Equifax has agreed to pay at least $575 million to the US Federal Trade Commission, the Consumer Financial Protection Bureau, 48 states, the District of Columbia and Puerto Rico over its massive 2017 data breach. If that isn’t enough to compensate people affected by the breach, the credit reporting company could have to pay up to $700 million — a figure we reported on Friday.
The settlement, announced Monday, includes $300 million for a fund that provides affected consumers with credit monitoring services and compensates those who bought credit or identity monitoring services in the wake of the breach. If that doesn’t cover the losses, Equifax will add up to $125 million to the fund. It’s also agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million in civil penalties to the CFPB. Two states, Indiana and Massachusetts, are not part of the deal, according to The New York Times. Indiana and Massachusetts have filed their own lawsuits against Equifax over the breach.
Hackers stole the personal information — including Social Security numbers and home addresses — of nearly 148 million Americans from Equifax’s servers in a data breach that ran from May to July 2017. A December 2018 House Oversight Committee report called the breach “entirely preventable,” saying Equifax didn’t and wasn’t prepared for the aftermath.
“Equifax’s data breach put over 100 million Americans at risk by exposing their Social Security numbers and other personal information,” Rep. Frank Pallone, chairman of the House Energy and Commerce committee, said in a statement. “This settlement does not come close to making consumers whole and, once again, shows the limitations on the FTC’s ability to seek strong penalties and effective redress for consumers.”
Equifax suffered its hack after failing to patch a vulnerability that it was warned about in March 2017. It didn’t learn that its systems were exposed to attacks until four months later, in July 2017, when it was hacked.
Part of the settlement will require Equifax to implement security standards like annual tests to address its vulnerabilities and risks, including making sure its systems’ patches are updated. Equifax will also need to ensure that third parties that work with it are safe from cyberattacks.
In addition, the settlement will require Equifax to get third-party audits on its security every two years, and the FTC must approve the testing.
“Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers,” FTC Chairman Joe Simons said in a statement. “This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
The FTC also required Equifax to have a designated employee in charge of its cybersecurity program. At the Black Hat cybersecurity conference in 2018,, told CNET the company was going through a major shift to regain the public’s trust, spending $200 million on its cybersecurity program last year.
The agencies decided on that amount for the settlement so that Equifax had enough money to improve its cybersecurity, Kathy Kraninger, the CFPB’s director, said at a press conference on Monday.
“We do want to make sure that we’re not bankrupting the company or making the company go out of business,” she said.
Equifax didn’t, and two before the hack was public knowledge. In June, and sentenced to four months in prison.
New York Attorney General Letitia James criticized Equifax for “putting profits over privacy and greed over people.”
“This company’s ineptitude, negligence, and lax security standards endangered the identities of half the US population,” she said in a statement.
At a press conference, Maryland’s attorney general, Brian Frosh, said the settlement would set the standard for other credit reporting agencies if they suffer a breach in the future.
“The principal cause of the breach was Equifax’s failure to patch critical vulnerabilities in its network. That persisted for 76 days,” Frosh said. “Maybe even more aggravating is the fact that most of the victims were not Equifax customers.”
Equifax was also publicly criticized for how it responded to the hack’s aftermath, especially a website for people to check whether they were affected, which returned random results. Security researchers found that the website could easily be spoofed, allowing potential hackers to trick more Equifax victims.
The FTC set up a page for Equifax breach victims to file claims against the company, which could mean up to $20,000 in cash payments for people affected by the hack. Victims would receive the money for expenses from the breach, including losses from accounts, fees paid for accountants and attorneys, as well as time spent dealing with the breach. The settlement requires Equifax to pay up to $25 per hour for victims who can prove they were affected by the hack.
“Any identity theft that occurred with the same type of data stolen after the breach will be reimbursable,” Kraninger said.
Equifax CEO Mark Begor said in a release that the settlement is “a positive step” for US consumers and the company.
“The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter,” he said.
Sens. Elizabeth Warren and Mark Warner have introduced legislation that would hold companies like Equifax accountable for future data breaches.
“Americans don’t choose to have companies like Equifax collecting their data — by the nature of their business models, credit bureaus collect your personal information whether you want them to or not,” Warner, a Democrat from Virginia, said in a statement. “In light of that, the penalties for failing to secure that data should be appropriately steep.”
He called for structural reforms on how credit reporting agencies are held accountable, to make sure that breaches like Equifax’s wouldn’t happen again.
Sen. Ron Wyden, a Democrat from Oregon, also said the FTC order wouldn’t be enough for Equifax.
“In a just world, these executives would be going to jail. No one should be able to collect deeply sensitive information on 200 million people without their consent, treat it with reckless disregard and then just pay a fine when a predictable, easily avoidable hack takes place,” Wyden said in a statement.
In November, Wyden introduced a bill that would jail CEOs for lying about privacy protections and give the FTC more power to penalize companies.
Sen. Ed Markey, a Democrat from Massachusetts, also criticized the settlement, writing in a tweet that it was “far from an adequate solution.”
At a press conference, Simons noted that the settlement was only possible through working with the state attorneys general and the CFPB, pointing out that the FTC didn’t have power to seek civil penalties on first offenses.
“I renew my call for Congress to enact federal legislation that gives the FTC authority to seek penalties for first-time violations,” Simons said.
Originally published July 22, 5:02 a.m. PT.
Updates, 5:50 a.m. PT: Adds more detail. 6:23 a.m. PT: Adds information about the settlement and Equifax’s breach. 6:46 a.m. PT: Adds remarks from lawmakers. 7:45 a.m. PT: Adds details from the FTC’s press conference. 9:36 a.m. PT: Adds statement from Wyden. 11:43 a.m. PT: Adds statement from Markey.
Correction, 12:41 p.m. PT: An earlier version of this story misstated the number of states that are involved in the settlement. It’s 48.