Equifax has agreed to pay $575 million to settle consumer as well as state and federal regulatory claims for its 2017 data breach. This is the largest data breach settlement to date.
2017 Data Breach
At the federal level, the FTC and CFPB both filed complaints against Equifax. The FTC complaint alleges Equifax was aware of a security vulnerability in a database containing consumer inquiries about their personal credit data. Equifax did not patch the reported vulnerability for four months, which allowed hackers to steal 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,900 payment card numbers and expiration dates. These allegations are largely mirrored in the consumer complaints filed throughout the country.
Federal regulators as well as consumers also alleged that Equifax did not implement other basic security measures that would have protected against this data breach. This includes failing to implement a policy to ensure that security vulnerabilities were patched; failing to segment its database servers to block access to other parts of the network once one database was breached; and failing to install robust intrusion detection protections for its legacy databases. In addition, claimants also allege that Equifax stored network credentials and passwords, as well as Social Security numbers and other sensitive consumer information, in plain text.
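Two of the alleged failures above, an unpatched known vulnerability left open past any reasonable window and credentials stored in plain text, are the kind of control gaps an internal security program is expected to catch routinely. The following script is an added illustration, not code from the article, the FTC or Equifax, of what a minimal automated check for both might look like: it compares a constructed asset inventory against constructed vulnerability advisories to flag systems that are still unpatched after an assumed 30-day patch SLA, and it scans constructed configuration lines for plaintext passwords and Social Security numbers. All advisory IDs, host names, versions, dates and the SLA value are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date
import re

# Assumed policy value for this example; the article states no SLA.
PATCH_SLA_DAYS = 30


@dataclass(frozen=True)
class Advisory:
    id: str                # placeholder identifier, constructed for this example
    product: str
    fixed_version: tuple   # first version that contains the fix
    published: date        # date the vulnerability became public


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: tuple
    segment: str           # network segment, recorded for later segmentation review


# Constructed sample data (not real advisories, products or hosts).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "webfw", (2, 3, 32), date(2017, 3, 7)),
    Advisory("ADV-EXAMPLE-002", "dbserver", (10, 2, 1), date(2017, 6, 1)),
]
ASSETS = [
    Asset("web-01", "webfw", (2, 3, 30), "dmz"),        # below the fixed version
    Asset("web-02", "webfw", (2, 3, 33), "dmz"),        # already patched
    Asset("db-01", "dbserver", (10, 1, 9), "internal"),  # below the fixed version
]


def overdue_patches(assets, advisories, as_of, sla_days=PATCH_SLA_DAYS):
    """Return (asset name, advisory id, days past SLA) for every asset that is
    still running a version below the fix once the patch SLA has elapsed."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if adv.product != asset.product or asset.version >= adv.fixed_version:
                continue
            days_open = (as_of - adv.published).days
            if days_open > sla_days:
                findings.append((asset.name, adv.id, days_open - sla_days))
    return findings


# Patterns for secrets that should never appear in plain text in config files.
# A password value that references a secret store ("${...}") or an encrypted
# blob ("ENC(...)") is deliberately not flagged.
SECRET_PATTERNS = [
    ("password", re.compile(r"^\s*\w*password\s*=\s*(?!\$\{|ENC\()\S+", re.I)),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
]

# Constructed configuration lines for the scan.
SAMPLE_CONFIG = [
    "db_host = db-01.internal",
    "db_password = hunter2",         # plaintext credential
    "api_password = ${VAULT:api}",   # indirection to a secret store, not flagged
    "# test record: 123-45-6789",    # plaintext SSN left in a comment
]


def plaintext_secret_findings(lines):
    """Return (line number, secret type) for each line that matches a pattern."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label))
    return findings


if __name__ == "__main__":
    for name, adv_id, overdue in overdue_patches(ASSETS, ADVISORIES, date(2017, 7, 29)):
        print(f"UNPATCHED {name}: {adv_id} is {overdue} days past the {PATCH_SLA_DAYS}-day SLA")
    for lineno, label in plaintext_secret_findings(SAMPLE_CONFIG):
        print(f"PLAINTEXT {label} on config line {lineno}")
```

Run as-is, the patch check reports web-01 and db-01 and leaves the patched web-02 alone, and the config scan reports the plaintext password and the SSN while accepting the vault reference. The `segment` field is recorded so the same inventory can feed a segmentation review, such as confirming that hosts in `dmz` have no direct route to `internal` database servers.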
Settlement Funds and Other Relief
As part of the settlement, Equifax will pay $300 million to a fund that will provide affected consumers with credit monitoring services. The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach. If the initial $300 million is not enough to cover the fund’s expenses, Equifax will contribute up to an additional $125 million to cover the costs.
Equifax will also pay $175 million in fines to forty-eight states, the District of Columbia, and Puerto Rico to bring an end to the investigations being conducted by their Attorneys General. $100 million will go to the CFPB for a civil money penalty. During the press call about the settlement, the FTC continued to ask Congress for more enforcement authority in data security cases, including the ability to impose civil penalties.
Beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years—in addition to the one free annual credit report that Equifax and the two other nationwide consumer reporting agencies currently provide.
In addition to these funds, Equifax will be required to put into action a comprehensive security program. This program has several requirements, including:
- Designating an employee to oversee the information security program;
- Conducting annual assessments of internal and external security risks and implementing safeguards to address potential risks, such as patch management and security remediation policies, network intrusion mechanisms, and other protections;
- Obtaining annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirement;
- Testing and monitoring the effectiveness of the security safeguards;
- Ensuring that service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data; and
- Participating in third party audits of its security program every two years.
Under the terms of the proposed settlement of the consumer class action litigation, Equifax must spend a minimum of $1 billion to improve its data security program.
What This Means
The FTC has released guidance on what the Equifax Settlement means for businesses, citing the steps that Equifax could have taken to prevent and/or mitigate the effects of the data breach. Many of Equifax’s alleged security failures flow from the failure to implement or maintain policies for patch management, network segmentation or encryption – issues that the FTC has previously addressed through consent decrees and its Start with Security guidance.
Although the CFPB seemed willing to defer to the FTC in settling this case, the CFPB’s participation in this case is notable and could signal heightened scrutiny by the CFPB of financial institutions’ data security measures, especially national banks that are outside of the FTC’s jurisdiction.
The extent to which the Equifax settlement helps define the meaning of “reasonable” data security – the prevailing US standard – is an issue that security professionals will debate for the foreseeable future and will be addressed in future Ballard blog posts.
A version of this article also appears on Ballard Spahr’s CyberAdvisor blog.