Experts weigh in on whether regulators will need to become more aggressive in oversight and penalties in the future
Equifax has settled with US regulators out of court to resolve lawsuits relating to a 2017 data breach, and experts believe the deal will act as a benchmark for future cybersecurity cases.
The overall settlement is at least $575 million and could reach $700 million. The fund for consumer expenses makes up a substantial portion of what Equifax is expected to pay, with at least $300 million earmarked to settle consumer claims.
Around 147 million individuals were said to have been impacted by the Equifax data breach, in which their personally identifiable information (PII) was compromised.
The settlement between the credit monitoring service, the US Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), and 50 states and territories was reached after the FTC found Equifax did not take “reasonable steps” to protect consumer data.
According to the US regulator, “archaic” legacy technologies were in use. Proper patching processes were not enforced, credentials were stored in plaintext, and expired security certificates were not refreshed, among many other cybersecurity failures.
On the day of the Equifax breach settlement, FTC chairman Joseph Simons said in prepared remarks (PDF) that “the FTC will continue its vigorous data security enforcement program [and] will seek strong injunctive relief against law violators, to the fullest extent allowed under existing law”.
Equifax maintained full-year revenue guidance of between $3.4 billion and $3.5 billion during Q2 2019 earnings, and so the $700 million settlement is more than a slap on the wrist for the company.
However, Adam Laub, CMO of security software firm STEALTHbits Technologies, told The Daily Swig, “it’s likely more the ‘starting point’ that others can expect moving forward”.
This view is shared by Steve Black, Professor of Law and enterprise data breach consultant at Texas Tech University.
Black told us that the Equifax settlement could be considered a “warning shot” which will be “the first of many from regulatory bodies”.
“It is very difficult to put a price tag on personal data, and even more difficult to value security and peace of mind,” Black says.
“We won’t know if this is enough of a punishment until potentially years down the line. Time will tell if this is enough of a wake-up call for organizations or if regulators need to get more aggressive.”
Black added that it is difficult to judge how many consumers will file a claim, but in some cases, unfulfilled claims of a similar nature can be as high as 50%.
Were you impacted by the Equifax data breach?
A website and FAQ have been made available for consumers who wish to file a claim. In order to see if you are eligible, follow the steps below:
- Use this eligibility checker to see if your information was compromised. You will need to submit your last name and the last six digits of your Social Security number.
- Gather evidence for any out-of-pocket expenses and file a claim online here, or via mail (PDF). You can include evidence of fraudulent transactions connected to the breach, the cost of freezing or unfreezing your credit report, professional service bills, and credit monitoring charges. A full list can be found here.
- Impacted consumers can select whether they wish to receive free, long-term credit monitoring or a one-off payment. This was originally pegged at $125 per person, although a recent update to the Equifax settlement page is recommending that people opt for credit monitoring. Given the “overwhelming response” to the settlement, each person who takes the cash option is going to get a “very small amount”, the FTC said.
- You can also sign up for updates related to the settlement with the FTC.
The deadline for claims has been set as January 22, 2020.
The Daily Swig has reached out to the administrators of the settlement with additional queries. This article will be updated as and when we receive a response.