Equifax to Pay Up to $700 Million in Data Breach Settlement

Equifax will pay up to $700 million in fines and monetary relief to consumers over a 2017 data breach at the credit reporting bureau that affected nearly 150 million people, including 15 million Californians.

The proposed settlement, which is subject to approval by a federal court, was announced Monday by the company, the Federal Trade Commission, the Consumer Financial Protection Bureau, 48 states, the District of Columbia and Puerto Rico.

"On top of holding Equifax accountable for one of the most devastating data breaches to face our nation, we have now recovered hundreds of millions of dollars to help our families who fell victim," said California Attorney General Becerra, who led the multistate coalition, in a statement. "Equifax, one of only three major credit reporting agencies, had a responsibility to secure and protect Americans' data. Instead, it breached public trust."

The consumer data exposed in the breach included Social Security numbers, birthdates and addresses and, in some cases, driver's license numbers.

CFPB Director Kathleen Kraninger said the settlement includes $425 million to cover the "time and money [people affected by the breach] spent to protect themselves from potential threats of identity theft or addressing incidents of identity theft as a result of the breach."

Equifax also agreed to pay $175 million to the states, including more than $18.7 million to California, and $100 million to the CFPB in civil penalties.

And, starting in January, Equifax "will provide all U.S. consumers with six free credit reports each year for seven years," the FTC said. That's in addition to the free annual credit reports that Equifax, and the two other nationwide credit reporting agencies — Experian and TransUnion — currently provide.

Under the settlement, affected consumers will be eligible for free credit monitoring. Those who already have credit monitoring services for at least six months can request a $125 cash payment.

"Our credit status impacts nearly every aspect of our lives — from purchasing a home or a car to finding a job," Becerra said. "The same Americans who had to immediately protect themselves from fraudsters or identify thieves will have to be vigilant for the rest of their lives. We encourage every eligible person to apply for the relief they are entitled to as part of our settlement."

People affected by the breach may also qualify for cash payments of up to $20,000 for: the time they spent dealing with fraud, identity theft or other misuses of their personal information, or taking preventative steps such as placing or removing security freezes; for out-of-pocket losses; and for 25% of the cost of Equifax credit or identity-monitoring products they paid for in the year before the breach was announced.

"Equifax failed to take basic steps that may have prevented the breach," FTC Chairman Joe Simons said in the agency's announcement. "This settlement requires that the company take steps to improve its data security."

The FTC alleges that Equifax "failed to patch its network after being alerted in March 2017 to a critical security vulnerability" and that the company didn't discover that its database was unpatched until four months later, when it detected suspicious traffic on its network. Multiple hackers were able to exploit the vulnerability, the FTC said.

In a statement, Equifax called the proposed settlement "a positive step for U.S. consumers." Equifax CEO Mark Begor said the $425 million consumer fund "reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter."

Some consumer advocates said the proposed settlement didn't go far enough, given the long-term harm the breach inflicted. "The shelf life of financial DNA is forever so this sounds like a sweetheart deal for a company that failed to do its basic job: protect consumer data," the U.S. Public Interest Research Group said in a statement.

But others praised the agreement. Justin Brookman, director of privacy and technology policy for Consumer Reports, said the FTC was able to force Equifax to "spend a fair amount of money as far as improving security, paying for credit monitoring, and reimbursing consumers for their expenses."

Sen. Mark Warner, D-Va., a member of the Senate Banking Committee, said in a statement that he was happy consumers will be compensated but added, "we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again." Warner is co-sponsoring legislation that would give the FTC more authority to supervise data security at the credit agencies.

KQED's Don Clyde contributed to this report.

Copyright 2019 NPR. To see more, visit https://www.npr.org.