Equifax Agrees to Largest Ever Data Breach Settlement
In connection with the massive 2017 Equifax data breach which affected more than 147 million consumers, a global settlement has been reached to resolve a multi-district consumer action as well as a suit brought by the Federal Trade Commission. Equifax, one of the largest consumer reporting agencies, was allegedly aware of a critical security vulnerability in March 2017. However, it failed to address the issue until July 2017, when suspicious traffic was detected. Ultimately, on September 7, 2017, Equifax announced a data breach involving Social Security numbers, names, dates of birth, addresses, credit card information, and even driver’s licenses.
The scope of the preliminary settlement is substantial: Equifax’s monetary obligations are well over $1 billion. To start, Equifax will create a $380.5 million fund to pay the consumer class, with an extra $125 million available, if needed. The class members will be provided certain benefits, including credit monitoring and reimbursement for fairly traceable losses. A substantial $80.5 million will also be available to class counsel for attorneys’ fees and litigation expenses. In addition, $100 million in civil penalties will be paid to the Consumer Financial Protection Bureau and another $175 million will be paid to 48 states as well as the District of Columbia and Puerto Rico. Moreover, Equifax agreed to spend a minimum of $1 billion over the next five years in order to comply with comprehensive data security requirements.
This result further highlights the importance of keeping abreast of data security best practices and reacting promptly to any potential vulnerabilities. It should also be noted that, despite this seemingly significant settlement, many commentators and members of Congress believe the settlement was insufficient. Changes in federal and state law may be forthcoming to stiffen the penalties in the event of data breaches, and it is conceivable that federal and state agencies will be even more severe in response to future breaches.