Settlement Includes up to $425 Million in Consumer Restitution Following Investigation into 2017 Data Breach
News Release, Office of the Maryland Attorney General
BALTIMORE, MD (July 22, 2019) – Maryland Attorney General Brian E. Frosh today announced a settlement with Equifax as the result of an investigation into a massive 2017 data breach. Led by Maryland, the investigation found that Equifax’s failure to maintain a reasonable security system enabled hackers to penetrate its systems, exposing the data of 56 percent of American adults – the largest-ever breach of consumer data in history. The settlement with Equifax includes a Consumer Restitution Fund of up to $425 million, a $175 million payment to the states, and injunctive relief, which also includes a significant financial commitment. This is the largest data breach enforcement action in history.
“Equifax’s data breach affected the personal information of millions of Americans, leaving them vulnerable to identity theft and misuse of their personal records,” said Attorney General Frosh. “Our investigation and settlement will result in restitution to affected consumers. It also requires Equifax to make significant changes in the way it does business. Its protection of the personal information that it collects will be enhanced significantly, and Equifax will pay for oversight and monitoring to ensure that it does its job.”
On September 7, 2017, Equifax, one of the largest credit reporting agencies in the world, announced a data breach affecting more than 147 million consumers – more than half of the U.S. population. Breached information included social security numbers, names, dates of birth, addresses, credit card numbers, and in some cases, driver’s license numbers.
A coalition that grew to include 50 attorneys general launched a multi-state investigation into the breach. The investigation found that the breach occurred because Equifax failed to implement an adequate security program to protect consumers’ highly sensitive personal information. Despite knowing about a critical vulnerability in its software, Equifax failed to patch its systems. Additionally, Equifax failed to replace software that monitored the breached network for suspicious activity. As a result, the attackers penetrated Equifax’s system and went unnoticed for 76 days.
Under the terms of the settlement, Equifax agreed to provide a Consumer Restitution Fund of up to $425 million. The company will offer affected consumers extended credit-monitoring services for a total of 10 years.
Equifax has also agreed to take a number of steps to assist consumers who are either facing identity theft issues or who have already had their identities stolen. Those services include:
- making it easier for consumers to freeze and thaw their credit;
- making it easier for consumers to dispute inaccurate information in credit reports, and
- requiring Equifax to maintain sufficient staff dedicated to assisting consumers who may be victims of identity theft.
Equifax has also agreed to strengthen its security practices going forward, including:
- reorganizing its data security team;
- minimizing its collection of sensitive data and the use of consumers’ Social Security numbers;
- performing regular security monitoring, logging, and testing;
- employing improved access control and account management tools;
- reorganizing and segmenting its network; and,
- reorganizing its patch management team and employing new policies regarding the identification and deployment of critical security updates and patches.
Equifax also agreed to pay the states a total of $175 million, which includes $5.7 million for Maryland.
Consumers who are eligible for redress will be required to submit claims online or by mail. Paper claims forms can also be requested over the phone. Consumers will be able to obtain information about the settlement, check their eligibility to file a claim, and file a claim on the Equifax Settlement Breach online registry. To receive email updates regarding the launch of this online registry, consumers can sign up at www.ftc.gov/equifax-data-breach.
Consumers can also call the settlement administrator at 1-833-759-2982 for more information. The program to pay restitution to consumers will be conducted in connection with settlements that have been reached in the multi-district class actions filed against Equifax, as well as settlements that were reached with the Federal Trade Commission and Consumer Financial Protection Bureau.
In addition to Maryland, attorneys general participating in this settlement include Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, Wisconsin, Wyoming, and the District of Columbia. Also joining are Texas, West Virginia and the Commonwealth of Puerto Rico.
The Southern Maryland Chronicle is a local, small business entrusted to provide factual, unbiased reporting to the Southern Maryland Community. While we look to local businesses for advertising, we hope to keep that cost as low as possible in order to attract even the smallest of local businesses and help them get out to the public. We must also be able to pay employees(part-time and full-time), along with equipment, and website related things. We never want to make the Chronicle a “pay-wall” style news site.
To that end, we are looking to the community to offer donations. Whether it’s a one-time donation or you set up a reoccurring monthly donation. It is all appreciated. All donations at this time will be going to furthering the Chronicle through hiring individuals that have the same goals of providing fair, and unbiased news to the community. For now, donations will be going to a business PayPal account I have set-up for the Southern Maryland Chronicle, KDC Designs. All business transactions currently occur within this PayPal account. If you have any questions regarding this you can email me at firstname.lastname@example.org
Thank you for all of your support and I hope to continue bringing Southern Maryland the best news possible for a very long time. — David M. Higgins II