7/23/2019
This article was originally published by The New York Times.
The credit bureau Equifax will pay about $650 million — and perhaps much more — to resolve most claims stemming from a 2017 data breach that exposed sensitive information on more than 147 million consumers and demonstrated how little control Americans have over their personal data.
The settlement is vast in its scope, resolving investigations by two federal agencies and 48 state attorneys general and covering every American consumer whose data was stolen — or just under half the population of the United States. It does not just compensate victims who lost money: People who suffered through the hassles of bank phone trees and credit-card customer service lines can bill Equifax $25 an hour for their time.
A federal judge gave the agreement preliminary approval on Monday, and once finalized, it will be the largest settlement of a data breach case in terms of dollar amount and number of victims, surpassing the $115 million the health care company Anthem paid to settle claims from 79 million people who had their personal information stolen in 2015.
“Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk,” said the New York attorney general, Letitia James, who helped lead the states’ investigation.
Almost half the settlement — $300 million — will go toward American consumers who were harmed by the breach, according to settlement documents filed in federal court in Atlanta. The company also agreed to pay $275 million in fines to end investigations by the Consumer Financial Protection Bureau, the Federal Trade Commission and 48 states, plus the District of Columbia and Puerto Rico.
Equifax agreed to provide up to 10 years of free credit monitoring services to all victims of the breach in the United States, an offer that could prove costly. Equifax is paying one of its competitors, Experian, to provide that service for the first four years, but the settlement assumes only about seven million people will sign up.
That means the ultimate size of the settlement could change. Every additional million consumers who opt in would cost Equifax more than $16 million, according to the settlement documents. If all 147 million victims of the breach were to take part, the monitoring services would cost Equifax more than $2 billion.
“If people want Equifax to pay more, sign up for credit monitoring,” said Norman E. Siegel, a lawyer representing consumers in the settlement.
In addition to the potential costs for credit monitoring, Equifax said it would add up to $125 million to the claims fund if the initial $300 million is depleted.
Information for consumers will be posted at equifaxbreachsettlement.com, a website set up by the group that will handle claims. The site will begin accepting claims as soon as Tuesday, according to Amy E. Keller, one of the lead lawyers representing consumers in the settlement. Those who already signed up for identity theft protection will be eligible for reimbursement.
The breach not only exposed private information but also put a spotlight on the loosely regulated role credit bureaus play in the day-to-day lives of Americans. Equifax makes money by selling its vast trove of information to auto loan, mortgage and credit card issuers. Consumers can exercise some control over how their files are used — for example, by freezing them to prevent new credit lines from being opened — but they cannot choose to have the bureaus stop collecting their information.
Law enforcement officials have never publicly identified who was behind the hack. Although the thieves did not steal Equifax’s crown jewels, its credit files, they used a flaw that was left unfixed to gain access to dozens of databases. According to a government report, the attackers siphoned off information for about 76 days until Equifax discovered the intrusion in late July 2017. The company waited more than a month to disclose the breach.
As bad as the loss of so much sensitive information was, the company’s bungled response also infuriated consumers. Equifax created an information website that barely functioned. It struggled to keep up with the deluge of phone calls and messages from worried consumers. At one point, it even accidentally pointed those seeking information on the breach toward a fake website.
The turmoil led to the ouster of Equifax’s chief executive, Richard F. Smith, and the company’s chief information officer and chief security officer. Last year, Equifax named Mark W. Begor, an outsider who had worked in private equity, as its new chief executive.
Equifax, based in Atlanta, has been negotiating for months to finalize the settlement and set aside $690 million last quarter to cover the anticipated costs. “We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement,” Mr. Begor said in a statement.
Some aspects of the settlement — particularly who exactly will be approved for compensation because their identities were stolen — remain to be seen.
Lawyers representing the consumers in the settlement say people who were victims of fraud after the breach will be eligible for settlements even if they cannot prove that the Equifax theft directly caused their loss. The settlement documents say anyone who experienced fraud that was “fairly traceable” to the stolen information will be able to make a claim. But applying that definition will be up to the settlement’s administrator, JND Legal Administration, which will follow a detailed written protocol laid out in the settlement.
It has been difficult to determine how much harm the breach did to consumers, because cybersecurity experts have not seen any sign of victims’ stolen names, Social Security numbers and addresses surfacing in the kinds of online marketplaces where such stolen information is often trafficked.
“We continue to monitor the Dark Web and identity theft,” Mr. Begor said at a news conference on Monday. “To date, we haven’t seen any instances of the data that was stolen being sold.”
The current settlement figure of about $650 million is a bit less than one typical quarter of sales for Equifax. Last year, the company earned $300 million, a 49 percent drop from its income a year earlier, on sales of $3.4 billion. Equifax’s stock price tumbled after the breach but has since recovered most of its losses.
Some consumer advocates wish the punishment had been more harsh.
“The Equifax fine is grievously low, particularly given the scope of the identity problems they created,” said Pam Dixon, the executive director of the World Privacy Forum.
But the sum “is not insignificant,” said Christopher Peterson, a law professor at the University of Utah and a former enforcement lawyer at the Consumer Financial Protection Bureau. Settling the case quickly is probably a better outcome for consumers than years of legal battling, he added.
“My perspective is that this is a win for the various consumer protection agencies that are involved, but that over the long term, it creates only a relatively mild incentive for the big credit reporting agencies to strengthen their data security,” Mr. Peterson said. “The underlying law itself here does not provide as much protection as I think most Americans deserve and want.”
Major data breaches have become an almost routine occurrence. Last year, the Marriott hotel chain disclosed that thieves had stolen personal details on roughly 500 million guests, an attack that has been attributed to a Chinese intelligence-gathering effort. In May, a security journalist revealed that a major title insurance company, First American Financial Corporation, had left nearly 900 million documents related to mortgage deals online and unprotected.
But the Equifax breach had perhaps the most potential for damage. Equifax, one of the three largest credit bureaus in the United States alongside Experian and TransUnion, has files on hundreds of millions of people worldwide that contain extensive details about their financial accounts and transactions. Equifax even receives copies of millions of Americans’ paychecks, which are fed into its Work Number database.
After a series of fiery congressional hearings, in which lawmakers of both parties denounced Equifax for its missteps — “I can’t fix stupid,” Representative Greg Walden, Republican of Oregon, told Mr. Smith in one memorable exchange — lawmakers passed new restrictions on credit bureaus, including a law making credit freezes free. But there have been no major changes to the federal laws covering what information credit bureaus can collect and what steps they must take to safeguard it.
The settlement on Monday is still not the final word on claims that resulted from the breach. Two states, Massachusetts and Indiana, sued Equifax separately. Those cases have not been resolved.