Equifax Settles 2017 Data Breach for $1.38 Billion
A class action settlement has been proposed in a case against Equifax Inc., relating to the data breach that Equifax announced in September 2017, which affected approximately 147 million U.S. consumers.
According to the settlement, Equifax will pay $380,500,000 into a fund for class benefits, attorneys’ fees, expenses, service awards and notice and administration costs; up to an additional $125,000,000 if needed to satisfy claims for certain out-of-pocket losses; and potentially $2 billion more if all 147 million class members sign up for credit monitoring. No settlement funds will revert to Equifax. The specific benefits available to class members include:
- Reimbursement of up to $20,000 for documented, out-of-pocket losses fairly traceable to the breach, such as the cost of freezing or unfreezing a credit file; buying credit monitoring services; out-of-pocket losses from identity theft or fraud, including professional fees and other remedial expenses; and 25 percent of any money paid to Equifax for credit monitoring or identity theft protection subscription products in the year before the breach. If the $380.5 million fund proves to be insufficient, Equifax will add another $125 million to pay claims for out-of-pocket losses.
- Compensation of up to 20 hours at $25 per hour (subject to a $38 million cap) for time spent taking preventative measures or dealing with identity theft. Ten hours can be self-certified, requiring no documentation.
- Four years of specially negotiated, three-bureau credit monitoring and identity protection services through Experian and an additional six years of one-bureau credit monitoring and identity protection services through Equifax. The Experian monitoring has a comparable retail value of $24.99 per month and has a number of features that are typically not available in “free” credit monitoring services offered to the public. The one-bureau credit monitoring will be provided separately by Equifax and not paid for from the settlement fund.
- Alternative cash compensation (subject to a $31 million cap) for class members who already have credit monitoring or protection services in place and who choose not to enroll in the enhanced credit monitoring and identity protection services offered in the settlement.
- Identity restoration services through Experian to help class members who believe they may have been victims of identity theft for seven years, including access to a U.S. based call center, assignment of a certified identity theft restoration specialist and step by step assistance in dealing with credit bureaus, companies and government agencies.
In addition, Equifax has agreed to entry of a consent order requiring the company to spend a minimum of $1 billion for data security and related technology over five years and to comply with comprehensive data security requirements. Equifax’s compliance will be audited by an experienced, independent assessor and subject to the Court’s enforcement powers. According to cybersecurity expert Mary Frantz, "[I]mplementation of the proposed business practice changes should substantially reduce the likelihood that Equifax will suffer another data breach in the future. These changes address serious deficiencies in Equifax’s information security environment. Had they been in place on or before 2017 per industry standards, it is unlikely the Equifax data breach would ever have been successful. These measures provide a substantial benefit to the Class Members that far exceeds what has been achieved in any similar settlements."