Equifax has decided to resolve its federal data breach case by paying at least $575 million. The settlement could possibly go up to $700 million plus the need to make significant improvements to its security controls and better secure consumer information.
In 2017, Equifax encountered an enormous data breach compromising the personal information of 147 million US citizens. Their names, birth dates, addresses, and Social Security numbers were possibly stolen by the attacker and the victims were at risk of facing identity theft and fraudulence.
Equifax submitted a breach report in September 2017. In two years after the incident, Equifax has been to Congress several times to talk about the breach and its response. Regulators likewise investigated Equifax to find out if reasonable and proper security measures were implemented to secure the consumer information stored on its network.
The Federal Trade Commission (FTC) confirmed Equifax’s security failures, which opened the door to hackers. FTC chairman Joe Simons stated that Equifax did not do the basic steps to prevent the breach. And so it is just right to issue a financial penalty.
It is stated in the terms of settlement that Equifax will pay close to $700 million and must employ a much stronger cybersecurity program. The company need to have yearly security audits and send external data security audit reports every two years. When providing any third party with access to Equifax’s consumer information, it must be vetted to make certain their data security measures are appropriate.
The Equifax settlement consists of a $300 million fund for the breach victims’ monetary relief. The fund is allocated for credit monitoring services and the victims’ out of pocket expenditures caused by the breach. Equifax needs to add another $125 million to the fund in case the $300 million is not enough to pay for all of the claims. Each victim can claim up to $20,000.
Equifax will pay the Consumer Financial Protection Bureau (CFPB) $100 million in civil penalties. Then 48 states, Puerto Rico and Washington D.C. will split up another $175 million settlement fee. Starting 2020 and for 7 years, Equifax should give consumers 6 free credit reports per year, aside from the three years already given.
Though the Equifax settlement is without doubt substantial, many still think the penalty is not intense enough considering the size of Equifax and the data exposure of almost 50% of all Americans.
Equifax is happy to have settled the case at last considering it as a positive step for the company and U.S. consumers. Besides the $700 million settlement, the UK Information Commissioner’s Office fined Equifax the amount of £500,000, which is the maximum penalty acceptable before the GDPR launch. If the breach occurred one year later, the penalty may have been as much as 4% of the company’s global yearly revenues.
Equifax declared in May 2019 that the company already spent $1.4 billion in breach remediation, computer systems update, and security enhancement.