Equifax has reached a settlement for the 2017 data breach that exposed the Social Security numbers and personal information of nearly 150 million people.
The proposed deal with the U.S. Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission and attorneys representing 48 states would cost the company a maximum of $700 million and would bring to a close several investigations as well as settle all class action lawsuits against the company.
$175 million of the proposed fine would be paid to U.S. states and $100 million to the CFPB in civil penalties. The remainder is earmarked for a restitution fund for consumers affected by the breach.
“First, Equifax will provide a total of up to 10 years in free credit monitoring services. The first 4 years will be provided for all three major CRAs – Equifax, TransUnion and Experian. Then Equifax will provide the services for monitoring their report for an additional 6 years. If you were a victim of the breach and a minor, even more services are available at no cost. If victims choose to opt out of the free credit monitoring option, they may be eligible for a $125 cash payment,” explained the Identity Theft Resource Center in an article about the settlement.
“Second, victims who have already dedicated resources to protecting their identity because of the Equifax breach could be reimbursed up to $20,000. This includes time spent protecting your identity or efforts to recover it. It also includes any money spent, like the cost of lawyers or fraudulent financial charges. It’s unclear what the specifics are behind how to obtain this reimbursement, but consumers will most likely bear the burden to prove the impact in order to receive compensation,” the article added.
“This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company,” said Equifax CEO Mark W. Begor in a press release.
“Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers,” said FTC Chairman Joe Simons in a statement announcing the proposed fine.
“This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud,” he added.
While the settlement represents a record fine in the U.S. for a data breach, it has drawn heavy criticism for being too lenient. As pointed out by an editorial in Fast Company, the total paid by the company works out to roughly $4-$5 per person affected by the breach.
“This settlement is just a drop in the bucket of what Equifax’s disregard for privacy could cost American families,” said U.S. Senator Sherrod Brown in a statement.
Attorneys General from Indiana and Massachusetts have declined to participate in the settlement and are continuing litigation.