On Monday, July 22, 2019, the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC), 48 states, the District of Columbia and Puerto Rico announced a settlement with credit agency Equifax for up to $700 million for its massive data breach in 2017. The breach occurred when hackers accessed Equifax’s servers through a vulnerability known by Equifax prior to the breach. Equifax’s failure to timely patch this known vulnerability resulted in the data breach that exposed the sensitive personal information of as many as 147 million people, including names, birth dates, addresses, and Social Security numbers.

As a result of this preventable breach, Equifax is now subject to one of the largest data breach settlements in U.S. history. Under the terms of the proposed settlement, which is pending court approval, Equifax must:

  1. Pay up to $425 million into a fund that will provide affected consumers with free credit monitoring and identity-restoration services, as well as reimbursements of up to $20,000 per person for any costs incurred by individuals as a result of the breach.
  2. Pay $175 million in civil penalties to 48 states, the District of Columbia and Puerto Rico, and $100 million in civil penalties to the CFPB.
  3. Establish a comprehensive information security program to protect the security, confidentiality and integrity of personal information, which includes conducting annual internal assessments of security risks, and undergoing third-party security assessments every two years.

As FTC Chairman Joe Simons stated, “companies that profit from personal information have an extra responsibility to protect and secure that data […] this settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.” This settlement is a clear indication of the FTC’s growing concern over consumer data protection, and serves as a heavy-handed reminder that companies should be ever-vigilant in updating and bolstering their internal security controls.

Keesal, Young & Logan Cybersecurity and Privacy Group
