On April 14, 2020, the Indiana Attorney General’s office announced that the state had reached a settlement agreement with Equifax in connection with Equifax’s 2017 data breach. Under the terms of the settlement, Equifax will pay a $19.5 million penalty. Indiana previously elected not to participate in a July 2019 multistate and Federal Trade Commission settlement with Equifax regarding the same data breach.
In addition to the monetary penalty, Equifax agreed to various additional measures. Along with implementing and maintaining an information security program, Equifax agreed to (1) biannually assess its management and implementation of security updates and patches for the company network, including vulnerability assessments; (2) extend its credit monitoring offer to affected Indiana consumers to 10 years at no cost to consumers; and (3) obtain a third-party assessment of its obligations under the terms of the settlement, and submit periodic reports to the Attorney General regarding the same. Equifax also agreed to pay restitution to affected Indiana consumers.