October 19, 2021


Equifax Reaches Historic $575 Million Settlement Agreement Arising from 2017 Data Breach

Equifax has agreed to pay $575 million to settle consumer as well as state and federal regulatory claims for its 2017 data breach. This is the largest data breach settlement to date.

2017 Data Breach

At the federal level, the FTC and CFPB both filed complaints against Equifax. The FTC complaint alleges Equifax was aware of a security vulnerability in a database containing consumer inquiries about their personal credit data. Equifax did not patch the reported vulnerability for four months, which allowed hackers to steal 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,900 payment card numbers and expiration dates. These allegations are largely mirrored in the consumer complaints filed throughout the country.

Federal regulators as well as consumers also alleged that Equifax did not implement other basic security measures that would have protected against this data breach. This includes failing to implement a policy to ensure that security vulnerabilities were patched; failing to segment its database servers to block access to other parts of the network once one database was breached; and failing to install robust intrusion detection protections for its legacy databases. In addition, claimants also allege that Equifax stored network credentials and passwords, as well as Social Security numbers and other sensitive consumer information, in plain text.

Settlement Funds and Other Relief

As part of the settlement, Equifax will pay $300 million to a fund that will provide affected consumers with credit monitoring services. The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach. If the initial $300 million is not enough to cover the fund’s expenses, Equifax will contribute up to an additional $125 million to cover the costs.

Equifax will also pay $175 million in fines to forty-eight states, the District of Columbia, and Puerto Rico to bring an end to the investigations being conducted by their Attorneys General. $100 million will go to the CFPB for a civil money penalty. During the press call about the settlement, the FTC continued to ask Congress for more enforcement authority in data security cases, including the ability to impose civil penalties.

Beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years—in addition to the one free annual credit report that Equifax and the two other nationwide consumer reporting agencies currently provide.

Settlement Requirements

In addition to these funds, Equifax will be required to put into action a comprehensive security program. This program has several requirements, including:

  • Designating an employee to oversee the information security program;

  • Conducting annual assessments of internal and external security risks and implementing safeguards to address potential risks, such as patch management and security remediation policies, network intrusion mechanisms, and other protections;

  • Obtaining annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirement;

  • Testing and monitoring the effectiveness of the security safeguards;

  • Ensuring that service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data; and

  • Participating in third party audits of its security program every two years.

Under the terms of the proposed settlement of the consumer class action litigation, Equifax must spend a minimum of $1 billion to improve its data security program.

What This Means

The FTC has released guidance on what the Equifax settlement means for businesses, citing the steps that Equifax could have taken to prevent and/or mitigate the effects of the data breach. Many of Equifax’s alleged security failures flow from the failure to implement or maintain policies for patch management, network segmentation or encryption – issues that the FTC has previously addressed through consent decrees and its Start with Security guidance. The extent to which the Equifax settlement helps define the meaning of “reasonable” data security – the prevailing US standard – is an issue that security professionals will debate for the foreseeable future.

Copyright © by Ballard Spahr LLP

National Law Review, Volume IX, Number 204

About this Author

Philip Yannella, Ballard Spahr Law Firm, Philadelphia, Data Security Attorney

As Co-Practice Leader of Ballard’s Privacy and Data Security Group, and Practice Leader of the firm’s E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Mr. Yannella regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of...

Kim Phan, Ballard Spahr Law Firm, Washington DC, Business and Finance Law Attorney
Of Counsel

Kim Phan writes and speaks frequently about privacy and data security issues for a variety of industries, including consumer financial services, retail, hospitality, higher education, and utilities. Ms. Phan counsels clients on privacy and data security law in areas including the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Telephone Consumer Protection Act (TCPA), and other federal and state privacy and data security statutes and regulations. Her work in this area encompasses strategic planning and guidance for companies to incorporate...