Nearly two years after the catastrophic Equifax data breach of 2017 was announced, it looks like the company is readying to cough up damages to the millions of people whose personal information was exposed in the breach - or at least to those in the US.
The proposed deal would put the credit reporting agency out as much as $700 million (£561 million) to settle with federal agencies and 50 American states and territories, the US Federal Trade Commission announced Monday, in what will be the largest-ever settlement related to a data breach. Equifax will be required to pay at least $300 million (£240 million) but as much as $425 million (£325 million) and provide free credit monitoring services to victims of the breach. The settlement still requires court approval.
“This comprehensive settlement is a positive step for US consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company,” Equifax CEO Mark Begor said in a statement. “The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data—and reflects the seriousness with which we take this matter.”
Victims will be able to claim up to 10 years of free credit monitoring services for adults and up to 18 years for victims who were minors in May of 2017 (those who already have credit monitoring can instead opt for a payout of $125/£100). Equifax will also pay up to $20,000 (£16,000) to compensate for documented breach-related expenses, including time victims spent dealing with fraud or theft fallout and out-of-pocket costs, the FTC said. Additionally, Equifax will provide free resources for those recovering from identity theft as well as six free credit reports per year for all US consumers beginning in 2020. The settlement states that class members will have six months to claim benefits once the settlement is approved, though the claims window will be extended to four years if the fund for victims has not yet been depleted.
In addition to providing payouts and services to affected parties, the settlement also requires Equifax to overhaul its security protocols and institute safeguards to prevent a similar incident from occurring in the future. It’s a painfully delayed requirement of a company that handles extremely sensitive consumer data like Social Security numbers, dates of birth, home addresses, and other personal information, all of which was exposed in the breach that lawmakers last year determined was “entirely preventable.” But here we are.
In a statement this week, FTC Chairman Joe Simons said that companies like Equifax that “profit from personal information have an extra responsibility to protect and secure that data.”
“Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers,” Simons said. “This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”