[BreachExchange] Equifax to Pay at Least $650 Million in Largest Data-Breach Settlement Ever

Destry Winant destry at riskbasedsecurity.com
Mon Jul 22 09:36:07 EDT 2019


https://www.nytimes.com/2019/07/22/business/equifax-settlement.html

The credit bureau Equifax will pay at least $650 million and
potentially significantly more to end an array of state, federal and
consumer claims over a data breach two years ago that exposed the
sensitive information of more than 148 million people. The breach was
one of the most potentially damaging in an ever-growing list of
digital thefts.

The settlement, which was announced on Monday and still needs court
approval, would be the largest ever paid by a company over a data
breach. The deal requires Equifax to put a minimum of $380.5 million
into a restitution fund for American consumers who file claims showing
that they were financially harmed.

A portion of that money will pay for lawyers’ fees, but at least $300
million must go to victims, according to settlement documents filed in
federal court in Atlanta. If the initial cash is depleted, the company
will add up to $125 million more to settle consumers’ claims, bringing
the total fund size to more than $500 million.

For people affected by the breach, a new website will soon be set up
to provide information and handle claims after the settlement receives
court approval, regulators said. For now, customers can sign up for
updates at ftc.gov/equifax.

Equifax also agreed to provide up to 10 years of free credit
monitoring services to those who had their data exposed. The
settlement assumes that around 7 million people will sign up for that
service. If more do, Equifax’s costs for providing it could rise
meaningfully.

Equifax will pay an additional $175 million in fines to end
investigations by 50 attorneys general. Forty-eight states — all
except Indiana and Massachusetts, which separately filed their own
lawsuits against Equifax — are part of the deal, along with the
District of Columbia and Puerto Rico.

“Equifax put profits over privacy and greed over people, and must be
held accountable to the millions of people they put at risk,” said
Attorney General Letitia James of New York, who helped lead the
states’ investigation. “This company’s ineptitude, negligence and lax
security standards endangered the identities of half the U.S.
population.”

The deal also settles investigations by two federal regulators: the
Consumer Financial Protection Bureau, to which Equifax will pay a $100
million fine, and the Federal Trade Commission, the primary federal
overseer of data security issues. The F.T.C. is not charging a fine;
unlike the consumer bureau, it has limited legal power to impose big
financial penalties.

Equifax, based in Atlanta, has been negotiating for months to finalize
this settlement, and it set aside $690 million last quarter to cover
the anticipated costs. Separately, the company has responded to the
breach by spending hundreds of millions of dollars on investigative
costs, technology improvements, free credit monitoring services and
legal fees.

Equifax did not immediately respond to a request for comment.

The settlement’s total price tag adds up to a bit less than one
typical quarter of sales for Equifax. Last year, the company earned
$300 million, a 49 percent drop from its income a year earlier, on
sales of $3.4 billion. Equifax’s stock price tumbled after the breach
but has since recovered most of its losses.

Some consumer advocates wish the punishment had been sharper.

“The Equifax fine is grievously low, particularly given the scope of
the identity problems they created,” said Pam Dixon, the executive
director of the World Privacy Forum.

But the sum “is not insignificant,” said Christopher Peterson, a law
professor at the University of Utah and a former enforcement lawyer at
the Consumer Financial Protection Bureau. Settling the case quickly is
probably a better outcome for consumers than years of legal battling,
he added.

“My perspective is that this is a win for the various consumer
protection agencies that are involved, but that over the long term, it
creates only a relatively mild incentive for the big credit reporting
agencies to strengthen their data security,” Mr. Peterson said. “The
underlying law itself here does not provide as much protection as I
think most Americans deserve and want.”

Equifax, one of America’s three largest credit bureaus, alongside
Experian and TransUnion, has files on hundreds of millions of people
worldwide that contain extensive details about their financial
accounts and transactions. Equifax even receives copies of millions of
Americans’ paychecks, which are fed into its Work Number database.

The company makes money by selling its vast trove of information to
auto loan, mortgage and credit card issuers. Consumers can exercise
some control over how their files are used — for example, by freezing
them to prevent new credit lines from being opened — but they cannot
opt out of the system and demand that Equifax or its competitors stop
collecting and storing their personal information.

Law enforcement officials have never publicly identified who was
behind the Equifax theft, and cybersecurity experts say they have not
seen any sign of the information surfacing in the kinds of online
marketplaces where stolen personal information is often bought and
sold.

That has made it tricky to determine how much the attack has harmed
consumers. There is little known evidence of consumer fraud directly
attributed to the breach, but customers have spent countless hours
taking precautionary steps like freezing their credit files and
scouring them for signs of illicit activity.

Consumers seeking payments from the restitution fund will be required
to submit claims, with documentation, showing that they have been a
victim of fraud or have taken steps to set up credit monitoring
services. Fraud victims will not have to prove that Equifax’s breach
directly caused their loss; anyone who was affected by the breach and
subsequently experienced fraud involving personal information that was
stolen will be able to make a claim, according to settlement
documents.

People who paid for credit monitoring or identity theft protection
services will be eligible to have what they spent refunded. They will
also be eligible for compensation for the time they spent dealing with
the issues — such as hours on the phone talking to financial services
providers — at a rate of $25 per hour, for up to 20 hours.

The Equifax hackers used a flaw that was known but accidentally left
unfixed to gain access to dozens of databases. They did not steal
Equifax’s crown jewels, its credit files, but they did obtain
sensitive information like names, Social Security numbers, birth
dates, addresses and driver’s license numbers.

For about 76 days, according to a government report, the hackers
siphoned information out in small increments, until Equifax detected
the intrusion in late July 2017. It was not until six weeks later that
the company disclosed the breach.

Individuals, lawmakers and regulators responded with fury to both the
loss of so much sensitive information and to the company’s bungled
public response. Equifax created an information website that barely
functioned. It struggled to keep up with the deluge of phone calls and
messages from worried consumers and, at one point, even accidentally
pointed those seeking information on the breach toward a fake website.

The turmoil led to the ouster of Equifax’s chief executive, Richard F.
Smith, who retired shortly after the breach was revealed. Several
other top executives, including the chief information officer and
chief security officer, were also forced out. Last year, Equifax named
an outsider, Mark Begor, a private equity executive, as its new chief
executive.

After a series of fiery congressional hearings, in which lawmakers of
both parties denounced Equifax for its missteps — “I can’t fix
stupid,” Representative Greg Walden, Republican of Oregon, told Mr.
Smith in one memorable exchange — lawmakers passed a few new
restrictions on credit bureaus, including a law making credit freezes
free. But there have been no major changes to the federal laws
covering what information credit bureaus can collect and what steps
they must take to safeguard it.

Major data breaches have become an almost routine occurrence. Last
year, the Marriott hotel chain disclosed that thieves had stolen
personal details on roughly 500 million guests, an attack that has
been attributed to a Chinese intelligence-gathering effort. In May, a
security journalist revealed that a major title insurance company,
First American Financial Corporation, had left nearly 900 million
documents related to mortgage deals lying openly on the internet,
unprotected.

