Equifax will pay up to $700 million in fines and monetary relief to consumers over a 2017 data breach at the credit reporting bureau that affected nearly 150 million people, including 15 million Californians.
The proposed settlement, which is subject to approval by a federal court, was announced Monday by the company, the Federal Trade Commission, the Consumer Financial Protection Bureau, 48 states, the District of Columbia and Puerto Rico.
“On top of holding Equifax accountable for one of the most devastating data breaches to face our nation, we have now recovered hundreds of millions of dollars to help our families who fell victim,” said California Attorney General Becerra, who led the multistate coalition, in a statement. “Equifax, one of only three major credit reporting agencies, had a responsibility to secure and protect Americans’ data. Instead, it breached public trust.”
The consumer data exposed in the breach included Social Security numbers, birthdates and addresses and, in some cases, driver’s license numbers.
CFPB Director Kathleen Kraninger said the settlement includes $425 million to cover the “time and money [people affected by the breach] spent to protect themselves from potential threats of identity theft or addressing incidents of identity theft as a result of the breach.”
Equifax also agreed to pay $175 million to the states, including more than $18.7 million to California, and $100 million to the CFPB in civil penalties.
And, starting in January, Equifax “will provide all U.S. consumers with six free credit reports each year for seven years,” the FTC said. That’s in addition to the free annual credit reports that Equifax, and the two other nationwide credit reporting agencies — Experian and TransUnion — currently provide.
Under the settlement, affected consumers will be eligible for free credit monitoring. Those who already have credit monitoring services for at least six months can request a $125 cash payment.
“Our credit status impacts nearly every aspect of our lives — from purchasing a home or a car to finding a job,” Becerra said. “The same Americans who had to immediately protect themselves from fraudsters or identify thieves will have to be vigilant for the rest of their lives. We encourage every eligible person to apply for the relief they are entitled to as part of our settlement.”
People affected by the breach may also qualify for cash payments of up to $20,000 for: the time they spent dealing with fraud, identity theft or other misuses of their personal information, or taking preventative steps such as placing or removing security freezes; for out-of-pocket losses; and for 25% of the cost of Equifax credit or identity-monitoring products they paid for in the year before the breach was announced.
“Equifax failed to take basic steps that may have prevented the breach,” FTC Chairman Joe Simons said in the agency’s announcement. “This settlement requires that the company take steps to improve its data security.”
