Following a breach affecting 145 million consumers, the Federal Trade Commission has announced a settlement with Equifax for up to $700 million, the largest ever for a data breach. In the same action, Equifax also settled with the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories to resolve allegations related to the massive 2017 breach. This comes as the FTC announced another historic case against Facebook.
The FTC alleged that in March 2017 Equifax was alerted to a critical security vulnerability affecting its ACIS database, which handles inquiries from consumers about their personal credit data. While Equifax’s security team ordered that the vulnerable systems be patched within 48 hours of receiving the alert, Equifax did not follow up to confirm that the systems had in fact been patched. Four months later, Equifax’s security team discovered the breach when it detected suspicious network traffic.
As a result of this patch failure, the FTC alleged that Equifax failed to provide reasonable security for the sensitive personal information stored on its network, resulting in the exposure of the personal information of more than half of all U.S. consumers, including Social Security numbers, dates of birth, names and payment card information—all information that could lead to mass identity theft and fraud. The settlement highlighted the company’s failure to implement a policy ensuring that security vulnerabilities were patched; to block access to other parts of the network once one database was breached; to implement detection protections; and its practice of storing both network credentials and sensitive consumer information, such as Social Security numbers, in plain text.
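The first failure the FTC describes is a process gap rather than a missing tool: a patch was ordered with a 48-hour deadline, but nobody reconciled that order against evidence that the patch had landed. The script below is an added example (not code from the post, Equifax or the FTC) of the reconciliation step that was missing. It takes a list of patch orders and a list of scan observations, keeps only scan evidence gathered after each order was issued, and classifies every ordered host as verified, unpatched but still within the SLA, unpatched and overdue, or simply unverified. The host names, component name, version numbers and timestamps are constructed sample data.

```python
"""Reconcile patch orders against post-order scan evidence.

Added example, not from the original post. Hosts, versions and dates are
constructed; the 48-hour SLA mirrors the deadline described in the post.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PATCH_SLA = timedelta(hours=48)  # deadline the security team set per the post
UTC = timezone.utc


@dataclass
class PatchOrder:
    host: str
    component: str
    fixed_version: str      # lowest version that closes the advisory (constructed)
    ordered_at: datetime


@dataclass
class ScanResult:
    host: str
    component: str
    version: str            # version observed on the host by a scanner
    scanned_at: datetime


def version_tuple(version: str) -> tuple:
    """'2.5.1' -> (2, 5, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def reconcile(orders, scans, now):
    """Return {host: status} for every ordered host.

    Only scans taken after the order was issued count as evidence: a scan
    from before the order cannot prove anything about the fix.
    """
    latest = {}
    for scan in scans:
        key = (scan.host, scan.component)
        if key not in latest or scan.scanned_at > latest[key].scanned_at:
            latest[key] = scan

    report = {}
    for order in orders:
        evidence = latest.get((order.host, order.component))
        deadline = order.ordered_at + PATCH_SLA
        if evidence is None or evidence.scanned_at < order.ordered_at:
            status = "unverified"            # the gap the FTC alleged: no follow-up
        elif version_tuple(evidence.version) >= version_tuple(order.fixed_version):
            status = "verified"
        elif now > deadline:
            status = "unpatched-overdue"
        else:
            status = "unpatched-within-sla"
        report[order.host] = status
    return report


def needs_follow_up(report):
    """Hosts that still require action: anything not positively verified."""
    return sorted(h for h, s in report.items() if s != "verified")


def sample_report():
    """Run the reconciliation over constructed sample data."""
    ordered = datetime(2017, 3, 9, 9, 0, tzinfo=UTC)
    orders = [
        PatchOrder(host, "app-framework", "2.5.0", ordered)
        for host in ("web-01", "web-02", "web-03", "web-04")
    ]
    scans = [
        # patched and observed after the order
        ScanResult("web-01", "app-framework", "2.5.1", datetime(2017, 3, 10, 8, 0, tzinfo=UTC)),
        # still on the old version, observed well past the 48-hour deadline
        ScanResult("web-02", "app-framework", "2.3.0", datetime(2017, 3, 15, 8, 0, tzinfo=UTC)),
        # only evidence predates the order, so it proves nothing about the fix
        ScanResult("web-03", "app-framework", "2.3.0", datetime(2017, 3, 8, 8, 0, tzinfo=UTC)),
        # web-04 was never scanned at all
    ]
    now = datetime(2017, 3, 20, 12, 0, tzinfo=UTC)
    return reconcile(orders, scans, now)


if __name__ == "__main__":
    result = sample_report()
    for host, status in sorted(result.items()):
        print(f"{host}: {status}")
    print("follow up:", needs_follow_up(result))
```

The point of the "unverified" bucket is that absence of evidence is reported as loudly as a failed check; a tracker that only flagged hosts a scanner had seen would have stayed silent on exactly the systems that were never revisited.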
Under the agreement, Equifax will pay at least $575 million, and potentially up to $700 million, allocated as follows:
- $300 million for a fund that will provide affected customers with credit monitoring services.
- Up to an additional $125 million to that fund if the initial payment of $300 million is not enough to compensate customers for their losses.
- $100 million in civil penalties to the CFPB.
- $175 million to 48 states, D.C., and Puerto Rico.
In addition to the payments listed above, Equifax must also:
- Provide all U.S. consumers with six free credit reports each year for seven years starting in January 2020, in addition to the one free annual credit report that the three credit reporting agencies currently provide.
- Establish and implement an extensive internal security program, report on the program annually to the FTC for the next 20 years, and engage a third-party security assessor to evaluate the program every other year, which will in turn share its findings with the FTC.
Interestingly, the settlement also includes a novel whistleblower mechanism mandating Equifax create an internal program that receives and addresses employee complaints and concerns about security practices. FTC Commissioner Rebecca Kelly Slaughter further cemented the provision by providing an email address that whistleblowers can turn to if Equifax doesn’t hold up its end of the bargain. We suspect this new requirement could become a standard feature of future data breach and privacy settlements.
Although this type of joint settlement involving multiple agencies and states is not unprecedented, it is unusual. Given the FTC and CFPB’s overlapping jurisdiction and the CFPB’s more expansive civil penalty authority, the case could serve as the model for future inter-agency settlements, particularly when the stakes are significant, the breach involves so many U.S. residents, and multiple regulators have both jurisdiction and a desire to act.
While the settlement is vast, comprehensive, and costly for Equifax, and regulators are touting their record monetary achievement, many consumer privacy advocates and others contend the settlement does not go far enough. Critics argue that Equifax did not admit liability; that the company already had $690 million set aside for potential damages; and that it is unclear how many affected consumers will actually be able to receive reimbursement from the fund, particularly since for many the damage has not yet come to fruition. They also note that the penalty is a relatively low settlement amount for Equifax given the deeply sensitive nature of the information stolen, which has the potential to lead to fraud, identity theft, and conceivable damage to affected consumers’ livelihoods.
The settlement with the regulators and the corresponding resolution of the multi-district class action litigation appear to be both a carrot and a stick for Equifax. Undoubtedly, the FTC used its power to impose hefty security provisions and security oversight, add whistleblower provisions, and partner with the CFPB and State AGs who, unlike the FTC in this case, do have authority to seek civil fines and exercised that authority here.
But the FTC’s agreement to partner with the other regulators and to work with class counsel and the court in the class action litigation in a way that allowed Equifax to resolve the vast majority of its potentially massive liability from this breach in effectively one tidy package is certainly a benefit for Equifax. That is, not only did Equifax settle with the FTC, CFPB, and 50 states and territories (Indiana and Massachusetts did not join the global settlement), but the regulators and the consumer class all agreed that the $300 million (plus potentially another $125 million if needed) that will be provided to affected consumers for credit monitoring services will be the sole vehicle for all consumer redress necessitated by the breach. Further, the FTC did not hold any executives personally responsible for the breach, which seemed plausible in light of the facts and circumstances causing the breach and the sensitive data Equifax maintains. Wrapping up its liability in this global way may be the carrot that regulators hope will induce better behavior down the road.
Only time will tell whether the settlement amount, the relief sought, the level of inter-agency cooperation, and the corresponding resolution of the class action litigation will have the desired deterrent effect and serve as a model for future data breach enforcement actions. In the meantime, even more substantial changes to the data breach landscape are undoubtedly on the horizon as the private right of action and the statutory damages for data breaches under the California Consumer Privacy Act (CCPA) go into effect in January 2020. Stay tuned, as data breaches are not going away.