Credit-reporting company Equifax, Inc will pay up to $700m to compensate harmed consumers – and settle claims that it broke the law with a massive 2017 data breach – in a landmark settlement that could spur new consumer data rules in the United States.
The largest-ever settlement for a data breach brings to a close multiple probes into Equifax by the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and most state attorneys general. It also resolves pending class-action lawsuits against the company.
Shares in Equifax, which is one of three major credit reporting companies in the US, were up 0.8 percent in late trading on Monday.
Roughly 147 million people had information – including Social Security numbers and driver’s licence data – compromised by the breach, which was one of the largest in history. The hackers have never been identified.
While Equifax said on Monday that it saw no evidence the stolen information had been used in identity thefts, regulators said the company did not do enough to protect the data and misled consumers about how secure it was. Regulators ordered Equifax to set aside funds to repay consumers who spent time or money protecting themselves as a result of the breach.
The company will establish a $300m restitution fund that could climb to $425m depending on how many people file claims. Only consumers who can show they suffered direct costs following the breach – either from identity theft or by purchasing credit-monitoring services – will be eligible for restitution, which will be capped at $20,000 per person.
Equifax CEO Mark Begor told reporters on Monday that he expected the initial $300m, which will also cover the costs of a decade of free credit monitoring for affected consumers, would be sufficient. In an interview on Monday afternoon with CNBC, Begor said the fund could be up and running by the end of the year.
The company will also pay a $175m fine to the states and $100m to the CFPB.
Consumer advocates said the settlement was modest given the number of people affected.
“It’s a parking ticket, not a penalty,” Ed Mierzwinski, a senior director at Washington-based US Public Interest Research Group, said in an email. He added that consumers should not have to jump through hoops to receive compensation.
Others questioned whether the fund would be sufficient given the long-term risks of having a Social Security number exposed.
“The settlement provides some compensation right now, but the risk of identity theft is forever,” said Chi Chi Wu, an attorney for the National Consumer Law Center.
Speaking to reporters, FTC Chairman Joseph Simons said that the agency also wanted to impose a monetary penalty, but that the law does not allow it to fine companies for their first offence – an issue he has called on the US Congress to fix.
“Fortunately, other agencies were able to fill in the gap this time. But under different circumstances, future breaches might not always be subject to civil penalties, which sends absolutely the wrong signal regarding deterrence,” he said.
A spokeswoman for the attorney general of Massachusetts – which, along with Indiana, is not participating in the settlement – said its litigation against the company was ongoing. “Equifax must pay a penalty commensurate with the worst data breach in American history,” she said.
Equifax disclosed in 2017 that a data breach had compromised the personal information, including Social Security numbers, of 147 million people.
The scandal sent the company into turmoil, leading to the exit of its then-chief executive, Richard Smith, and to multiple congressional hearings as lawmakers challenged the company’s slowness to disclose the breach and its security practices.
Policymakers and consumer groups have questioned how private companies could amass so much personal data, sparking efforts to bolster consumers’ ability to control their information. Both the Senate banking and House financial services committees are considering legislation that would require companies to better protect consumer data.
“We need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again,” Democratic Senator Mark Warner said in a statement.
Equifax CEO Begor told reporters on Monday that the company was overhauling its processes to put consumers first and was committing $1.25bn to bolster its data security.
As part of the settlement, Equifax has also agreed to several new measures, including reviews of its security policies by a government-appointed third party. Equifax’s board also must certify annually that the company has complied with the settlement terms, and could be fined if it neglects to take this measure.