
Equifax to Pay Largest-Ever Data Breach Settlement

The Equifax data breach was one of the largest data breaches of all time, and it has resulted in the biggest settlement for a data breach to date. After two years of investigations at the state and federal levels, credit reporting agency Equifax has agreed to a $675 million – up to possibly $700 million – settlement that resolves complaints from the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB), as well as multistate class action litigation.

In 2017, Equifax was hacked after it failed to secure its servers, leaving the personal information of 147 million people – including credit card numbers, driver’s license numbers, Social Security numbers, birth dates, and addresses – exposed. As we previously reported, the theft of consumer data led to multistate litigation and investigations by Congress, the FTC, and European data protection authorities. A year after the breach, the Government Accountability Office (GAO) released a report on the breach, which found that Equifax was running software with a known, unpatched vulnerability in its online dispute portal, and that this vulnerability enabled hackers to penetrate the network and acquire personal information. According to the report, the company’s systemic deficits in the areas of identification, detection, segmentation, and data governance led to the breach.

The Order, which was approved by Chief Judge Thomas Thrash Jr. of the U.S. District Court for the Northern District of Georgia on July 22, 2019, requires Equifax to pay at least $175 million in civil penalties to the states, District of Columbia, and Puerto Rico, $300 million to a fund that will provide free credit monitoring services to consumers, and $100 million in fines to the CFPB. Equifax will contribute up to $125 million more to the fund if the initial payment isn’t adequate to compensate consumer losses. Consumers will also receive six free credit reports annually for seven years.

In addition to the payout, Equifax must implement a comprehensive information security program and must designate an employee to oversee it. The company is required to obtain third-party assessments of its information security program every two years, and the FTC can approve the assessor for each two-year assessment period. Equifax also must invest a minimum of $1 billion to improve its data security over the next five years.

In prepared remarks at a press conference on July 22, 2019, FTC chair Joseph Simons used the opportunity to reiterate a point he made previously in testimony to Congress – that the FTC needs greater enforcement powers:

“The [CFPB] and the states were able to obtain civil penalties for this breach by a major financial institution. The FTC could not. The FTC could not, because we do not have civil penalty authority for initial violations of the FTC Act or for violations of the Gramm-Leach-Bliley Safeguards Rule. Fortunately, other agencies were able to fill in the gap – this time. But under different circumstances, future breaches might not always be subject to civil penalties, which sends absolutely the wrong signal regarding deterrence. For this reason, I renew my call for Congress to enact federal data security legislation that gives the FTC authority to seek civil penalties for first-time violations.”

Simons has repeatedly pushed Congress to grant the FTC greater enforcement powers, including the ability to impose fines for violations of federal laws that fall within its jurisdiction. The FTC’s recent willingness to use new tools, such as holding company executives personally liable for data breaches, shows that the FTC is creatively expanding the use of its enforcement arsenal while awaiting Congressional action, at least in some instances. However, the recent Commission vote to fine Facebook $5 billion for violations of a prior consent agreement – a situation where the FTC does have civil penalty authority – did not impose responsibility on Facebook founder Mark Zuckerberg or other senior executives. The failure to do so drew dissents from the two Democrats on the Commission, and the question of senior manager accountability will likely loom larger in future data breach and privacy investigations.

© 2019 Keller and Heckman LLP

About this Author

Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney
Partner

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues. She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters. She helps clients develop website and app privacy policies,...

202-434-4646
Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer
Partner

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions.

As to intellectual property matters, Ms. Marshall helps clients protect their copyrights and trademarks through registration, enforcement actions, and licensing agreements.

She also represents clients in proceedings before the Federal Communications Commission and Federal Trade Commission.

Ms. Marshall is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP) and a contributing author of Beyond Telecom Law Blog and Consumer Protection Connection.

Education: Washington and Lee University (B.A., 1997); American University, Washington College of Law (J.D., 2002).

Admissions: District of Columbia; Maryland

Memberships: American Bar Association

202-434-4234