The consumer data exposed in the breach included Social Security numbers, birthdates and addresses and, in some cases, driver’s license numbers.
CFPB Director Kathleen Kraninger said the settlement includes $425 million to cover the “time and money [people affected by the breach] spent to protect themselves from potential threats of identity theft or addressing incidents of identity theft as a result of the breach.”
Equifax also agreed to pay $175 million to the states, including more than $18.7 million to California, and $100 million to the CFPB in civil penalties.
And, starting in January, Equifax “will provide all U.S. consumers with six free credit reports each year for seven years,” the FTC said. That’s in addition to the free annual credit reports that Equifax, and the two other nationwide credit reporting agencies — Experian and TransUnion — currently provide.
Under the settlement, affected consumers will be eligible for free credit monitoring. Those who already have credit monitoring services for at least six months can request a $125 cash payment.
“Our credit status impacts nearly every aspect of our lives — from purchasing a home or a car to finding a job,” Becerra said. “The same Americans who had to immediately protect themselves from fraudsters or identify thieves will have to be vigilant for the rest of their lives. We encourage every eligible person to apply for the relief they are entitled to as part of our settlement.”
People affected by the breach may also qualify for cash payments of up to $20,000 for: the time they spent dealing with fraud, identity theft or other misuses of their personal information, or taking preventative steps such as placing or removing security freezes; for out-of-pocket losses; and for 25% of the cost of Equifax credit or identity-monitoring products they paid for in the year before the breach was announced.
“Equifax failed to take basic steps that may have prevented the breach,” FTC Chairman Joe Simons said in the agency’s announcement. “This settlement requires that the company take steps to improve its data security.”