Credit reporting services provider Equifax has agreed to pay up to $650 million to settle federal and state investigations into a major data breach that took place in 2017.
Pete Schroeder had the news for Reuters:
Credit-reporting company Equifax Inc will pay up to a record $650 million to settle U.S. federal and state probes into a massive 2017 data breach of personal information, authorities said on Monday.
The largest-ever settlement for a data breach draws to a close multiple probes into Equifax by the Federal Trade Commission, the Consumer Financial Protection Board and nearly all state attorneys general. It also resolves pending class-action lawsuits against the company.
“This company’s ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population,” New York Attorney General Letitia James said in a statement.
The BBC provided a breakdown of the settlement:
At least $300m will go towards paying for identity theft services and other related expenses run up by the victims.
This sum will expand to a maximum of $425m if required to cover the consumers’ losses.
The rest of the money will be divided between 50 US states and territories and a penalty paid to the Consumer Financial Protection Bureau.
“Equifax failed to take basic steps that may have prevented the breach,” said the FTC’s chairman Joe Simons.
“This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
Washington Post’s Tony Romm had the details on the agreement between the credit reporting company and state and federal authorities:
Under an agreement with the attorneys general from 48 states as well as the District of Columbia and Puerto Rico, Equifax will set aside up to $425 million to reimburse victims of the breach, including those who experienced identity theft. Equifax also will offer 10 years of credit-monitoring services to consumers who have been harmed, invest more heavily in its own cybersecurity and pay $175 million to the states themselves, officials said. They described the penalty as the most significant they’ve ever levied in response to an organization that broke state data-security laws.
Equifax also has agreed to pay an additional $100 million to settle a federal investigation at the Consumer Financial Protection Bureau, the agency said Monday. The Federal Trade Commission, meanwhile, is requiring the company to implement a new security program and submit to 20 years of regular, third-party checkups. Future security mishaps that violate the settlement could lead to additional fines from the agency.
