The Federal Trade Commission announced that Equifax Inc. has agreed to pay at least $575 million, and potentially up to $700 million, as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB) and 50 states and territories, which alleged that the credit reporting company’s failure to take reasonable steps to secure its network led to a data breach in 2017 that affected approximately 147 million people.
As you may recall, Equifax discovered a data breach on July 29, 2017, but did not announce it until September of 2017. Hackers were able to access files containing personal information, including dates of birth, Social Security numbers, addresses, and credit card numbers.
This is a nightmare scenario not only for a credit bureau, but also for all the people who trusted Equifax to keep their personal information safe and secure. The FTC alleges that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database. That is the database that handles inquiries from consumers about their personal credit data.
The proposed settlement:
- Equifax will pay $300 million to a fund that will provide affected consumers with credit monitoring services. The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach.
- Equifax will add up to $125 million to the fund if the initial payment is not enough.
- Beginning in January of 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years – in addition to the one free annual credit report that all credit bureaus offer.
- Equifax will pay $174 million to 48 states, the District of Columbia, and Puerto Rico, as well as $100 million to the CFPB in penalties.
- The settlement also requires Equifax to obtain third-party assessments of its information security program every two years.