Equifax to pay $575M for data breach, promises to protect data next time

Equifax, the Federal Trade Commission, and other state and federal regulators have agreed on what Equifax owes in penalties, nearly two years after the company's massive breach of sensitive consumer information became public. The company will pay at least $575 million, according to the terms of a settlement the FTC announced today. At least $300 million goes into a fund to pay for credit monitoring services for "affected customers," which includes more than 40% of the entire US population. That fund can get boosted by another $125 million if the initial $300 million isn't enough to compensate all consumers who make claims. Equifax will pay another $175 million in fines to be split up among the 50 attorneys general who filed suit, representing 48 states, Washington DC, and Puerto Rico, and $100 million in penalties to the Consumer Financial Protection Bureau. The company will not pay any penalties to the FTC itself, because the commission does not have the authority to fine companies for violations of the FTC Act or the Safeguards Rule, which requires financial institutions to take special care with consumer data. "The CFPB and the states were able to obtain civil penalties for this massive breach by a major financial institution. The FTC could not," commission chairman Joseph Simons said. "Fortunately other agencies were able to fill in the gap this time. That will not always be the case, which sends the wrong signal regarding deterrence." Simons then renewed his call for Congress to pass some kind of data security legislation that would give the commission authority to seek penalties for first-time violations. But even without such legislation, he added, the FTC will continue its "vigorous data security enforcement program." In addition to possible cash compensation or credit monitoring—which may be provided by Equifax itself—beginning in 2020, Equifax must provide six additional free credit reports per year to all US consumers for a period of seven years, in addition to the three free credit reports per year consumers are already entitled to receive. It also must agree to a slate of process and security improvements, including regular third-party audits and reports to the FTC regarding its handling of internal and external security. Equifax generated $3.4 billion in revenue in 2017 and $3.81 billion in revenue in 2018, according to its financial filings. But the comparatively lenient fine was deliberate. "We want to make sure we don't bankrupt the company or have them go out of business," said Maneesha Mithal, a data and privacy subject matter expert with the FTC. "We want to make sure they have the funds and resources to protect consumers going forward." Maryland Attorney General Brian Frosh, speaking at a press conference, noted that of the approximately 144 million victims, most were not Equifax customers. "Most of them—most of us—did not sign up... We did not choose Equifax," Frosh said. "It chose us. It collected our personal information, it compiled it, analyzed that information, and sold the product and some of the raw data to other people. Their carelessness with our personal data will cause harm perhaps for millions of Americans." Frosh also strongly suggested consumers who aren't expecting a major credit transaction in the near future, like buying a car or home, freeze their credit as soon as possible, and also the credit of their children under 18, in order to prevent fraud from occurring. The settlement puts a cap on a story that began in September 2017, when Equifax said it had suffered a data breach affecting personal information, including Social Security numbers, for hundreds of millions of US customers. Later investigation and Congressional testimony revealed that the breach, which the company discovered in July of that year, was made possible because the company didn't patch a software vulnerability it found out about months earlier. A former senior executive for the firm was charged with insider trading for selling shares after the breach was discovered but before it was made public; he pleaded guilty and was sentenced to four months in prison last month. Equifax CEO Mark Begor, who took over the role in March, 2018, said in a written statement the settlement marked "a positive step" for both consumers and the company. Consumers can read more through the FTC. Once a court order is filed, consumers can also file claims at EquifaxBreachSettlement.com.