Today's Paper Latest Elections Sports Core Values Weather Newsletters Obits Puzzles Archive Story ideas iPad

Equifax to settle suits tied to breach

by COMPILED BY DEMOCRAT-GAZETTE STAFF WIRE REPORTS | July 23, 2019 at 2:55 a.m. | Updated July 23, 2019 at 2:55 a.m.
FILE - This July 21, 2012, file photo shows signage at the corporate headquarters of Equifax Inc., in Atlanta. Equifax will pay up to $700 million to settle with the Federal Trade Commission and others over a 2017 data breach that exposed Social Security numbers and other private information of nearly 150 million people. The proposed settlement with the Consumer Financial Protection Bureau, if approved by the federal district court Northern District of Georgia, will provide up to $425 million in monetary relief to consumers, a $100 million civil money penalty, and other relief. (AP Photo/Mike Stewart, File)

NEW YORK -- Equifax plans to pay at least $700 million -- and potentially much more -- to settle lawsuits over a 2017 data breach that exposed the Social Security numbers and similar sensitive information of roughly half of the U.S. population.

The settlement with federal authorities and states, reached Monday, includes up to $425 million in monetary relief to consumers, a $100 million civil penalty, and other offers to the nearly 150 million people who could have been affected. It can't, however, guarantee safety for individuals whose stolen information could circulate on the Internet for decades.

Forty-eight states -- all except Indiana and Massachusetts, which separately filed lawsuits against Equifax -- are part of the deal, along with the District of Columbia and Puerto Rico.

Arkansas' share of the settlement is more than $2.5 million, according to a release from Attorney General Leslie Rutledge's office. Consumers affected by the breach can call her office toll-free at (800) 482-8982 or email

The state's settlement share -- a total of $2,521,481.31 -- will go to the attorney general's consumer education fund and will be allocated at a later date, said Amanda Priest, the spokesman for Rutledge's office.

The breach was one of the largest to threaten Americans' private information. The Atlanta-based credit-reporting company didn't notice the intruders targeting its databases, by exploiting a known security vulnerability that Equifax hadn't fixed, for more than six weeks.

[Video not showing up above? Click here to watch »

The compromised data included Social Security numbers, birth dates, addresses, driver's license numbers, credit card numbers and, in some cases, data from passports. The resulting scandal led to the dismissal of Equifax's then-chief executive officer and many other executives at the company.

"Companies that profit from personal information have an extra responsibility to protect and secure that data," said Federal Trade Commission Chairman Joe Simons. "Equifax failed to take basic steps that may have prevented the breach."

The incident led to calls from Capitol Hill and from consumer advocates for more oversight of the three big consumer credit-rating companies: Equifax, TransUnion and Experian. At a hearing in February, Democrats and Republicans on the House Financial Services Committee slammed the companies, as Chairman Maxine Waters, D-Calif., promised to tighten regulation of the industry.

Rep. Frank Pallone, D-N.J., who leads the committee working on privacy legislation, said Monday that the settlement "shows the limitations on the FTC's ability to seek strong penalties and effective redress for consumers" and that it illustrates the need for a privacy bill to hold companies accountable if they fail to protect data.

Equifax CEO Mark Begor said in a statement that the settlement "reinforces our commitment to putting consumers first and safeguarding their data."

Consumer advocates were generally positive on the settlement but had concerns about its deadline. Claims can only be filed for the next four years, but the data could be used for decades to commit identity theft, as the thieves stole permanently identifiable information such as Social Security numbers and birth dates.

"What happens if a consumer is the victim of ID theft in the fifth year resulting from the breach, which costs the consumer tens of thousands of dollars?" said Chi Chi Wu, staff attorney at the National Consumer Law Center.

Shares of Equifax have rebounded since the disclosure of the breach, when they plunged 30%. On Monday, Equifax's stock price closed at $137.84 -- not far from its price of $141.45 where it was trading just before the breach was disclosed on Sept. 7, 2017. Business analysts say the settlement will remove a cloud of uncertainty over Equifax's business.

It also, however, underscores that U.S. consumers are still at the mercy of the credit-reporting companies when it comes to protecting their crucial personal details. Two years after the breach, Equifax, TransUnion and Experian remain the primary repositories of the data that banks use to make credit decisions.

They face little regulation and disclose few details about their operations, despite promises to tighten security and rebuild consumer trust. People have no easy way to opt out of the data collection that puts their personal details in corporate databases.

Equifax's CEO said he has seen no evidence that the stolen data has appeared for sale on the so-called dark web and no evidence of an increase in identity theft because of the breach. The company did not provide any evidence to back up that claim.

Security experts said there's no way to know, especially in the absence of third-party validation. "You cannot determine with certainty that the information will never wind up in the hands of people who are going to use it," said Ryan Calo, a law professor at the University of Washington.

"It is a lifetime risk exposure," said Rich Mogull, CEO of the security firm Securosis, who added that the data might be useful for surreptitious uses beyond direct identity fraud.

Settlement payments will flow through a number of complex channels. Equifax will initially pay $380.5 million into a fund to cover identity theft resulting from the breach, as well as any costs related to credit monitoring. The company will pay an additional $125 million if victims' out-of-pocket expenses deplete the initial fund.

Should all 147 million affected consumers sign up for credit-monitoring services, Equifax could be on the hook for $2 billion.

For those affected by the breach, Equifax will offer free credit-monitoring services for up to 10 years, identity-restoration services for seven years, and six Equifax credit reports annually for the next seven years. That's on top of the free report that all credit-reporting companies must offer U.S. residents every year.

Those affected can also seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice. Consumers must submit claims for free credit monitoring or cash reimbursements. The settlement received preliminary approval from a federal judge Monday, and processing of claims can start today.

Equifax will have to spend at least $1 billion over five years to enhance its cybersecurity practices and will owe a $100 million fine to the Consumer Financial Protection Bureau and tens of millions of dollars to states and territories to settle their lawsuits.

For information on the terms of the settlement or to file a claim, consumers affected by the breach can go to

Information for this article was contributed by Sarah Skidmore Sell, Ken Sweet and Mae Anderson of The Associated Press; by David McLaughlin and Daniel Stoller of Bloomberg News; and by Noel Oman of the Arkansas Democrat-Gazette.

Business on 07/23/2019

Print Headline: Equifax to settle suits tied to breach


Sponsor Content