The Penalties of a Data Breach: Equifax to Pay Almost US$800m

BIIA reported recently that Equifax was close to a deal to pay around $700 million to settle data breach probes with U.S. regulators and states.  Now more precise numbers have become available. 

According to the Financial Times Equifax will be liable for almost $800m as part of a US settlement after a 2017 hack that exposed the personal data of nearly 150m people whose most sensitive financial information is tracked by the credit reporting agency. The settlement with several federal and state authorities, and claimants in a class-action lawsuit, draws a line under one of the largest breaches of US consumer data.

The resolution with the FTC, Consumer Financial Protection Bureau, 50 state attorneys-general and class-action claimants, requires Equifax to pay $380m into a fund to compensate affected consumers, $80m of which will be for attorneys’ fees. Equifax will also pay $290m in CFPB and state penalties, including $10m to the New York Department of Financial Services, and make available an extra $125m for the fund if it is used up.

The total amount $425m the amount Equifax will pay into a fund to compensate US consumers Mark Begor, Equifax chief executive, said he did not expect the company to make additional payments into the fund beyond the original amount. “We expect this will be enough, but we have made more money available because we recognize it may be necessary,” he told reporters.  Mr Begor said that Equifax had seen “no evidence” of the hacked personal information being sold online. The deal will require Equifax to boost its cyber security systems and obtain third-party assessments of its processes every two years. It also forces the company’s board to certify annually that it is complying with the settlement, a move that would make directors personally liable, FTC officials said.

FTC Rational:  The total sum for which Equifax is liable is more than double its 2018 net income of $300m — though substantially less than the $3.4bn in revenue it recorded last year. FTC officials said Monday that they weighed up Equifax’s ability to pay while continuing to invest in cyber security when deciding the appropriate penalty. “We do want to make sure that we’re not bankrupting the company,” said Maneesha Mithal, director of the division of privacy and identity protection at the FTC.

Last September, UK regulators fined Equifax £500,000, the maximum penalty allowed by law at the time of the hack, after it was revealed hundreds of thousands of British customers had also been affected. The UK Information Commissioner’s Office said Equifax had collected British customer data and stored it in the US.

Source: Financial Times

BIIA editorial comment: It has been reported some time ago that following the Equifax data breach consumers braced themselves for a wave of scams, but they never came. Here we are two years later, and the stolen data hasn’t appeared online (also read).