Equifax's $700 million data breach settlement spurs calls for new rules

By Pete Schroeder

WASHINGTON (Reuters) - Credit-reporting company Equifax Inc will pay up to $700 million to settle claims it broke the law with a massive 2017 data breach and to repay harmed consumers, in a landmark settlement that could spur new consumer data rules.

The largest-ever settlement for a data breach draws to a close multiple probes into Equifax by the Federal Trade Commission, the Consumer Financial Protection Bureau and nearly all state attorneys general. It also resolves pending class-action lawsuits against the company.

Shares in Equifax, which is one of three major credit reporting companies, were up 0.8 percent in late trading on Monday.

Roughly 147 million people had personal information, including Social Security numbers and driver’s licence data, compromised by the breach, one of the largest in history. The hackers have never been identified.

More from News & Analysis

What is the US HIRE Bill and why is India’s $250-billion IT sector worried? Is the internet dead? What's this theory that OpenAI's Sam Altman says might be true?

While Equifax said on Monday it saw no evidence the stolen information had been used in identity thefts, regulators ordered it to set aside funds to repay consumers who spent time or money protecting themselves as a result of the breach.

The company will establish a $300 million restitution fund which could climb to $425 million depending on how many people file claims. Only consumers who can show they suffered direct costs following the breach, either from identity theft or by purchasing credit-monitoring services, will be eligible for restitution, which will be capped at $20,000 per person.

Equifax CEO Mark Begor told reporters on Monday he expected that the initial $300 million, which will also cover the costs of a decade of free credit monitoring for affected consumers, would be sufficient. The company will set aside another $80.5 million to cover litigation costs.

In addition, the company will pay a $175 million fine to the states and $100 million to the CFPB.

Consumer advocates said the settlement was modest given the huge number of people affected.

“It’s a parking ticket, not a penalty,” said Ed Mierzwinski, a senior director at Washington-based U.S. Public Interest Research Group in an email, who added that consumers should not have to jump through hoops to receive compensation.

Others questioned if the fund would be sufficient given the long-term risks of having a Social Security number exposed.

“One huge concern is the long-term consequences of the Equifax breach. The settlement provides some compensation right now, but the risk of identity theft is forever,” said Chi Chi Wu, attorney for the National Consumer Law Centre.

Speaking to reporters, FTC chairman Joe Simons said the agency also wanted to impose a monetary penalty, but the law does not allow it to fine companies for their first offence, an issue he has called on Congress to fix.

“Fortunately, other agencies were able to fill in the gap this time. But under different circumstances, future breaches might not always be subject to civil penalties, which sends absolutely the wrong signal regarding deterrence,” he said.

POTENTIAL LEGISLATION

Equifax disclosed in 2017 that a data breach had compromised the personal information, including Social Security numbers, of 143 million Americans. Including Canadian customers, around 147 million consumers were affected in total.

The scandal sent the company into turmoil, leading to the exit of its then-chief executive, Richard Smith, and multiple congressional hearings as the company’s slowness to disclose the breach and security practices were challenged by lawmakers.

Policymakers and consumer groups have questioned how private companies could amass so much personal data, setting off efforts to bolster consumers’ ability to protect and control their information. Both the Senate Banking and House Financial Services Committees are currently considering legislation that would require companies to better protect consumer data.

“We need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again,” Democratic Senator Mark Warner said in a statement.

Equifax took a $690 million charge in the first quarter to cover the anticipated fine, and plans to set aside another $11 million in the second quarter. Begor told reporters on Monday the company was overhauling its processes and culture to put consumers first, and was committing $1.25 billion to bolster its data security.

Equifax has also agreed as part of the settlement to several new measures, including reviews of its security policies by a government-appointed third party. Equifax’s board will also be required to certify annually that the company has complied with standards laid out in the settlement, and could be fined if it falls short.

(Reporting by Pete Schroeder; additional reporting by Katanga Johnson; Editing by Peter Cooney, Michelle Price, Nick Zieminski and Jonathan Oatis)

This story has not been edited by Firstpost staff and is generated by auto-feed.