Credit rating agency Equifax will pay up to $700 million in fines as part of a massive settlement over the company's 2017 data breach.
Equifax will pay at least $575 million under the data breach settlement, which was agreed to with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and 50 U.S. states and territories. Of that amount, $300 million will be devoted to funding credit monitoring services for affected consumers and to reimbursing individuals who purchased credit or identity monitoring services from Equifax or other parties as a result of the breach. The company may have to pay an additional $125 million if the initial fund isn't enough to compensate consumers, according to the settlement.
In addition, the data breach settlement will require Equifax to pay $175 million to 48 states, the District of Columbia and Puerto Rico, plus $100 million in civil penalties to the CFPB.
During a press conference Monday morning, FTC Chairman Joseph Simons said the data breach settlement with Equifax was only possible by partnering with the CFPB and various states and U.S. territories because, despite the scope and severity of the Equifax breach, the FTC can't impose a civil penalty for a first-time violation of the FTC Act, only for repeat offenders such as Facebook.
"Fortunately, other agencies were able to fill in the gap, this time. That will not always be the case, which sends the wrong signal regarding deterrence," said Simons, who urged Congress to pass legislation that would allow the FTC to seek civil penalties for first-time data security violations.
FTC allegations against Equifax
The 2017 Equifax breach exposed personal data of more than 145 million consumers, including names, birth dates, addresses and Social Security numbers, while more than 200,000 payment card numbers and expiration dates were also exposed. The breach was attributed to a critical Apache Struts vulnerability that was left unpatched on the company's Automated Consumer Interview System (ACIS).
The FTC said Equifax's inadequate infosec posture allowed the threat actors to move freely through the company's network and obtain and exfiltrate data without being detected. The FTC alleged the company engaged in unfair and deceptive practices because Equifax publicly claimed it had "safeguards" and policies that protected sensitive consumer data.
Kathleen Kraninger, director of the CFPB, said in the days after Equifax's disclosure, more than 6,000 consumers contacted the bureau about the breach and the company's response.
"The bureau and the FTC and state partners launched an investigation into how the Equifax breach happened and the company's response," she said during the press conference. "After a 20-month investigation, we alleged that Equifax, through unfair and deceptive practices, broke the law before and after the breach."
Maryland State Attorney General Brian Frosh called the Equifax breach "one of the largest in U.S. history and perhaps the most dangerous," adding that the incident was "aggravating" because most of the consumers who were affected weren't Equifax customers and hadn't given their information directly to the company.
"Most of us did not sign up for Equifax's social network or email or use its search engine," Frosh said. "We didn't choose Equifax. Equifax chose us."
Equifax settlement requirements
Under the data breach settlement, Equifax agreed to "implement a comprehensive information security program" and meet additional requirements, including designating an employee to run the infosec program; conducting annual assessments of security risks; and implementing safeguards to address risks "such as patch management and security remediation policies, network intrusion mechanisms and other protections."
In addition, Equifax must ensure third-party service providers that access personal data in Equifax's network implement adequate safeguards to protect the data. The agreement also requires the company to obtain a third-party assessment of its infosec program every two years; the FTC has the authority to approve or reject the assessor Equifax selects.
The FTC voted 5-0 in favor of the proposed data breach settlement, which will be filed in U.S. District Court for the Northern District of Georgia for final approval.
Frosh said the settlement has implications beyond the penalties and requirements imposed on Equifax. "It sets a standard for credit reporting agents," he said. "We intend to hold other credit reporting agencies responsible for protecting our data just as we are holding Equifax responsible."