The Equifax data breach was one of the most massive data breaches of all time, and it has resulted in the biggest settlement for a data breach to date. After two years of investigations at the state and federal levels, credit reporting agency Equifax has agreed to a $675 million – up to possibly $700 million – settlement that puts to rest complaints from the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB), as well as multistate class action litigation.
In 2017, Equifax was hacked when it failed to secure its servers, leaving the personal information of 147 million people – including credit card numbers, driver’s license numbers, Social Security numbers, birth dates, and addresses – exposed. As we previously reported, the resulting theft of consumer data resulted in multistate litigation and investigations by Congress, the FTC, and European data protection authorities. A year after the breach, the Government Accountability Office (GAO) released a report on the breach, which found Equifax was using software with a known vulnerability in its online dispute portal that enabled hackers to penetrate the network and acquire personal information. According to the report, the company’s systemic deficits in the areas of identification, detection, segmentation, and data governance led to the breach.
The Order, which was approved by Chief Judge Thomas Thrash Jr. of the U.S. District Court for the Northern District of Georgia on July 22, 2019, requires Equifax to pay at least $175 million in civil penalties to the states, District of Columbia, and Puerto Rico, $300 million to a fund that will provide free credit monitoring services to consumers, and $100 million in fines to the CFPB. Equifax will contribute up to $125 million more to the fund if the initial payment isn’t adequate to compensate consumer losses. Consumers will also receive six free credit reports annually for seven years.
In addition to the payout, Equifax must implement a comprehensive information security program and must designate an employee to oversee it. The company is required to obtain third-party assessments of its information security program every two years, and the FTC can approve the assessor for each two-year assessment period. Equifax also must invest a minimum of $1 billion to improve its data security over the next five years.
In prepared remarks at a press conference on July 22, 2019, FTC chair Joseph Simons used the opportunity to reiterate a point he made previously in testimony to Congress – that the FTC needs greater enforcement powers:
“The [CFPB] and the states were able to obtain civil penalties for this breach by a major financial institution. The FTC could not. The FTC could not, because we do not have civil penalty authority for initial violations of the FTC Act or for violations of the Gramm-Leach-Bliley Safeguards Rule. Fortunately, other agencies were able to fill in the gap – this time. But under different circumstances, future breaches might not always be subject to civil penalties, which sends absolutely the wrong signal regarding deterrence. For this reason, I renew my call for Congress to enact federal data security legislation that gives the FTC authority to seek civil penalties for first-time violations.”
Simons has repeatedly pushed Congress to grant the FTC greater enforcement powers, including the ability to impose fines for violations of federal laws that fall within its jurisdiction. The FTC’s recent willingness to use new tools, such as holding company executives personally liable for data breaches, shows that the FTC is creatively expanding the use of its enforcement arsenal while awaiting Congressional action, at least in some instances. However, the recent Commission vote to fine Facebook $5 billion for violations of a prior consent agreement – a situation where the FTC does have civil penalty authority – did not impose responsibility on Facebook founder Mark Zuckerberg or other senior executives. The failure to do so drew dissents from the two Democrats on the Commission, and the question of senior manager accountability will likely loom larger in future data breach and privacy investigations.