Credit scoring giant Equifax has settled a complaint with the Consumer Financial Protection Bureau over its handling of its 2017 data breach.
The settlement, which calls for up to $700 million in relief and penalties, also includes the Federal Trade Commission, 48 states, the District of Columbia and Puerto Rico.
In a complaint and proposed stipulated judgment filed in federal district court in the Northern District of Georgia, the bureau alleges that Equifax engaged in unfair and deceptive practices in connection with the 2017 data breach of Equifax’s systems that impacted approximately 147 million consumers. The breach exposed names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud.
If approved, the settlement allots $425 million in monetary relief and $100 million in civil penalties along with other relief. Equifax will additionally pay $175 million to 48 states, the District of Columbia and Puerto Rico.
Equifax violated the law in several ways through its conduct both before and after the breach, the CFPB said in the complaint. Specifically, Equifax engaged in unfair and deceptive practices in violation of the Consumer Financial Protection Act of 2010. The company failed to provide reasonable security for the massive quantities of sensitive personal information stored within its computer network, causing substantial injury to consumers whose data was stolen, the bureau said.
“The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers,” said CFPB Director Kathy Kraninger. “Too much is at stake for the financial security of the American people to make these protections anything less than a top priority.”
Equifax also allegedly deceived consumers about the strength of its data security program in its privacy policies, and engaged in acts and practices that caused additional harm or risk of harm to consumers in response to the breach.
All affected consumers would be eligible to receive at least 10 years of free credit monitoring and at least seven years of free identity-restoration services. In addition, starting on December 31, 2019 and extending seven years, all U.S. consumers may request up to six free copies of their Equifax credit report during any 12-month period. These free copies will be provided to requesting consumers in addition to any free reports to which they are entitled under federal law.
If consumers choose not to enroll in the free credit monitoring product available through the settlement, they may seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chair Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.”