Equifax set to pay out most expensive data breach settlement to date

Equifax faces a bill of slightly more than $2 billion to settle consumer complaints stemming from the credit reporting agency’s massive 2017 data breach.

In a staggered series of court filings today that describe what would be — by far — the most expensive data breach settlement in history, Equifax committed to paying up to $700 million in a settlement with two federal consumer protection agencies, 48 states and District of Columbia and Puerto Rico, and a class action lawsuit filed on behalf of consumers.

The states are set to get $175 million — except Indiana and Massachusetts, which have separate ongoing lawsuits against Equifax — with $100 million going to the Consumer Financial Protection Bureau in the form of civil penalties. Under the terms of the proposed settlement, the Atlanta-based credit reporting agency will also spend $1.25 billion over the next three years to improve its data security.

Attorneys in the class action are set to walk away with $80 million. The company will borrow more than $1.3 billion to finance the settlements.

Political jockeying over the settlement’s significance began almost immediately, led by Federal Trade Commission Chairman Joe Simons, who called on Congress to give his agency more power.

The consumer class-action settlements involving the FTC and the CFPB will have to be approved by the judge overseeing the case in the US District Court for the Northern District of Georgia, while the settlements with the states are subject to court approval in the relevant jurisdiction, Equifax executives said during a morning press call. They predicted it will likely be early next year before the consumer class-action and other regulator settlements gain final court approval. If approved by US District Judge Thomas W. Thrash Jr., the Equifax consumer settlement would be six times the size of previous record data breach settlement — the $117 million settlement of litigation over the Yahoo data breach that was approved by a federal judge over the weekend.

The settlements are a message to companies holding consumer data that they must take security seriously, said commission Chairman Joe Simons, speaking alongside CFPB Director Kathy Kraninger during a victory-lap press conference this morning. “If they don’t, the FTC and the CFPB and the attorneys general stand ready to act,” he said.

The FTC acting by itself likely wouldn’t have been able to get Equifax to pay out nearly as much, if anything. The agency doesn’t have authority to issue civil penalties for a first violation. “Fortunately, other agencies are able to fill in the gap, this time, but that will not always be the case, which sends the wrong signal when it comes to deterrence,” Simons said.

Congress should pass data-protection legislation granting the FTC civil penalty power for first-time violations, Simons said. Lawmakers in the House and the Senate have been working on a privacy bill for months, but the likelihood of passage this year is fading.

Representative Frank Pallone, the New Jersey Democrat who chairs the House Energy and Commerce Committee, mirrored Simons’ call for privacy legislation, adding a side of criticism of the FTC.

“This settlement does not come close to making consumers whole and, once again, shows the limitations on the FTC’s ability to seek strong penalties and effective redress for consumers,” he said in a statement.

Equifax first revealed back in February that it would face a significant financial penalty from both the FTC and the CFPB. The amount the company intends to spend on data security is "a lot of money for Equifax,” Begor told reporters on a press call today.

While 147 million Americans were affected by the breach — more than half the adult population of the US — Equifax expects that no more than 7 million will seek to have the company pay for credit-monitoring services under the proposed settlements. Consumers will be able to make claims of up to $20,000 for compensation on time and expenses spent responding to the data breach.

Agency staff decided on the compensation numbers taking into consideration Equifax’s ability to pay them, Simons said.

In California, more than 15 million people were affected by the Equifax breach, about the same number of people as the combined population of the 13 smallest US states and the District of Columbia. As part of its settlement with the states, Equifax will pay more than $18.7 million to California, to support continued oversight and enforcement of consumer protection laws.

Equifax will pay even more, about $19.2 million, to the state of New York, when a separate $10 million fine to the New York Department of Financial Services is added in.

Tracing any particular case of identity theft or financial loss to the Equifax breach, which saw hackers steal the social security numbers of 147 million consumers, could well be impossible, acknowledged FTC officials.

“What we can say,” said Maneesha Mithal, head of the privacy and identity protection division of the FTC’s Bureau of Consumer Protection, “is that many millions of consumers suffered harm."

Equifax said it has seen no increase in cases of identity theft or an increase in consumer data being sold on the dark web as a result of the breach.

Equifax did not admit any fault or liability as a part of any of the settlements, which also don't hold individual executives of Equifax responsible, in part because of company turnover since 2017.

The CEO of Equifax at the time of the breach, Richard Smith, resigned in September 2017 amid the outcry over the substandard security that led to the massive breach. Besides a new CEO, Equifax has made several key personnel changes, including hiring a new chief security officer and a new chief technology officer; both now report directly to the CEO, current CEO Mark Begor said during the company's morning call with reporters.

Equifax isn't a suitable candidate for individual executive accountability, Simons said. A typical case with penalties for executives is “a closely held company, it’s small, there’s not a lot of equity in the company,” meaning the operation could easily be reconstituted, he said.

As part of the settlement, Equifax will conduct annual cybersecurity assessments. The assessments will have the same force as an audit, Simons asserted. “It’s the same thing — we just call it an assessment,” Simons said.

Critics of the agency have said the agency’s preference for “assessments” rather than audits lets companies chose the terms of their own oversight.

But the agency has tightened its assessment standards, Simons said. “We’ve started to require that there be much more testing and sampling,” he said. Asked why not require an audit conducted under audit standards, Simons replied: “To me, it’s just semantics.”

- With reporting from Amy Miller in San Francisco.