The U.S. Federal Trade Commission, along with the Consumer Financial Protection Bureau and 50 states and territories, announced a settlement Monday morning with Equifax related to its 2017 data breach. In the settlement, Equifax agreed to pay at least $575 million — and potentially up to $700 million — as part of what the authorities are calling a "global settlement," though monetary relief will only go to U.S. citizens.
The 2017 data breach of Equifax affected at least 147 million consumers. During a four-month span, hackers accessed 145.5 million Social Security numbers and 209,000 payment card numbers and expiration dates. According to the FTC, Equifax did not patch a known security vulnerability in its ACIS database after it was alerted to the gap in March 2017. Though Equifax's security team required the vulnerability be patched within 48 hours, the company did not do so until July 2017.
According to the complaint, "Hackers were able to access a staggering amount of data because Equifax failed to implement basic security measures," including storing passwords and network credentials in plaintext. Specifically, the FTC alleges the company violated the FTC Act and the Gramm-Leach-Bliley Safeguards Rule.
In a joint press conference between the FTC, Consumer Financial Protection Bureau and the state of Maryland Monday morning, Maryland Attorney General Brian Frosh characterized the 2017 data breach as one of the largest in U.S. history "and perhaps the most dangerous." CFPB Director Kathy Kraninger said Equifax engaged in "unfair and deceptive practices" and "broke the law before and after the breach." She said all U.S. consumers can request up to six credit reports from Equifax in a 12-month period free of charge.
As part of the proposed settlement, the company will pay $300 million to a credit-monitoring fund for consumers affected by the breach. Equifax also agreed to pay an additional $125 million to the fund if the initial sum is not enough to compensate affected consumers.
An additional $175 million will go to 48 U.S. states, the District of Columbia and Puerto Rico, and another $100 million will go to the CFPB.
During the press conference Monday morning, the FTC's Maneesha Mithal said the agency wanted to balance the fine so that it was enough to compensate consumers while also allowing Equifax enough funds to bolster its data security operations. "We didn't want to bankrupt them," she said.
The settlement also institutes significant operational requirements and third-party assessments of Equifax's data security program. Frosh said the settlement includes "strong injunctive relief" and "enumerates all the actions Equifax must make." Significantly, FTC Chairman Joe Simons said, "We have control of the appointment of the third-party assessor and can fire and get a new one."
The FTC has also published a dedicated webpage that addresses frequently asked questions on its site for the settlement and a blog post to help businesses learn data security lessons from the incident.
Equifax must now implement a comprehensive information security program and designate an employee to oversee it. The company must also conduct annual assessments of internal and external risks and implement safeguards to address potential risks. Equifax will be required to obtain annual certifications from its board of directors confirming that the company is complying with the order and ensure service providers accessing personal information stored by Equifax also implement "adequate safeguards to protect such data."
Interestingly, in its announcement, the FTC "encourages Equifax employees who believe the company is failing to adhere to its data security promises" to email the agency.
The FTC's Simons also used the news conference to talk directly to the U.S. Congress. "I want to flag an important and key message to Congress," he said. "The CFPB and the states were able to obtain civil penalties for this breach. The FTC could not because we do not have civil penalty authority. ... I renew my call on Congress to pass federal data security legislation that would give the FTC civil penalty authority to fine companies on the first violation."
In comments provided to The Privacy Advisor, Consumer Union Consumer Privacy and Technology Policy Director Justin Brookman said, "I think it's a good settlement: The FTC can't get penalties under the Safeguards Rule, but they've managed to get Equifax to commit to spending a painful amount of money to improve security and monitor credit records." Brookman, who is a former policy director at the FTC, also reacted to the $300 million fund for credit monitoring: "I'm lukewarm on the merits of credit monitoring itself — credit freezes are more effective, and they're free now."
The Equifax news comes during a busy period for the FTC. Earlier this month, news leaked that the agency voted along party lines to fine Facebook a record $5 billion for privacy violations.
Also, over the weekend, The Washington Post reported the FTC is set to fine Google-owned YouTube for violating the Children's Online Privacy Protection Act. Like the reported Facebook settlement, the YouTube action appears to also run along party lines, with three Republican commissioners in favor and two Democrats opposed. According to the report, the settlement will involve a "multimillion-dollar" fine.
"Equifax and Facebook were always going to be high-profile cases for the FTC," Brookman said. "But it's encouraging to hear that they're looking into YouTube, too, which has terrible practices but hasn't gotten as much publicity (at least, not for this issue)." Brookman also pointed to the length of these major investigations, arguing that it demonstrates the agency "needs more resources, and maybe some streamlined internal processes as well."
For Monday's enforcement action against Equifax, Maryland Attorney General Frosh perhaps expressed the most pointed words, characterizing the company's response as "aggravating" and saying that this settlement is important in another way: "Most consumers affected by this breach didn't sign up to be customers of Equifax; we didn't choose Equifax; it chose us." As a result, Frosh fired a warning shot to other credit agencies.
"We think we're setting a standard for everybody who collects credit information, and we intend to hold them accountable."
Top image is a screen shot from Monday's press conference.