On July 22, 2019 the Federal Trade Commission (FTC) announced that Equifax Inc. had agreed to pay at least $575 million, and potentially up to $700 million, as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories. The settling parties alleged that the credit reporting company’s failure to take reasonable steps to secure its network led to a 2017 data breach that affected approximately 147 million people. A complaint filed by the FTC alleged that Equifax failed to secure the massive amount of personal information stored on its network, leading to a breach that exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information that could be used for identity theft and fraud.
As part of the proposed settlement, Equifax will pay $300 million into a fund that will provide affected consumers with credit monitoring services and compensate consumers for their losses. It will add up to $125 million to the fund if the initial payment proves insufficient. Equifax has also agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the CFPB in civil penalties. Equifax will also provide all U.S. consumers with six free credit reports each year for seven years, in addition to the one free report each of the nationwide credit reporting agencies is already required to provide by law.
According to the FTC, Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database, which handles inquiries from consumers about their personal credit data. Even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, Equifax did not follow up to ensure the order was carried out by the responsible employees. In fact, Equifax did not discover that its ACIS database was unpatched until July 2017, when its security team detected suspicious traffic on its network.
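The failure the FTC describes is a verification gap: a 48-hour patch order was issued, but nobody reconciled the order against the actual state of the fleet, so an unpatched system sat exposed for months. The following is an added example, not part of the FTC order or of any Equifax tooling, showing the kind of patch-SLA reconciliation a security team can run against an asset inventory so that "ordered" and "done" are never conflated. The package name, version numbers, host names and timestamps are constructed placeholders; the page does not identify the vulnerable component or the exact dates, and nothing here should be read as describing the real ACIS system.

```python
"""Patch-SLA reconciliation over an asset inventory (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PATCH_SLA = timedelta(hours=48)          # the 48-hour order described in the text
INVENTORY_MAX_AGE = timedelta(hours=24)  # assumption: older scan data is not trusted


@dataclass
class Advisory:
    package: str            # component named in the advisory (placeholder name)
    fixed_version: str      # first non-vulnerable version
    alert_time: datetime    # when the security team received the alert


@dataclass
class Host:
    name: str
    packages: dict          # package name -> installed version string
    last_inventory: datetime  # when this host's inventory record was collected


def parse_version(v: str) -> tuple:
    """'5.1.3' -> (5, 1, 3, 0): pad to four fields so '5.2' == '5.2.0';
    non-numeric fields (e.g. 'rc1') sort below 0 so pre-releases rank lowest."""
    parts = [int(p) if p.isdigit() else -1 for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(installed: str, fixed: str) -> bool:
    return parse_version(installed) < parse_version(fixed)


def patch_status(hosts, advisory, now):
    """Classify every host. A host only counts as 'patched' when a fresh
    inventory record shows a fixed version installed; stale records are
    flagged for rescan instead of being assumed compliant."""
    deadline = advisory.alert_time + PATCH_SLA
    report = {"not_affected": [], "patched": [], "open_within_sla": [],
              "overdue": [], "stale_inventory": []}
    for h in hosts:
        if advisory.package not in h.packages:
            report["not_affected"].append(h.name)
        elif now - h.last_inventory > INVENTORY_MAX_AGE:
            report["stale_inventory"].append(h.name)
        elif not is_vulnerable(h.packages[advisory.package], advisory.fixed_version):
            report["patched"].append(h.name)
        elif now <= deadline:
            report["open_within_sla"].append(h.name)
        else:
            report["overdue"].append(h.name)
    return report


def sample_report():
    """Constructed fleet and advisory; dates and names are placeholders."""
    utc = timezone.utc
    alert = datetime(2017, 3, 10, 9, 0, tzinfo=utc)
    now = datetime(2017, 3, 14, 9, 0, tzinfo=utc)      # 96 h after the alert
    advisory = Advisory("portal-framework", "5.2.0", alert)
    hosts = [
        Host("web-01", {"portal-framework": "5.1.3"}, datetime(2017, 3, 14, 8, 0, tzinfo=utc)),
        Host("web-02", {"portal-framework": "5.2.0"}, datetime(2017, 3, 14, 8, 0, tzinfo=utc)),
        # last scanned before the alert: its "5.1.3" may or may not still be true
        Host("web-03", {"portal-framework": "5.1.3"}, datetime(2017, 3, 9, 8, 0, tzinfo=utc)),
        Host("db-01", {"database-engine": "11.4"}, datetime(2017, 3, 14, 8, 0, tzinfo=utc)),
    ]
    return patch_status(hosts, advisory, now)


if __name__ == "__main__":
    for state, names in sample_report().items():
        print(f"{state:16s} {', '.join(names) or '-'}")
```

The point of the `stale_inventory` bucket is that a host whose last scan predates the patch order is not evidence of anything; treating it as "patched" reproduces exactly the gap in the text. An operational version of this would run on a schedule until `overdue` and `stale_inventory` are both empty, and page the owning team rather than a mailbox when they are not.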
A copy of the proposed order appears at: https://www.ftc.gov/system/files/documents/cases/172_3203_equifax_proposed_order_7-22-19.pdf