Today, the FTC announced that Equifax, Inc. will pay at least $575 million (and potentially up to $700 million) as part of a proposed global settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories. Their complaint alleges that Equifax failed to take reasonable steps to secure its network in ways that led to a 2017 data breach affecting approximately 147 million people. The proposed settlement will be filed along with a complaint today in the U.S. District Court for the Northern District of Georgia.
As part of the proposed settlement, Equifax will pay $300 million to a fund which will provide affected consumers with credit monitoring. It will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the breach. Equifax will add up to $125 million if the initial payment proves insufficient. The company also has agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the CFPB in civil penalties.
In addition to the monetary penalties, beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years—in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide.
Equifax must also implement a comprehensive information security program under which it will be required to, among other things, implement the following:
- Designate an employee to oversee the information security program;
- Conduct annual assessments of internal and external security risks and implement safeguards to address potential risks, such as patch management and security remediation policies, network intrusion mechanisms, and other protections;
- Obtain annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements;
- Test and monitor the effectiveness of the security safeguards; and
- Ensure service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data.
Under the proposed settlement, Equifax must obtain third-party assessments of its information security program every two years. The assessments must specify evidence supporting its conclusions and must include independent sampling, employee interviews, and document reviews. The order grants the FTC authority to approve the third-party assessor for each two-year assessment period. Equifax must also provide an annual update to the FTC about the status of the consumer claims process.
The Commission authorized the filing of the complaint and proposed order in a 5-0 vote.