Equifax Settles Data Breach Lawsuits


More than $300 million for a consumer restitution fund set aside, but no structural change in how companies collect and store user data.

The credit monitoring agency Equifax has agreed to pay between $575 million and $700 million as part of a settlement to end multiple state, federal and consumer lawsuits related to the 2017 data breach, which exposed sensitive information of more than 147 million people.

Equifax has agreed to pay at least $575 million, of which $300 million will go into a restitution fund for consumers who file claims showing they were financially harmed by the data breach, $100 million in fines to the Consumer Financial Protection Bureau to end the federal regulator's investigation, and $175 million in fines to end investigations brought by the attorneys general of 48 states and by the representatives of the District of Columbia and Puerto Rico, according to the Federal Trade Commission. There is a provision for Equifax to add up to $125 million more if the fund runs out before all claims are settled.

Under the terms of the settlement, Equifax will provide victims with up to 10 years of free credit monitoring services and change how it handles and safeguards individual data, such as performing annual assessments of security risks and having the board certify that the company has complied with the FTC's order. Starting in January, Equifax "will provide all U.S. consumers with six free credit reports each year for seven years," the FTC said. The reports are in addition to the one free report a year that Equifax (as well as Experian and TransUnion) already provides.

"Equifax failed to take basic steps that may have prevented the breach," FTC Chairman Joe Simons said in a statement. "This settlement requires that the company take steps to improve its data security."

The settlement amount is based on the assumption that 7 million victims will sign up for credit monitoring services. As Indiana and Massachusetts filed their own lawsuits against Equifax, they are not included in the deal. Equifax will not pay a fine to the FTC because the agency has limited legal power to impose big financial penalties.

While the maximum settlement, which still needs to be approved in federal court, would be the largest ever paid by a company over a data breach, it is still less than what the credit bureau typically makes in sales in one quarter. Equifax set aside $690 million last quarter to cover the anticipated costs of this settlement.

Also, this: “Equifax denies any wrongdoing, and no judgment or finding of wrongdoing has been made,” the company said.

In the aftermath of the breach, Equifax has spent hundreds of millions of dollars on the investigation, improving its security controls and rebuilding the technical infrastructure, providing free credit monitoring services, and covering its legal fees. Credit ratings service Moody's revised its outlook on Equifax. The settlement means the end is in sight for Equifax as it tries to recover from the breach ordeal; that isn't the case for consumers.

The data is still out there and consumers have to remain on guard for whenever that information will get used against them. "The shelf life of financial DNA is forever so this sounds like a sweetheart deal for a company that failed to do its basic job: protect consumer data," the U.S. Public Interest Research Group said in a statement.

The fund will cover consumer claims, but it may prove difficult for consumers to prove financial harm and get a payment. Despite the fact that the breach occurred two years ago, the stolen data has yet to surface in criminal forums or marketplaces where stolen information is typically traded or sold. According to the settlement documents, consumers can file a claim if they can show they were affected by the breach and were victims of identity theft or fraud afterwards. They do not have to prove the Equifax breach was the direct cause, which is a good thing, since linking a breach to a case of fraud is rarely possible. Anyone who already has credit monitoring services for at least six months can file a claim to request a $125 cash payment. They can also request reimbursement for the time spent discussing or resolving issues related to the breach, at a rate of $25 per hour, for up to 20 hours.

Many of Equifax's victims have already spent time and energy taking steps to freeze their credit files, signing up for credit monitoring and identity theft protection services, and scouring their financial statements and credit reports for signs of fraud. They will have to find the documentation showing the amounts spent and time taken in order to file a claim, but that may be a challenge if they haven't already been tracking that information. (And who knew they would be expected to?)

Several Congressional hearings and a scathing audit report outlining Equifax's mistakes (the issues go beyond not updating a server running a vulnerable version of Apache Struts) later, nothing much has changed. Lawmakers passed a law that requires credit bureaus to offer credit freezes for free and imposed some new restrictions on credit bureaus, but there have been no major changes governing what information credit bureaus can collect or how they should protect what they collect. There was talk of replacing Social Security numbers, giving the Federal Trade Commission greater authority to inspect and supervise cybersecurity at credit reporting agencies, imposing mandatory fines for data breaches, and passing new privacy laws that would give consumers greater control over their data.

As one of the three largest credit bureaus in the U.S., Equifax has extensive information on hundreds of millions of consumers, including financial transactions and personal details. Other organizations use the information to assess a consumer's credit history before making loans and opening financial accounts. While consumers can somewhat restrict access to their records, they have no way to opt out and demand that their information not be collected or stored. That hasn't changed.

“Americans don’t choose to have companies like Equifax collecting their data – by the nature of their business models, credit bureaus collect your personal information whether you want them to or not," said U.S. Sen. Mark R. Warner (D-VA) in a statement. "[We] need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”