Equifax will pay $575 million in fines for the massive 2017 data breach that exposed sensitive information for 147 million people.
The sum is part of a settlement announced Monday morning with 50 U.S. attorneys general, the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB).
The settlement requires Equifax to pay $300 million to a compensation fund for victims of the breach and could end up paying an additional $125 million if the fund runs out — meaning the company could end up paying as much as $700 million.{mosads}
Equifax will also pay $175 million to a coalition of 50 states and territories, as well as $100 million to the CFPB.
“Equifax failed in its fundamental responsibility to safeguard consumers’ sensitive financial information,” Pennsylvania Attorney General Josh Shapiro (D) said in a statement. “Equifax knew that there were serious flaws in their system, but still they did not take appropriate steps to fix it. They left their system vulnerable to the biggest data breach in history and the financial futures of millions of Americans were put at risk—and it was entirely preventable.”
Attorneys general from 48 states, Washington, D.C., and Puerto Rico were involved in the settlement.
The fines come nearly two years after Equifax first announced the breach in September 2017. Since then, the company has been dragged before Congress numerous times to explain its handling of the incident, which compromised Social Security numbers, names, dates of birth and home addresses.
The agreement outlined in the FTC’s complaint with a federal court in Georgia faults Equifax for failing to “provide reasonable security for the massive quantities of sensitive personal information stored within Defendant’s computer network.”
The settlement will require Equifax to implement a stronger cybersecurity program and submit to annual assessments of its protections. And starting in 2020 it will also have to provide consumers with six free credit reports a year for the next seven years.
Rep. Frank Pallone Jr. (D-N.J.), the chairman of the House Energy and Commerce Committee, said in a statement that that settlement didn’t go far enough after Equifax put roughly half the nation’s adults at risk.
“This settlement does not come close to making consumers whole and, once again, shows the limitations on the FTC’s ability to seek strong penalties and effective redress for consumers,” he said in a statement. “It also shows that we need a comprehensive data privacy and security law to ensure companies are designing their systems to protect consumer privacy from the start, minimizing the personal information they keep, and are held appropriately accountable if they fail.”
FTC Chairman Joseph Simons acknowledged the limitations that his agency faces and used a press conference on Monday to call on Congress to give the commission more authority to be tougher in privacy cases.
“We don’t have a general privacy legislation like the GDPR in Europe. Our authority is actually pretty limited in privacy,” Simons told reporters after the conference.
“We can’t go out and tell companies, ‘You can’t collect this, you can’t use it this way, you can’t use it that way,’” he said.
Simons said that the agency didn’t push Equifax to pay more than $300 million to the consumer fund out of concerns that a larger sum would hurt the credit reporting bureau’s ability to invest more in cybersecurity and compete in the marketplace.
Consumers affected by the breach will soon be able to file claims to apply for monetary relief from the fund. Payouts to consumers will be capped at $20,000 per person.
Equifax CEO Mark Begor, who was not leading the company at the time of the breach, touted the company’s progress in investing in cybersecurity measures since the incident.
“This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company,” Equifax CEO Mark Begor said in a statement. “The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter.”
Updated at 12:17 p.m.