Settlement includes up to $425 million in consumer restitution following investigation into 2017 data breach
Attorney General T.J. Donovan today announced that a coalition of 50 attorneys general have reached a settlement with Equifax as the result of an investigation into the largest-ever breach of consumer data. The investigation found that Equifax’s failure to maintain a reasonable security system enabled hackers to penetrate its systems, exposing the data of 56 percent of American adults, including more than 250,000 Vermonters in 2017. The attorneys general, in concert with the Federal Trade Commission and the Consumer Financial Protection Bureau, secured a settlement with Equifax that includes a Consumer Restitution Fund of up to $425 million, a $175 million payment to the states, and numerous required actions Equifax must take to better protect consumer data. The State of Vermont will receive $1.85 million.
“This is a historic and unprecedented breach of consumer data. Vermonters deserve to have their most sensitive personal data protected by the companies who handle it, especially when obtained without their clearly expressed consent,” Attorney General Donovan said. “When a major corporation like Equifax, whose sole business is trading in other peoples’ data, does not take basic steps to protect that data, there must be serious legal consequences.”
On September 7, 2017, Equifax, one of the largest consumer reporting agencies in the world, announced a data breach affecting more than 147 million consumers. Breached information included Social Security numbers, names, dates of birth, addresses, credit card numbers, and in some cases, driver’s license numbers.
The attorneys’ general investigation found that the breach occurred because Equifax failed to implement an adequate security program to protect consumers’ highly sensitive personal information. Despite knowing about a critical vulnerability in its software, Equifax failed to fully patch its systems. Moreover, Equifax failed to replace software that monitored the breached network for suspicious activity. As a result, the attackers penetrated Equifax’s system and went unnoticed for 76 days.
Under the terms of the settlement, Equifax has agreed to take several steps to assist consumers who are either facing identity theft issues or who have already had their identities stolen. These steps include making it easier for consumers to freeze and thaw their credit; making it easier for consumers to dispute inaccurate information in credit reports; and requiring Equifax to maintain sufficient staff dedicated to assisting consumers who may be victims of identity theft.
Equifax has also agreed to strengthen its security practices going forward, including:
- minimizing its collection of sensitive data and the use of consumers’ Social Security numbers;
- performing regular security monitoring, logging and testing;
- employing improved access control and account management tools;
- reorganizing and segmenting its network; and
- reorganizing its patch management team and employing new policies regarding the identification and deployment of critical security updates and patches.
The $600 million settlement includes a Consumer Restitution Fund of up to $425 million, with $300 million dedicated to consumer compensation. Equifax will also offer affected consumers extended credit-monitoring services for a total of 10 years, and 18 years for affected minors.
The Consumer Restitution Fund will reimburse consumers for out-of-pocket costs that resulted from the breach (such as fees paid for credit freezes or professional fees paid to address identity theft) and compensate consumers for up to 20 hours of time spent remedying issues arising from the breach, at $25 per hour. Consumers will be able to obtain information about the settlement, check their eligibility to file a claim, and file a claim on the Equifax Settlement Breach online registry, www.EquifaxBreachSettlement.com. Some features on the site will not be available until the final approval of the settlement by the courts. To receive email updates regarding the launch of this online registry, consumers can sign up at www.ftc.gov/equifax-data-breach. Consumers can also call the settlement administrator at 1-833-759-2982 for more information.
Vermonters with questions or concerns about identity theft may also call the Vermont Consumer Assistance Program at 1-800-649-2424. More information can be found on the Vermont Attorney General’s website, https://ago.vermont.gov/consumer-settlements/.
Last modified: July 22, 2019