Yesterday, the U.S. Federal Trade Commission (FTC) announced a proposed settlement agreement with Equifax, a national credit reporting agency, which has agreed to pay $575 million to resolve charges about its massive data breach in 2017. That breach exposed the sensitive personal and financial information of about half of all citizens in the United States. The announcement stated:
"In its complaint, the FTC alleges that Equifax failed to secure the massive amount of personal information stored on its network, leading to a breach that exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud..."
The global, proposed settlement agreement included the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories. The FTC announcement described Equifax's data security failures (emphasis added):
"The FTC alleges that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database, which handles inquiries from consumers about their personal credit data. Even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, Equifax did not follow up to ensure the order was carried out... Equifax did not discover that its ACIS database was unpatched until July 2017... A company investigation revealed that multiple hackers were able to exploit the ACIS vulnerability to gain entry to Equifax’s network, where they accessed an unsecured file that included administrative credentials stored in plain text. These credentials allowed the hackers to gain access to vast amounts of consumers’ personally identifiable information... The hackers targeted Social Security numbers, dates of birth, and other sensitive information, mostly from consumers who had purchased products from Equifax such as credit scores, credit monitoring, or identity theft prevention services. For example, hackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates. Hackers were able to access a staggering amount of data because Equifax failed to implement basic security measures... the FTC also alleges that Equifax stored network credentials and passwords, as well as Social Security numbers and other sensitive consumer information, in plain text."
A truly staggering amount. The most sensitive personal and financial information, indeed. Terms of the proposed settlement:
"... Equifax will pay $300 million to a fund that will provide affected consumers with credit monitoring services. The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach. Equifax will add up to $125 million to the fund if the initial payment is not enough to compensate consumers for their losses. In addition, beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years—in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide."
The settlement also requires that Equifax implement a "comprehensive information security plan," pay $175 million to 48 states, the District of Columbia and Puerto Rico, and pay $100 million to the CFPB in civil penalties. The comprehensive information security plan will: a) designate an employee to oversee the program; b) include an annual assessment of security risks and safeguards; c) obtain "annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order;" d) monitor the effectiveness of the security safeguards implemented; e) ensure that service providers with access to personal information stored by Equifax also implement adequate safeguards; and f) obtain third-party assessments every two years.
The CFPB also announced the proposed settlement on its website. CFPB Director Kathleen L. Kraninger said:
"Today’s announcement is not the end of our efforts to make sure consumers’ sensitive personal information is safe and secure. The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers. Too much is at stake for the financial security of the American people to make these protections anything less than a top priority."
Kraninger also encouraged consumers affected by the breach to submit their claims to receive free credit monitoring or cash reimbursements. Equifax Chief Executive Officer Mark W. Begor said:
"This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company. The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data... We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program..."
Also, Equifax has set up a website about the settlement: www.equifaxbreachsettlement.com. However, the site says it won't be fully functional until after it receives the approved court order. So, it seems best for affected consumers to deal directly with the FTC.
And, several questions remain. The Identity Theft Resource Center (ITRC) discussed the proposed settlement:
"What victims will qualify for reimbursement? How will victims provide accurate evidence of their efforts and misfortunes? Is this fund only for victims who purchased identity theft services? What is the option for victims who did not have the resources then or now to purchase paid services or avail themselves of free services like those ITRC provides? If all victims filed claims and funds were distributed equally to all 148 million people, each would receive fewer than $3.00 in funds or cost of assistance. This does not accurately reflect the true value of the data that was compromised..."
Yep. More payments by Equifax may be required.
And, the ITRC article includes an important reminder. While the Equifax offer includes a long period of free credit monitoring services -- up to 10 years versus the usual 2 -- the risk to affected consumers never goes away:
"... identity theft has no expiration date. The threat of identity theft does not decrease as more time passes from the date of the breach."
This is why it is critical for companies to deploy the strongest data security measures possible. After data breaches, consumers bear the long-term risks.
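The FTC complaint quoted above turns on one missing step: a 48-hour patch order was issued, but nobody verified that every affected system was actually patched, so one system stayed vulnerable for months. The script below is an added example of that verification step, not code from Equifax, the FTC or this article. It takes what an asset scanner observed on each host, compares it with the advisory's fixed version, and classifies every host, so that a host whose only evidence predates the deadline is flagged for a rescan rather than assumed done. The advisory, the component name "acme-webfw", the hostnames, versions and timestamps are all constructed for illustration.

```python
"""Verifying that a patch order was actually carried out.

Added example, not code from Equifax, the FTC or this article.
All advisory data, hostnames, versions and timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed advisory for a hypothetical component "acme-webfw".
ADVISORY = {
    "component": "acme-webfw",
    "fixed_version": "2.3.32",
    "alerted_at": datetime(2017, 3, 9, 9, 0, tzinfo=UTC),  # when the patch order went out
    "sla": timedelta(hours=48),
}

# Constructed scanner inventory. The ticket's "done" flag is deliberately
# not an input: the observed version is the only evidence that counts.
INVENTORY = [
    {"host": "web-01", "component": "acme-webfw", "version": "2.3.32",
     "observed_at": datetime(2017, 3, 10, 12, 0, tzinfo=UTC)},
    {"host": "web-02", "component": "acme-webfw", "version": "2.3.31",
     "observed_at": datetime(2017, 3, 12, 8, 0, tzinfo=UTC)},
    {"host": "web-03", "component": "acme-webfw", "version": "2.3.31",
     "observed_at": datetime(2017, 3, 10, 12, 0, tzinfo=UTC)},
    {"host": "acis-portal", "component": "acme-webfw", "version": "2.3.20",
     "observed_at": datetime(2017, 7, 29, 0, 0, tzinfo=UTC)},
    {"host": "db-01", "component": "postgres", "version": "9.6.2",
     "observed_at": datetime(2017, 3, 10, 12, 0, tzinfo=UTC)},
]

# Constructed "now" for the report: months after the alert, as in the FTC timeline.
NOW = datetime(2017, 7, 29, 13, 0, tzinfo=UTC)


def parse_version(v):
    """Dotted version -> tuple of ints, so that 2.3.9 < 2.3.32 compares correctly."""
    return tuple(int(p) for p in v.split("."))


def classify(entry, advisory, now):
    """Return one of: not-affected, patched, pending, unverified, overdue."""
    if entry["component"] != advisory["component"]:
        return "not-affected"
    if parse_version(entry["version"]) >= parse_version(advisory["fixed_version"]):
        return "patched"
    deadline = advisory["alerted_at"] + advisory["sla"]
    if now <= deadline:
        return "pending"       # still inside the 48-hour window
    if entry["observed_at"] <= deadline:
        return "unverified"    # last evidence predates the deadline: rescan, do not assume done
    return "overdue"           # seen vulnerable after the deadline had passed


def report(inventory, advisory, now):
    """Map host -> status and list the hosts that need action, sorted by name."""
    statuses = {e["host"]: classify(e, advisory, now) for e in inventory}
    action = sorted(h for h, s in statuses.items() if s in ("overdue", "unverified"))
    return statuses, action


def run_report():
    """Run the check over the constructed inventory at the constructed NOW."""
    return report(INVENTORY, ADVISORY, NOW)


if __name__ == "__main__":
    statuses, action = run_report()
    for host, status in statuses.items():
        print(f"{host:12} {status}")
    print("needs action:", action)
```

The point of the "unverified" state is the follow-up the FTC says was missing: a scan taken before the deadline proves nothing about whether the order was carried out afterwards, so such hosts are queued for a rescan instead of being counted as compliant.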
Last, the FTC encourages Equifax employees who believe the company fails to comply with the settlement to contact the FTC at email@example.com. Affected consumers should contact the FTC directly at the website below: