Equifax Settles FTC, States' Breach Investigation

The Federal Trade Commission said Monday that Equifax has agreed to pay "at least" $575 million, and as much as $700 million, to settle with the FTC and all 50 states and U.S. territories for allegedly failing to reasonably protect its "massive amount of personal information" on its network against a 2017 data breach that affected about 147 million people.

But at least one high-profile Democrat saw it as another case of the FTC under-penalizing an edge provider. Most of the money goes toward credit monitoring, with only $100 million in civil penalties.

The FTC said $300 million of the settlement will go toward a fund to pay for credit monitoring services for the affected people, including reimbursing those who paid Equifax or others for such monitoring after the breach.

The company will also pay $148 million to the states and territories and $100 million to the CFPB in civil penalties.

Equifax will put in another $125 million if the initial $300 million doesn't cover all that credit monitoring, which would push it to $700 million.

The company will also provide six free credit reports per year to all U.S. consumers in addition to the one it advertises now.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC chair Joe Simons of the settlement. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

As part of the settlement, Equifax is also required to:

1. Designate an employee to oversee the information security program;

2. Conduct annual assessments of internal and external security risks and implement safeguards to address potential risks, such as patch management and security remediation policies, network intrusion mechanisms, and other protections;

3. Obtain annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements;

4. Test and monitor the effectiveness of the security safeguards; and

5. Ensure service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data.

The FTC launched the investigation back in 2017.

The information involved included "names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers," the company said at the time, adding: "In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed."

Rep. Frank Pallone (D-N.J.), chairman of the powerful House Energy & Commerce Committee, was not assuaged by the government's response to that massive breach.

"This settlement does not come close to making consumers whole and, once again, shows the limitations on the FTC's ability to seek strong penalties and effective redress for consumers," he said. "It also shows that we need a comprehensive data privacy and security law to ensure companies are designing their systems to protect consumer privacy from the start, minimizing the personal information they keep, and are held appropriately accountable if they fail."

Sen. Amy Klobuchar (D-Minn.) was similarly focused on what Congress should do.

"While this settlement may help compensate people affected by the breach, it doesn’t adequately address the broader problem of lax data security," said the senator. "Congress must act to ensure that a breach of this magnitude never happens again. We can start by passing my privacy legislation to protect online information, increase transparency and hold big companies like Equifax accountable when they fail to safeguard user information.”