Outrage, lawsuits and justifiable anxiety exploded following disclosure of the 2017 Equifax breach. Authorities announced a record $650 million settlement of federal and state investigations, and class-action litigation.
The final price tag could grow to as much as $700 million for the Atlanta-based credit-reporting agency over the sensitive information exposure of an estimated 145-148 million Americans including Social Security numbers, birth dates and home addresses. Equifax admitted that hackers accessed certain files from mid-May through July 2017 but waited until Sept. 7, 2017, to warn consumers.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” FTC Chairman Joe Simons said. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
The largest settlement for a data breach settles numerous inquiries into Equifax by the Federal Trade Commission, the Consumer Financial Protection Bureau and almost every state attorney general. It also resolves pending class-action lawsuits against the company. “This company’s ineptitude, negligence and lax security standards endangered the identities of half the U.S. population,” New York Attorney General Letitia James said in a statement.
The deal announced Monday, which still needs court approval, would require Equifax to put a minimum of $380.5 million into a consumer restitution fund for Americans filing claims showing they were financially harmed. The compensation fund could reach $425 million. Equifax also agreed to 10 years of free credit monitoring services to data exposure victims. The settlement assumes that around 7 million people will sign up for that service.
Equifax will pay an additional $50 million to the CFPB and $175 million in fines to end investigations by 50 attorneys general. Forty-eight states — all except Indiana and Massachusetts, which separately filed their own lawsuits against Equifax — are part of the deal, along with the District of Columbia and Puerto Rico.
This untethered information could still come back to haunt financial institutions and their customers in the form of account takeovers, fraudulent charges and other criminal uses involving identity theft.