive amount of personal information stored on its network, leading to a breach that exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud.
As part of the proposed settlement, Equifax will pay $300 million to a fund that will provide affected consumers with credit monitoring services. The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach. Equifax will add up to $125 million to the fund if the initial payment is not enough to compensate consumers for their losses. In addition, beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years—in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide.
The company also has agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the CFPB in civil penalties.
The claims process will start once a judge approves the settlement.
CFPB director Kathleen Kraninger encouraged consumers impacted by the Equifax breach to take advantage of the settlement of up to $425 million for time and money they spent to protect themselves from potential threats of identity theft or addressing incidents of identity theft as a result of the breach. Consumers can submit claims in order to receive free credit monitoring or cash reimbursements.
In addition to the monetary relief to consumers, Equifax is also required to implement a comprehensive information security program requiring the company to take several measures including:
- Designating an employee to oversee the information security program;
- Conducting annual assessments of internal and external security risks and implementing safeguards to address potential risks, such as patch management and security remediation policies, network intrusion mechanisms, and other protections;
- Obtaining annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements;
- Testing and monitoring the effectiveness of the security safeguards; and
- Ensuring service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data.
Individuals can find out more about the settlement at ftc.gov/Equifax.
LEVERAGE offers cybersecurity solutions to help product your credit union. Click here for details.