Consumer Advocates Criticize Equifax Settlement PlanTwo States Sit Out Proposed Settlement and Continue Their Own Lawsuits
Equifax's move to settle federal and state probes as well as class action lawsuits would see data breach victims being able to claim up to $20,000 each for unreimbursed expenses.
See Also: Gartner Magic Quadrant for APM
But it's unclear how many victims could document such losses, in which case much of the $300 million victim fund to be established would flow to the U.S. Treasury. Also, some consumer advocates view the proposed deal as being insufficient, given the magnitude of Equifax's data breach.
On Monday, federal regulators and state attorneys general announced that under a proposed settlement, the Atlanta-based credit reporting giant will pay at least $575 million to settle U.S. probes and class-action lawsuits that arose from its failure to adequately protect information for nearly 150 million Americans (see: Equifax Negotiates Potential $700 Million Breach Settlement).
That figure includes a $100 million in fines to the Consumer Financial Protection Bureau, as well as a $175 million total payout to 48 states, plus the District of Columbia and Puerto Rico.
"Companies that profit from personal information have an extra responsibility to protect and secure that data," says FTC Chairman Joe Simons. "Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers."
Equifax will also contribute $300 million - as well as an additional $125 million if required - to a fund to compensate affected consumers. The fund will be used to pay for credit monitoring services not offered by Equifax, as well as to compensate victims for out-of-pocket expenses that are "fairly traceable to the breach."
Earlier this year, Equifax CEO Mark Begor told Congress that he's committed $1.25 billion to improve the company's security posture.
In its agreement with the FTC, Equifax has also agreed to implement specific measures to improve its information security program, including submitting regular, third-party audits to the regulator. The company's board must also attest to Equifax's security efforts and could be fined for noncompliance.
Some consumer advocates say the proposed sanctions against Equifax are insufficient, in part because victims must extensively document any claims they submit. In addition, the stolen information leaves victims at risk of identity theft for the rest of their lives - not just the 10 years of prepaid credit monitoring and seven years of prepaid identity-restoration services that Equifax has agreed to provide.
"It's a parking ticket, not a penalty," Ed Mierzwinski of the U.S. Public Interest Research Group in Washington tells Reuters.
How to Get Compensation
Victim fund payments will cover the cost of identity theft and credit monitoring services, or victims can opt for a single $125 payment.
In addition, victims can claim compensation - up to a maximum of $20,000 per individual - for unreimbursed costs from "identity theft or identity fraud, falsified tax returns, or other alleged misuse of affected consumers' personal information," as well as miscellaneous expenses "such as notary, fax, postage, copying, mileage, and long-distance telephone charges." At a rate of $25 per hour, they can also document for compensation up to 20 hours of time spent dealing with "fraud, identity theft, or other misuse of an affected consumer's personal information that is fairly traceable to the breach."
Starting on Dec. 31, all U.S. consumers can request up to six free credit reports in any 12-month period from Equifax, for the next seven years. That's in addition to the free, annual credit report to which all U.S. consumers are already entitled from each of the three nationwide credit reporting agencies.
"We encourage consumers impacted by the breach to submit their claims in order to receive free credit monitoring or cash reimbursements," says Kathleen L. Kraninger, director of the CFPB.
The FTC's Equifax Data Breach Settlement page links to a site run by the breach settlement administrator that enables Americans to see if they were affected by the breach, after entering their last name and the last six digits of their Social Security number.
Each data breach victim will be eligible for being reimbursed up to $20,000 for out-of-pocket losses. But it's not clear how many might qualify for the full amount. Notably, there are no reports that information stolen from Equifax has ever been tied to any cases of fraud.
Court Must Approve Settlement
The settlement must still be approved by the federal district court in the Northern District of Georgia.
Equifax's Begor told reporters on Monday that he expects that $300 million will be sufficient to cover all victims' expenses. He tells CNBC that the fund should be paying out claims by year's end.
Some lawmakers say companies that violate Americans' privacy should face steeper sanctions. "This settlement is just a drop in the bucket of what Equifax's disregard for privacy could cost American families," Sen. Sherrod Brown, D-Ohio, says in a statement (see: Senators Scrutinize Facebook's Cryptocurrency Plans).
But there's no law on the books in the U.S. that would hold them to such account, despite some lawmakers - including Brown - having attempted to pass such legislation.
Two States Continue Lawsuits
Also unhappy with the settlement are the attorneys general of Indiana and Massachusetts, which are not participating in the proposed settlement.
"Equifax must pay a penalty commensurate with the worst data breach in American history, which compromised the private information of more than three million Massachusetts residents," says Maura Healey, the Massachusetts attorney general. "Our litigation is ongoing."