Perhaps now Equifax, along with federal and state regulators, can close the chapter of the company’s history that included the 2017 data breach.
On Monday, the credit bureau announced a comprehensive $671 million resolution that includes settlement agreements that would resolve the multi-district consumer class action litigation, as well as investigations by the Federal Trade Commission, the Consumer Financial Protection Bureau, the attorneys general of 48 states, Puerto Rico and the District of Columbia and the New York Department of Financial Services (NYDFS).
If approved by the court, a consumer restitution fund of up to $425 million will be available to pay for three-bureau credit monitoring for consumers whose information was impacted in the 2017 breach, actual out-of-pocket losses related to the breach, and other consumer benefits such as identity restoration services.
Equifax said it has been providing free credit monitoring services to consumers since September 2017.
“This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company,” Equifax chief executive officer Mark Begor said.
“The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter,” Begor continued. “We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program. We are focused on the future of Equifax and returning to market leadership and growth.”
In September of 2017, Equifax announced that a data breach at the company resulted in the exposure of approximately 147 million U.S. consumers’ sensitive personal information, including names, addresses, Social Security Numbers and dates of birth. The bureau coordinated its investigation with the FTC and attorneys general from across the country.
In total, the settlements with these entities would impose up to $700 million in relief and penalties.
Investigation and breach details
The FTC alleged that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database, which handles inquiries from consumers about their personal credit data. Even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, the FTC said Equifax did not follow up to ensure the order was carried out by the responsible employees.
In fact, the FTC said Equifax did not discover that its ACIS database was unpatched until July 2017, when its security team detected suspicious traffic on its network. The regulator recapped that a company investigation revealed that multiple hackers were able to exploit the ACIS vulnerability to gain entry to Equifax’s network, where they accessed an unsecured file that included administrative credentials stored in plain text. These credentials allowed the hackers to gain access to vast amounts of consumers’ personally identifiable information and to operate undetected on Equifax’s network for months.
The hackers targeted Social Security numbers, dates of birth, and other sensitive information, mostly from consumers who had purchased products from Equifax such as credit scores, credit monitoring, or identity theft prevention services. For example, hackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates.
Hackers were able to access a “staggering” amount of data because Equifax failed to implement basic security measures, according to the complaint. This includes failing to implement a policy to ensure that security vulnerabilities were patched; failing to segment its database servers to block access to other parts of the network once one database was breached; and failing to install robust intrusion detection protections for its legacy databases.
In addition, the FTC also alleges that Equifax stored network credentials and passwords, as well as Social Security numbers and other sensitive consumer information, in plain text.
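The FTC's account of the patching failure above describes a gap that is easy to reproduce in any organisation: a remediation order goes out with a 48-hour deadline, tickets get closed, but nobody reconciles the order against what a scanner actually sees afterwards. The following Python script is an added example (it is not Equifax's, the FTC's, or any vendor's code) of that reconciliation step. The hostnames, timestamps, ticket records and scan results are all constructed for illustration; the one fact it takes from the article is the 48-hour deadline. It goes slightly beyond the article's single case by distinguishing every combination of "ticket closed" and "scanner still flags the host", since the dangerous state is precisely a closed ticket on a host the scanner says is still vulnerable.

```python
from datetime import datetime, timedelta

# The remediation order said "patch within 48 hours" (the one figure taken from the article).
PATCH_SLA = timedelta(hours=48)

# Constructed timestamp: when the order was issued to the responsible teams.
ORDER_ISSUED = datetime(2017, 3, 9, 9, 0)

# Constructed: hosts named in the remediation order.
ORDERED_HOSTS = ["web-01", "web-02", "web-03", "web-04", "web-05"]

# Constructed: ticket-closure times reported back by the responsible teams.
TICKETS_CLOSED = {
    "web-01": datetime(2017, 3, 10, 14, 0),   # closed inside the deadline
    "web-02": datetime(2017, 3, 13, 10, 0),   # closed, but after the deadline
    "web-04": datetime(2017, 3, 10, 16, 0),   # closed on time... on paper
}

# Constructed: authenticated scanner results taken after the deadline.
# True means the scanner still sees the vulnerable version; absent means never scanned.
SCAN_RESULTS = {
    "web-01": False,
    "web-02": False,
    "web-03": True,    # nobody touched it and no ticket exists
    "web-04": True,    # ticket closed, host still vulnerable: the Equifax gap
}


def classify_host(host, order_issued, sla, tickets, scans):
    """Return a status string for one host by reconciling the ticket system
    against independent scan evidence. The ticket alone is never trusted."""
    deadline = order_issued + sla
    closed_at = tickets.get(host)
    still_vulnerable = scans.get(host)   # None if the scanner never covered it

    if still_vulnerable is None:
        return "not_scanned"              # no evidence either way: cannot be marked done
    if still_vulnerable:
        if closed_at is not None:
            return "ticket_closed_but_vulnerable"   # the worst state: false sense of completion
        return "unpatched_no_ticket"
    # Scanner confirms the fix; now judge timeliness against the SLA.
    if closed_at is None:
        return "fixed_no_ticket"          # fixed, but process not followed; still worth noting
    return "verified" if closed_at <= deadline else "verified_late"


def reconcile(ordered_hosts, order_issued, sla, tickets, scans):
    """Map every host in the order to its reconciled status."""
    return {h: classify_host(h, order_issued, sla, tickets, scans) for h in ordered_hosts}


def escalation_list(report):
    """Hosts that must go back to the owning team: anything not independently
    confirmed as patched. Sorted so the output is stable for tickets and tests."""
    needs_action = {"ticket_closed_but_vulnerable", "unpatched_no_ticket", "not_scanned"}
    return sorted(h for h, status in report.items() if status in needs_action)


def run_demo():
    """Run the reconciliation over the constructed data and return the report."""
    return reconcile(ORDERED_HOSTS, ORDER_ISSUED, PATCH_SLA, TICKETS_CLOSED, SCAN_RESULTS)


if __name__ == "__main__":
    report = run_demo()
    for host, status in report.items():
        print(f"{host:8} {status}")
    print("escalate:", ", ".join(escalation_list(report)))
```

The design point is that the ticket system and the scanner are two independent sources, and a host is only "done" when both agree. In the article's terms, the order was issued and presumably acknowledged, but nothing played the role of `SCAN_RESULTS` until suspicious traffic was noticed four months later; with this loop in place, `web-04` would have appeared on the escalation list within days of the deadline rather than months.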
The FTC also alleged that Equifax violated the FTC Act’s prohibition against unfair and deceptive practices and the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement and maintain a comprehensive information security program to protect the security, confidentiality, and integrity of customer information.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” FTC chairman Joe Simons said in a news release. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.
“This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud,” Simons said.
More information about the settlement
According to a news release from the CFPB, the bureau alleged in its complaint that Equifax violated the law in several ways through its conduct both before and after the breach. Specifically, the bureau alleged, Equifax engaged in unfair and deceptive practices in violation of the Consumer Financial Protection Act of 2010 by:
— Failing to provide reasonable security for the massive quantities of sensitive personal information stored within its computer network, causing substantial injury to consumers whose data was stolen
— Deceiving consumers about the strength of its data security program in its privacy policies
— Engaging in acts and practices that caused additional harm or risk of harm to consumers in response to the breach.
To provide relief for consumers affected by the breach, the bureau’s proposed order requires Equifax to establish a consumer fund with up to $425 million available to provide affected consumers with a broad array of redress. The consumer fund would be used to provide reimbursements to affected consumers for time and money they spent related to the breach.
If the court approves the settlement, affected consumers may be eligible to receive money by filing one or more claims of up to $20,000 per individual for lost time and money for the following:
— $25 per hour for up to 20 hours for time spent protecting personal information or addressing identity theft after the breach
— Money spent purchasing credit monitoring or identity theft protection after the breach
— The cost of freezing or unfreezing credit reports at any consumer reporting agency after the breach
— Reimbursement for up to 25% of the amount paid to Equifax for credit or identity monitoring subscription products between Sept. 7, 2016 and Sept. 7, 2017
— Any unreimbursed costs, expenses, losses, or charges incurred as a result of identity theft
— Miscellaneous expenses associated with any of the above, such as notary, fax, postage, mileage and telephone charges
The CFPB said all affected consumers would be eligible to receive at least 10 years of free credit monitoring and at least seven years of free identity-restoration services. In addition, starting on Dec. 31 and extending for seven years, all U.S. consumers may request up to six free copies of their Equifax credit report during any 12-month period.
These free copies will be provided to requesting consumers in addition to any free reports to which they are entitled under federal law, according to officials.
If consumers choose not to enroll in the free credit monitoring product available through the settlement, the bureau indicated they may seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice.
The CFPB noted a settlement administrator will manage the claims process. Consumers must submit a claim in order to receive free credit monitoring or cash reimbursements. After the court approves the settlement, consumers can submit a claim online at www.EquifaxBreachSettlement.com, or by mail. Consumers may visit this website to learn about the deadlines for filing claims.
In addition to consumer relief, Equifax would be required to pay the bureau a $100 million civil money penalty. Equifax also would be required to make significant improvements to its data security practices and would be subject to ongoing oversight by regulators.
“Today’s announcement is not the end of our efforts to make sure consumers’ sensitive personal information is safe and secure,” CFPB director Kathleen Kraninger said.
“The incident at Equifax underscores the evolving cybersecurity threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers,” Kraninger continued. “Too much is at stake for the financial security of the American people to make these protections anything less than a top priority.”
New York heavily involved on state level
New York attorney general Letitia James co-led the coalition of 50 attorneys general in reaching the settlement with Equifax.
“Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk,” James said in a news release. “This company’s ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population.
“Now it’s time for the company to do what’s right and not only pay restitution to the millions of victims of their data breach, but also provide every American who had their highly sensitive information accessed with the tools they need to battle identity theft in the future,” James continued.
Additionally, the New York State Department of Financial Services (DFS) separately investigated Equifax’s security practices, and found that the company engaged in practices that violated the Dodd-Frank Act and Financial Services Law 408. As a result, Equifax will be fined an additional $10 million by DFS, bringing the total New York State will receive in fines to more than $19.2 million.
“First and foremost, the settlement announced today holds Equifax accountable for its egregious breach in its duty to consumers in safeguarding their sensitive personal identifying information and restores some peace of mind and protection to New Yorkers,” DFS superintendent Linda Lacewell said.
“Strengthening consumer protections for New Yorkers, DFS now requires credit rating agencies to be licensed and supervised by DFS, and comply with the Department’s landmark cybersecurity regulation to better guard against potential breaches,” Lacewell went on to say.
Some consumer advocates still not happy
U.S. PIRG said the “Equifax penalty is a sweetheart deal that leaves consumers at risk.” U.S. PIRG is the federation of state public interest research groups, which are non-profit, non-partisan public interest advocacy organizations.
“Equifax appears to have made a calculated decision that losing the Social Security Numbers and birth dates of some 148 million consumers to identity thieves was worth only about $700 million or a little less,” U.S. PIRG federal consumer program director Ed Mierzwinski said in a news release distributed late on Friday. “The shelf life of financial DNA is forever so this sounds like a sweetheart deal for a company that failed to do its basic job: protect consumer data.
“Failure to protect privacy has a real harm; we think Equifax should have paid real money, not ‘just go-away’ money, and promised real changes to its sloppy last-century practices,” Mierzwinski continued.