Equifax Settles Data Breach Lawsuit

On July 22, 2019, Equifax, one of the nation’s three large credit reporting agencies, settled a lawsuit brought by the Federal Trade Commission (“FTC”), the Consumer Financial Protection Bureau (“CFPB”), and 50 U.S. states and territories.  The lawsuit alleged that Equifax’s failure to take reasonable steps to secure its network—which contained sensitive personal financial information (including social security numbers)—led to a 2017 data breach that impacted 147 million people.  Notably, Equifax failed to encrypt its data, instead storing sensitive consumer information in plain text, while misleadingly assuring customers that it had physical, technical, and procedural safeguards to protect this data.  The lawsuit specifically alleged that, as a result of these acts, Equifax violated the FTC Act’s prohibition against deceptive and unfair practices and the Gramm-Leach-Bliley Act’s Safeguards Rule.  

The $575 million settlement (which could potentially reach $700 million) requires the company to pay $300 million to a fund that will provide consumers with free credit monitoring services for at least 10 years or a $125 cash payment, and to pay civil penalties of $175 million to the U.S. States and territories and $100 million to the CFPB.  While the settlement did not force Equifax to admit fault, it does additionally require Equifax to:

• Designate an employee to oversee the information security program;
• Conduct annual assessments of internal and external security risks and implement safeguards to address potential risks;
• Obtain annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements;
• Test and monitor the effectiveness of the security safeguards; and
• Ensure service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data.