The Atlanta-based credit reporting company Equifax has agreed to pay at least $650 million to settle most claims stemming from a massive data breach that exposed the highly sensitive personal information of more than 147 million consumers to cybercriminals.
The record settlement – the largest data breach resolution in terms of dollar amount and number of victims – ends claims brought by 48 state attorneys general, the District of Columbia, and Puerto Rico, and brings to a close two federal investigations.
Under the terms of the settlement announced July 22, Equifax is paying $275 million in government fines and allocating about $300 million to a fund that will provide consumers affected by the breach up to 10 years of free credit monitoring, identity theft protection, and individual cash payments for those who suffered financial losses. Individual claims are capped at $20,000. Legal fees were also calculated into the settlement.
According to The New York Times, the funds Equifax allocated for free credit reporting services, which its competitor Experian will provide, would cover just seven million people – less than 4% of the 187 million people affected by the data breach. Equifax would have to pay Experian more than $16 million for each additional 1 million consumers who opt into the credit monitoring service, so its costs could rise significantly.
“Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk,” said New York Attorney General Letitia James, who helped investigate the case for the litigant states.
Attorney General James’ statement reflects the consternation millions of people have expressed over the Equifax data breach. In addition to leaking the personal data of millions of people through its lax security measures, Equifax also bungled its response with a deficient and barely functioning website and couldn’t keep pace with the volume of phone calls it received from consumers worried about the breach.
The data breach also exposed an ugly side of credit reporting companies. Equifax, like its competitors, makes its money by selling the consumer data it collects and stores to auto loan, mortgage, and credit card issuers. Consumers who engage in just about any type of financial activity have no choice but to allow bureaus like Equifax to collect, store, and traffic their personal data.
This is especially troubling because cyberattacks on U.S. credit bureaus, banks, insurers, and other financial institutions have increased with alarming frequency in recent years. It should go without saying that any company that stores the sensitive information of millions of consumers should be required to take the strongest measures possible to guard that information, but unfortunately that is not the case. Most cybersecurity regulations exist in a loose patchwork of state rules.
To see if you were affected by the Equifax data breach or to file a claim, visit https://www.equifaxbreachsettlement.com/.