Consumer credit reporting agency Equifax will pay $700 million in monetary relief and penalties to settle allegations that it engaged in unfair and deceptive practices in connection with the 2017 data breach of its systems that impacted approximately 147 million consumers.
In a complaint filed in federal district court in the Northern District of Georgia, the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC), and 48 states, the District of Columbia and Puerto Rico allege that Equifax failed to provide reasonable security for the massive quantities of sensitive personal information stored within its computer network, causing substantial injury to consumers whose data was stolen.
The complaint further alleges that Equifax deceived consumers about the strength of its data security program in its privacy policies; and engaged in acts and practices that caused additional harm or risk of harm to consumers in response to the breach.
In a statement, Kathleen L. Kraninger, director of the CFPB, says “the incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers.”
“Too much is at stake for the financial security of the American people to make these protections anything less than a top priority,” Kraninger adds.
The proposed settlement with the CFPB, if approved by the court, will provide up to $425 million in monetary relief to consumers, a $100 million civil money penalty, and other relief.
The CFPB coordinated its investigation with the FTC and attorneys general from across the country. In total, the settlements with these entities would impose up to $700 million in relief and penalties.
The breach exposed sensitive personal information, including names, addresses, social security numbers and dates of birth.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” says Joe Simons, chairman of the FTC. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
Mark W. Begor, CEO of Equifax, says the settlement “is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company.”
“The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data – and reflects the seriousness with which we take this matter,” Begor says in a company statement. “We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program. We are focused on the future of Equifax and returning to market leadership and growth.”