Equifax to pay up to $700M following AG investigation

Equifax must provide up to $425M in restitution for consumers, improve security practices

OLYMPIA, WA (STL.News) – Washington State Attorney General Bob Ferguson, along with 49 other attorneys general, yesterday announced that credit-reporting agency Equifax will pay more than half a billion dollars because of a 2017 data breach affecting nearly 150 million individuals nationwide.  This is the largest data breach enforcement action in U.S. history.

“Equifax handles Washingtonians’ personal data, and we expect them to keep that information safe,” said Ferguson.  “This resolution holds Equifax accountable to the millions of individuals who had their information stolen.”

As part of resolutions with Washington, 49 other attorneys general, the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission and private parties, Equifax will pay $175 million to the states, up to $425 million to affected consumers and a $100 million penalty to the CFPB.  Washington will receive more than $3.7 million, which will go toward continued enforcement of state data security and privacy laws.  If the number of consumers filing claims results in less than the maximum restitution payments from the nationwide fund, the Attorney General’s Office may use its payment to provide additional funds to Washingtonians.

Affected consumers will have the opportunity to file a claim and receive a part of the up to $425 million in restitution.  The resolution and claims process are subject to the court’s approval.  Once approved, Washingtonians who believe they were victims of the Equifax breach can submit a claim at www.equifaxsettlementbreach.com or call 833-759-2982 for more information.

Equifax is one of three major credit-reporting agencies that provide credit ratings for individuals nationwide.  From May 2017 through July 2017, hackers had access to Equifax’s network, affecting approximately 148 million consumers across the United States.  The hackers accessed the private information of more than 3 million Washingtonians, including their social security numbers, birth dates, credit card numbers and addresses.

In a complaint to be filed today, Ferguson asserts that despite being alerted to a vulnerability in its network and to ways to fix it, Equifax failed to put procedures in place to fix the security issues that led to the breach.  A multistate investigation also found that the credit-reporting agency failed to follow industry standards for protecting individuals’ personal information, for example by saving personal information in unsecure locations and not encrypting passwords.

The Attorney General asserts that Equifax’s failure to protect Washingtonians’ information violated the state Consumer Protection Act.

Corporate reforms

Affected Washingtonians can submit a claim online, or request a paper form to send by mail, at www.EquifaxBreachSettlement.com or by calling 833-759-2982.  To receive email updates regarding the launch of this online registry, consumers can sign up at www.ftc.gov/equifax-data-breach.  Today’s resolution proposes that the nearly 150 million individuals affected by the breach can request free credit monitoring provided by Equifax and reimbursement up to $20,000 per consumer for:

  • losses from unauthorized charges to your accounts;
  • time spent trying to avoid or recover from identity theft, up to 20 total hours at $25 per hour;
  • money spent trying to avoid or recover from identity theft, including fees to freeze or unfreeze credit, professional identity theft services costs or postage;
  • fees paid to professionals such as accountants or attorneys;
  • up to 25 percent of the cost of Equifax credit monitoring and related services between September 7, 2016, and September 7, 2017; and
  • reimbursement of $125 for those who already have credit monitoring and decline the credit monitoring services offered as part of the resolution.

The proposed restitution is subject to the court’s approval.

Equifax will provide free credit monitoring to affected individuals for ten years, including $1 million of identity theft insurance, and up to six additional years of free credit monitoring of the consumer’s Equifax credit report.  Individuals under 18 years old at the time of the breach will receive 18 years of free credit monitoring.

In addition to free credit monitoring, affected individuals who become victims of identity theft may be eligible for free services to help restore their identity for seven years.

Starting in 2020, for seven years, all consumers can request six additional credit reports from Equifax every 12 months at no cost.  Federal law allows individuals to request one free report every 12 months.

For three years, Equifax must have adequate staffing and resources available for consumers affected by the breach.  It also must provide informational resources on how to request a fraud alert or security freeze and what consumers should do if they believe they are a victim of identity theft.

Equifax must improve security measures to prevent a data breach in the future.  Equifax must implement an “Information Security Program,” which will limit the collection and use of individuals’ private information, such as social security numbers.  The resolution requires Equifax to put technical safeguards in place to protect personal information and complete independent, third-party compliance assessments for the next six years.

Washington was a member of the executive committee in the multistate investigation.  Assistant Attorneys General Shidon Aflatooni and Tiffany Lee are lead attorneys on the case for Washington state.