California Attorney General Xavier Becerra announced a nationwide settlement against Equifax resolving allegations that the credit reporting agency improperly exposed the personal information of 147 million consumers, including 15 million Californians, after a massive data breach in 2017. The breach occurred after Equifax failed to apply a critical software fix and implement security measures that would have protected and encrypted consumers’ data. Data exposed by the breach included names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers. Equifax did not disclose the breach, which lasted from mid-May through July 2017, until Sept. 2017. The settlement requires Equifax to pay up to $425 million into a restitution fund for affected consumers, pay another $175 million to states in penalties and offer additional benefits like credit monitoring and consumer assistance for eligible consumers. In addition to other robust injunctive terms, Equifax must implement and maintain critical data security enhancements.
“On top of holding Equifax accountable for one of the most devastating data breaches to face our nation, we have now recovered hundreds of millions of dollars to help our families who fell victim. Equifax, one of only three major credit reporting agencies, had a responsibility to secure and protect Americans’ data. Instead, it breached public trust,” said Attorney General Becerra. “Our credit status impacts nearly every aspect of our lives – from purchasing a home or a car to finding a job. The same Americans who had to immediately protect themselves from fraudsters or identify thieves will have to be vigilant for the rest of their lives. We encourage every eligible person to apply for the relief they are entitled to as part of our settlement.”
Affected consumers may get more information about the $425 million restitution fund by going to www.equifaxbreachsettlement.com or calling the settlement administrator at 1-833-759-2982. Eligible consumers may receive cash reimbursement for time or money spent trying to avoid or recover from fraud or identity theft because of the breach, as well as limited reimbursement for payments for Equifax credit monitoring or identity theft protection subscriptions. Eligible consumers may also receive free credit monitoring services for a period of up to ten years, or, alternatively, a cash payment for buying a different credit monitoring service.
As part of the injunctive terms of the settlement, Equifax agrees to:
Create a consumer assistance process responsive to claims of identity theft that includes affirmative assistance to consumers:
Make reasonable efforts to reduce its use and storage of consumer Social Security numbers, including when using a Social Security number to authenticate consumers;
Adhere to ban on profiting from data collected in connection with the breach or the remedies provided under the settlement;
Comply with requirements related to its collection, maintenance, and safeguarding of consumer personal information;
Implement and maintain a comprehensive and rigorous Information Security Program to protect the security of personal information; and
Employ a Chief Information Security Officer and additional staff, who will report directly to the company’s executive team, to oversee information security within each of the company’s business units.