On July 22, 2019, Equifax, one of the nation’s three large credit reporting agencies, settled a lawsuit brought by the Federal Trade Commission (“FTC”), the Consumer Financial Protection Bureau (“CFPB”), and 50 U.S. states and territories. The lawsuit alleged that Equifax’s failure to take reasonable steps to secure its network—which contained sensitive personal financial information (including social security numbers)—led to a 2017 data breach that impacted 147 million people. Notably, Equifax failed to encrypt its data, instead storing sensitive consumer information in plain text, while misleadingly assuring customers that it had physical, technical, and procedural safeguards to protect this data. The lawsuit specifically alleged that, as a result of these acts, Equifax violated the FTC Act’s prohibition against deceptive and unfair practices and the Gramm-Leach-Bliley Act’s Safeguards Rule.
The $575 million settlement (which could potentially reach $700 million) requires the company to pay $300 million to a fund that will provide consumers with free credit monitoring services for at least 10 years or a $125 cash payment, and to pay civil penalties of $175 million to the U.S. States and territories and $100 million to the CFPB. While the settlement did not force Equifax to admit fault, it does additionally require Equifax to:
- Designate an employee to oversee the information security program;
- Conduct annual assessments of internal and external security risks and implement safeguards to address potential risks;
- Obtain annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements;
- Test and monitor the effectiveness of the security safeguards; and
- Ensure service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data.
About Faruqi & Faruqi, LLP
Faruqi & Faruqi, LLP focuses on complex civil litigation, including securities, antitrust, wage and hour, personal injury and consumer class actions as well as shareholder derivative and merger and transactional litigation. The firm is headquartered in New York, and maintains offices in California, Delaware, Georgia and Pennsylvania.
Since its founding in 1995, Faruqi & Faruqi, LLP has served as lead or co-lead counsel in numerous high-profile cases which ultimately provided significant recoveries to investors, direct purchasers, consumers and employees.
To schedule a free consultation with our attorneys and to learn more about your legal rights, call our offices today at (877) 247-4292 or (212) 983-9330.
About Dillon Hagius
Dillon Hagius's practice is focused on securities litigation. Dillon is an associate in the firm's New York office.