Impacted by the massive Equifax data breach? Some important news came forward Monday morning.
Pennsylvania Attorney General Josh Shapiro announced that 48 states, Puerto Rico, and Washington D.C. have struck an agreement with Equifax on behalf of consumers.
The settlement creates a Consumer Restitution Fund of up to $425 million, a $175 million payment to the states, and injunctive relief.
From the attorney general’s office:
Under the terms of the settlement, Equifax agreed to provide a single Consumer Restitution Fund of up to $425 million—with $300 million dedicated to consumer redress. If the $300 million is exhausted, the Fund can increase by up to an additional $125 million. The company will also offer affected consumers extended credit-monitoring services for a total of 10 years.
Equifax has also agreed to take several steps to assist consumers who are either facing identity theft issues or who have already had their identities stolen including, but not limited to, terms:
- making it easier for consumers to freeze and thaw their credit;
- making it easier for consumers to dispute inaccurate information in credit reports; and
- requiring Equifax to maintain sufficient staff dedicated to assisting consumers who may be victims of identity theft.
Equifax has also agreed to strengthen its security practices going forward, including:
- reorganizing its data security team;
- minimizing its collection of sensitive data and the use of consumers’ Social Security numbers;
- performing regular security monitoring, logging and testing;
- employing improved access control and account management tools;
- reorganizing and segmenting its network; and
- reorganizing its patch management team and employing new policies regarding the identification and deployment of critical security updates and patches.
Equifax also agreed to pay the states a total of $175 million, which includes $7.3 million for Pennsylvania.
Consumers who are eligible for redress will be required to submit claims online or by mail. Paper claims forms can also be requested over the phone. Consumers will be able to obtain information about the settlement, check their eligibility to file a claim, and file a claim on the Equifax Settlement Breach online registry. To receive email updates regarding the launch of this online registry, consumers can sign up at www.ftc.gov/equifax. Consumers can also check www.attorneygeneral.gov for updates and call the settlement administrator at 1-833-759-2982 for more information. The program to pay restitution to consumers will be conducted in connection with settlements that have been reached in the multi-district class actions filed against Equifax, as well as settlements that were reached with the Federal Trade Commission and Consumer Financial Protection Bureau.
Shapiro’s office said the settlement follows an investigation into the incident that impacted 147 million consumers in one of the largest consumer reporting agencies in the world.
“Equifax failed in its fundamental responsibility to safeguard consumers’ sensitive financial information,” said Shapiro. “Equifax knew that there were serious flaws in their system, but still they did not take appropriate steps to fix it. They left their system vulnerable to the biggest data breach in history and the financial futures of millions of Americans were put at risk—and it was entirely preventable.”
The multi-state investigation found that Equifax failed to provide “reasonable” security to their system, which ended up leading to the largest-ever breach of consumer data. The company failed to replace software that could have detected the breach, which went unnoticed for 76 days.
The breach included social security numbers, names, dates of birth, addresses, credit card numbers, and in some cases, driver’s license numbers ending up in the hands of hackers.