Equifax Will Pay Up to $700M to Settle 2017 Breach Claims With FTC, AGs, CFPB

Lacking authority for first-time offenses, the FTC wasn’t able to impose civil penalties against Equifax, Commission Chairman Joe Simons said at a news conference after the 5-0 commission vote. The case underscores why Congress needs to pass legislation granting the FTC civil penalty authority on first offenses, he said: The FTC can’t always rely on other agencies to fill the gap.

“Our authority is actually pretty limited with privacy,” Simons told reporters after the news conference. The agency, for instance, has no authority to tell companies how to handle and share data, he said. Asked whether the FTC plans to partner with other agencies for future cases, he said, “We love to partner with the state” attorneys general. “We’re talking to them all the time.”

Equifax CEO Mark Begor called the settlement a “positive step for U.S. consumers” as the company continues its technology and security upgrade. Equifax plans to spend about $1.25 billion on company security systems and technology, he said. There is no admission of guilt in the settlement.

Democrats called the deal inadequate, as they did the recently reported Facebook privacy settlement (see 1907120054 and 1907190041). It doesn’t “come close to making consumers whole and, once again, shows the limitations on the FTC’s ability to seek strong penalties and effective redress for consumers,” said House Commerce Committee Chairman Frank Pallone, D-N.J. He urged passing a comprehensive data privacy and security bill.

“We need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again,” said Senate Intelligence Committee ranking member Mark Warner, D-Va. He claimed if his Data Breach Prevention and Compensation Act had been in place before the breach, Equifax would have paid at least $1.5 billion.

It wasn’t the FTC’s intention to bankrupt Equifax, said Consumer Protection Bureau Associate Director-Privacy and Identity Protection Division Maneesha Mithal at the news conference. The agency wants the company to be able to assist consumers moving forward, she said.

The agreement stipulates Equifax pay up to $425 million to affected consumers, $175 million to states and territories and $100 million to the CFPB. The company will pay a minimum of $300 million to consumers and potentially an additional $125 million “if the initial payment is not enough to compensate consumers for their losses,” the FTC said.

Equifax violated the FTC Act’s rules for unfair and deceptive practices and the Gramm-Leach-Bliley Act’s Safeguards Rule by failing to maintain a comprehensive data security program, the FTC said. Information stolen in the breach included 147 million names and dates of birth, 145.5 million Social Security numbers and 209,000 payment card numbers and expiration dates, the agency said. The complaint cites a failure to implement basic security measures like vulnerability patches, database server segmentation to protect the network and a lack of “robust intrusion detection protections for its legacy databases.” The agency alleged the company “stored network credentials and passwords, as well as Social Security numbers and other sensitive consumer information, in plain text.”

This is one of the largest breaches in U.S. history, and perhaps the most dangerous, given the type of information exposed, said Maryland AG Brian Frosh (D) at the joint news conference with Simons. He noted hackers penetrated Equifax systems unnoticed for 76 days. Most victims weren’t even Equifax customers, he said: “We didn’t choose Equifax; Equifax chose us and sold our raw data.”

The settlement also includes nonmonetary penalties. Equifax will complete FTC-approved, third-party assessments of its data security program every two years, which involves independent sampling, employee interviews and document examination. The company will provide annual updates to the agency about consumer claims processing and payments. It will have to designate an employee to oversee its data security program. It’s required to implement and test data protection measures like patch management and security remediation policies and network intrusion safeguards. The FTC order directs the Equifax board to certify annually that the company is following the order. The company also will need to verify that related service providers are securing Equifax-related data.

Starting in January, Equifax will offer U.S. consumers six free credit reports annually for seven years as part of the agreement. That’s in addition to a free credit report Equifax and two other credit reporting agencies currently offer consumers.

In a “just world,” Equifax executives would be going to jail, said Sen. Ron Wyden, D-Ore. “No one should be able to collect deeply sensitive information on 200 million people without their consent, treat it with reckless disregard and then just pay a fine when a predictable, easily avoidable hack takes place,” he said.

Sen. Ed Markey, D-Mass., will reintroduce his Data Broker Accountability and Transparency Act, which would allow consumers to block data brokers from selling data for marketing purposes and require data brokers to implement “comprehensive privacy and data security programs.” The Equifax breach “wreaked havoc on consumers’ security and well-being and shed light on the need to regulate this ‘shadow’ industry of surreptitious data collection,” he said.

“Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk,” said New York Attorney General Letitia James, noting her state can collect about $9 million from the settlement. If Congress can’t “move quickly” to pass privacy legislation, “the individual states should follow the example of California and fill in the gap left by congressional inaction,” said Public Knowledge Senior Vice President Harold Feld.