The United States Federal Trade Commission on Monday announced that Equifax has agreed to pay a minimum of US$575 million as part of a global settlement of claims against it arising from a 2017 data breach that affected 147 million Americans.
The settlement with the FTC, the Consumer Financial Protection Bureau, and 50 states and territories potentially could reach $700 million.
In its complaint against Equifax the FTC alleged that the credit reporting agency failed to secure a massive amount of personal information stored on its network, leading to a breach that exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information, which could result in identity theft and fraud.
As part of the proposed settlement, Equifax will pay $300 million to fund credit monitoring services for consumers.
The fund also will compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the data breach.
An additional $125 million will be added if the initial funding level should fall short of the amount required to compensate consumers for their losses.
What’s more, starting in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years — in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently must provide upon request.
The company also has agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the CFPB in civil penalties.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” FTC Chairman Joe Simons said.
“This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud,” he added.
More Than Big Money Payout
In addition to the financial terms in the settlement, Equifax has agreed to implement a comprehensive information security program, which includes the following measures:
- Designating an employee to oversee the information security program;
- Conducting annual assessments of internal and external security risks, and implementing safeguards to address potential risks, including patch management and security remediation policies, network intrusion mechanisms, and other protections;
- Obtaining annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements;
- Testing and monitoring the effectiveness of the security safeguards; and
- Ensuring service providers that procedures to access personal information stored by Equifax implement adequate safeguards to protect such data.
To ensure compliance with the agreement, Equifax must obtain third-party assessments of its information security program every two years. Assessors are required by the agreement to specify the evidence that supports their conclusions and conduct independent sampling, employee interviews, and document reviews. Moreover, the FTC has final say over any assessor chosen by Equifax.
The order also requires Equifax to provide an annual update to the FTC about the status of the consumer claims process.
The FTC has established an email address dedicated to Equifax whistelblowers: firstname.lastname@example.org.
Although the FTC pegs Equifax’s minimum payout at $525 million, the actual payout may be lower than that, maintained Ted Rossman, industry analyst atCreditCards.com.
“They’re going to be asking people to claim how they were harmed financially from this,” he told the E-Commerce Times.
“While this was a huge breach, the information never appeared on the dark Web, and people were not really harmed financially as much as we all feared,” Rossman observed.
“It seems that this was some sort of theft by a government or intelligence agency,” he continued. “It really wasn’t a monetary theft, as much as it was an information theft, so I don’t think people are going to be able to claim full financial benefits.”
A common offering to data breach victims is credit monitoring.
“It’s an empty gesture,” asserted Robert Cattanach, partner at Dorsey & Whitney, an international law firm based in New York City.
“I do a lot of these cases, and less than 10 percent of the people offered credit monitoring actually take it,” he told the E-Commerce Times.
“It’s of course important for consumers to monitor their credit, but if there are problems, the real challenge is in addressing fraud and proactively repairing damaged credit,” said Willy Leichter, vice president of marketing at Virsec, an applications security company.
“Free reporting does none of that,” he told the E-Commerce Times.
Guidelines for disbursements to consumers from the Equifax fund haven’t been established yet. “It will be interesting to see what kind of claims they will accept, what their criteria will be, and how much money they will pay out,” said Daniel Castro, vice president of ITIF, the Information Technology & Innovation Foundation, a research and public policy organization in Washington, D.C.
“There’s a lot money there, but it seems most of the money is going to lawyers,” he told the E-Commerce Times. “That’s one of the problems with creating a private right to action for these data breach cases. It creates more opportunities for lawyers to rake in massive fees on settlements. Consumers often see very little tangible impact.”
More Than a Wrist Slap
This latest big settlement over a data breach appears to be a signal to businesses that regulators are taking the issue seriously.
“When the Equifax and British Airways breaches happened in 2017, it seemed like regulators would let them off easy with a slap on the wrist,” observed Deepak Patel, security evangelist at PerimeterX, a Web security service provider in San Mateo, California.
“The FTC and GDPR are imposing meaningful fines to hold these large corporations accountable for breaches involving sensitive user data,” he told the E-Commerce Times.
British Airways recently was fined $230 million under the EU’s GDPR (General Data Protection Regulation) for a website failure that affected the personal data of some half a million customers.
GDPR fines are capped at 4 percent of global revenue, noted Pravin Kothari, CEO of CipherCloud, a cloud security provider in San Jose, California.
However, the FTC has reached settlements with some companies much higher than that. A settlement with Facebook was about 9 percent of revenue, and the Equifax deal is about 25 percent.
“This sets a new precedent and a wake-up call to all businesses to be extremely careful,” Kothari told the E-Commerce Times.
“However, many businesses are still not doing enough to protect their clients’ sensitive information. They do not realize that Internet and cloud services are not bullet-proof,” he said. “They assume that their information is safe with service providers, but a simple misconfiguration, a bug, or abuse of API could cause major exposure and havoc.”
Shifting Costs to Crooks
Large penalties do change the risk equations that many businesses use to decide on their level of security investment, noted Virsec’s Leicher, “but given the scale of the Equifax breach, this penalty is relatively light and may have little direct effect on other businesses and little direct effect on improving consumer security.”
Large fines may encourage some companies to invest more in cybersecurity, but what’s really needed is commitment, maintained Torsten George, cybersecurity evangelist at Centrify, an authentication and access control company in Santa Clara, California.
“Companies have to make a decisive commitment to protecting sensitive customer data,” he told the E-Commerce Times. “Without that commitment and an approach to cybersecurity that can make an actual difference in the modern threatscape and against modern attackers, these settlements won’t make a noticeable difference.”
Data protection has to become more personal, especially for corporate executives, suggested Tim Bedard, director of security product marketing at OneSpan, an authentication and fraud analysis company in Chicago.
“Until regulators implement new compliance and regulations holding organizations’ executive leadership personally responsible for the security and protection of consumers’ personal identifiable information, then future massive settlements will only go so far,” he told the E-Commerce Times.
“Consumers should not bear the costs of computer crime, but neither should other crime victims, like the vendor,” said Michael Clauser, global head of data and trust at Access Partnership, a global public policy firm serving the tech sector, with offices on five continents.
“Ultimately, governments, vendors and consumers will need to find a way to shift costs ‘upstack’ to the criminal actor,” he told the E-Commerce Times. “I think over time, emerging technology, including AI, will make that a reality.”