WASHINGTON (AP) — Equifax has agreed to pay $700 million, potentially more, to settle with the federal authorities and states over its 2017 data breach that exposed the Social Security numbers and other private information of nearly 150 million people, roughly half of the U.S. population.
The settlement with the Consumer Financial Protection Bureau and the Federal Trade Commission, as well as 48 states, the District of Columbia and Puerto Rico, would provide up to $425 million in monetary relief to consumers, a $100 million civil money penalty, and other relief.
The breach was one of the largest ever to threaten the private information. The consumer reporting company, based in Atlanta, did not detect the attack for more than six weeks. The compromised data included Social Security numbers, birth dates, addresses, driver license numbers, credit card numbers and in some cases, data from passports. The breach resulted in the abrupt dismissal of Equifax’s then CEO, as well as numerous other executives at the company.
“The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data - and reflects the seriousness with which we take this matter,” said Equifax CEO Mark Begor.
Equifax stock, which plunged 30% in the days following the disclosure of the breach, have returned to levels where they traded before the incident. Shares of Equifax rose 2% to $140.26. A share cost $141.45 in the hours before the breach was disclosed on Sept. 7, 2017.
What consumers might receive
Victims of Equifax’s breach will be eligible for up to 10 years of credit monitoring services for free, seven years of identity-restoration services, and six free copies of Equifax’s credit reports per year for the next seven years. That’s on top of the free credit reports each U.S. resident is eligible for from the credit reporting companies under U.S. law.
If consumers choose not to enroll in the free credit monitoring product, they may seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice. Consumers must submit a claim in order to receive free credit monitoring or cash reimbursements.
Equifax will have to spend at least $1 billion over five years to enhance its cybersecurity practices.
On top of that, Equifax will have to pay a $100 million fine to the CFPB, and pay tens of millions of dollars to states and territories to settle those lawsuits as well.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
Consumer advocates were generally positive on the settlement, but had concerns on the timescale of the settlement. Because the thieves stole permanently identifiable information like Social Security numbers and birthdates, the data could be used for decades to commit identity theft.
“What happens if a consumer is the victim of ID theft in the fifth year resulting from the breach, which costs the consumer tens of thousands of dollars?,” said Chi Chi Wu, staff attorney at National Consumer Law Center.
The settlement must still be approved by the federal district court in the Northern District of Georgia.
Utah gets over $1 million
Equifax will pay $1,422,915.91 to Utah in the settlement, according to a press release from the Utah Attorney General's office.
“I’m pleased Equifax will take serious steps to protect and reimburse consumers, even if it comes only after one of the worst lapses of consumer data protection in our history,” Utah Attorney General Sean Reyes said in the release.
“While this is a historical settlement in terms of amount and conditions required, it is quite appropriate for the severity of the conduct.” - Sean Reyes, Utah Attorney General
He urged Utahns affected by the breach to take advantage of Equifax’s agreement to pay for credit monitoring, identity theft protection and other measures and reimbursements. The data breach affected over 1.2 million Utahns.
“Just the fear and uncertainty alone from a breach victimizes those whose data is compromised. I’m hopeful this offers some measure of relief to Utahns whose lives have been disrupted or even more significantly damaged," he said.
Once the settlement is approved, people can find out whether they're eligible for compensation and if so, submit claims at EquifaxBreachSettlement.com or call 1-833-759-2982, toll free.
The announcement Monday confirms a report by The Wall Street Journal that the credit reporting agency had reached a deal with the U.S.
- Q: How do I know if I am covered by the settlement?
A: Once the class action court approves the settlement, Equifax will provide a lookup tool on the settlement website (www.EquifaxBreachSettlement.com) that you can use to determine whether you are affected by the data breach. You will be required to input the last 6 digits of your Social Security Number that Equifax will use only to determine whether you are one of the affected consumers.
- Q: I am an eligible consumer who wants to make a claim from the settlement fund. How do I make a claim?
A: You can make a claim through the settlement website (www.EquifaxBreachSettlement.com) once the court approves the settlement. This is the simplest and quickest way to file a claim. However, you also can request a paper claim form via the settlement website or by calling (1-833-759-2982). The deadline to file all claims will be determined once the court approves the proposed settlement and will be posted on the settlement website as soon as that information becomes available, so please check the settlement website for updated information. When you file a claim, you will receive a claim number. Please record your claim number and retain it for future reference.
- Q: I am an eligible consumer who wants to make a claim from the settlement fund. What can I request in my claim?
A: You will be able to request after the court approves the settlement, and before the deadline to be announced by the court, free credit monitoring and reimbursement for money and time spent addressing the data breach. Specifically, you can:
- Sign up for the free 10 years of credit monitoring that Equifax is offering. It consists of at least 4 years of three-bureau credit monitoring that monitors your credit report with Equifax, Experian, and TransUnion, followed by up to 6 years of single bureau credit monitoring of your Equifax credit report;
- Request reimbursement for:
Time spent trying to avoid or recover from identity theft (up to 20 total hours at $25 per hour); Money spent trying to avoid or recover from identity theft (such as money paid to freeze or unfreeze your credit report, money paid to a professional for identity theft services, postage, etc.; and If you do not wish to utilize the offered free 10 years of credit monitoring, you can request reimbursement of up to $125 for what you spent to purchase alternative credit monitoring services. Also, all affected consumers are eligible to use the free offered Identity Restoration services at any time during the extended claims period. The court will determine the deadline to file a claim during the extended claims period once it approves the proposed settlement. Affected consumers do not need to enroll in this service in order to be able to use it.
- Q: When is the deadline to file a claim against the settlement fund?
A: The deadline is not yet set, but the court will determine the deadline if it approves the proposed settlement. Please check the settlement website (www.EquifaxSettlementBreach.com ) for updates on the claims deadlines and other documents associated with the settlement.
- Q: I filed a claim against the settlement fund. How can I find out about the status of the claim?
A: The settlement administrator will contact you when a decision is made about your claim. Also, you can check the status of your claim at www.EquifaxBreachSettlement.com. Please be prepared to enter your claim number that the settlement administrator provided to you when you filed your claim.
- Q: I have questions about the Equifax settlement. Where can I get information about the settlement?
A: You can go to www.EquifaxBreachSettlement.com for information about the settlement and to view important documents associated with the settlement. Also, you can call (1-833-759-2982) to obtain information about the settlement. Utah consumers who have questions that were not answered by the website or toll-free number may contact the Utah Office of the Attorney General, Constituent Services, at 801-366-0260 or firstname.lastname@example.org.
- Q: I am concerned about identity theft. How can I place a freeze on my credit report?
A: Credit freezes are free of charge, and in order to place a freeze on your credit report, you must contact each of the major consumer reporting agencies directly and identify yourself to them. A credit freeze prevents companies from viewing your credit report if they are considering granting credit unless you prove to them that you are who you say you are. It can help protect you from identity thieves who are trying to open a credit account in your name. The consumer reporting agencies are not permitted to charge you any fee to place or lift the freeze. You should know that if you plan to apply for credit when you have a freeze in place, there may be a delay in processing your credit application while you request that the credit freeze be lifted. You can find instructions on how to place a credit freeze here: https://www.consumer.ftc.gov/blog/2018/09/free-credit-freezes-are-here.
Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.