The day of reckoning has finally come for Equifax. The credit reporting agency agreed to pay $700 million, and possibly even more, to the U.S. government and states as a result of the epic 2017 data breach. Equifax lost the Social Security numbers and private information of nearly 150 million Americans in what has been described as the largest data breach of its kind in history.
The settlement, announced on Monday, was the result of the efforts and investigations of a coalition of 50 Attorneys General representing 48 states, the District of Columbia, and the Commonwealth of Puerto Rico. The Attorneys General secured a settlement with Equifax that includes a Consumer Restitution Fund of up to $425 million and a $175 million payment to the states.
The investigation revealed that Equifax failed to maintain reasonable security. Equifax knew about a critical vulnerability in its software yet failed to fully patch its systems. Additionally, Equifax failed to replace monitoring software that could have alerted the network operators to suspicious activity. These failures allowed attackers to operate freely on Equifax’s system unnoticed for 76 days. More than half of American adults, 56 percent, had their data exposed.
Equifax has agreed to initially pay nearly $400 million into a special fund to cover costs related to potential consumer identity theft and other damages. But the cost of settlement could balloon to as much as $1.4 billion. Equifax is also required to spend at least $1 billion over five years to improve its own cyber security practices.
Pennsylvania Attorney General Josh Shapiro said of the settlement, “This settlement requires significant corporate change. And we send a clear message to corporate America that attorneys general are going to hold companies accountable for being irresponsible with Americans’ data.”
For consumers, the settlement provides compensation if they paid to protect or monitor their credit after the breach. Consumers will receive free credit monitoring for 10 years and at least seven years of free identity restoration services. Starting at the end of 2019, all U.S. shoppers can request up to six free copies of their Equifax credit report during any 12-month period. Consumers not taking advantage of free credit services may seek up to $125 compensation.
As part of the settlement, Equifax also agreed to help consumers who are facing identity theft issues or who have had their identities stolen. These steps include:
- Making it easier for consumers to freeze and thaw their credit.
- Making it easier for consumers to dispute inaccurate information in credit reports.
- Requiring Equifax to maintain sufficient staff dedicated to assisting consumers who may be victims of identity theft.
Equifax has also agreed to strengthen its security practices, including:
- Reorganize its data security team.
- Minimize its collection of sensitive data and the use of consumers’ Social Security numbers.
- Perform regular security monitoring, logging and testing.
- Employ improved access control and account management tools.
- Reorganize and segment its network.
- Reorganize its patch management team and employ new policies regarding the identification and deployment of critical security updates and patches.
No More Social Security Numbers
One of the more interesting developments to come from this settlement is that Equifax must limit the use of consumer Social Security numbers. The settlement requires Equifax to research identity verification methods that do not use Social Security numbers. “Equifax is required to limit the collection of consumer Social Security numbers and look into different ways” to verify identity, Josh Shapiro, Pennsylvania’s Attorney General, said on Monday.
Because of this requirement, consumers may have to surrender other information, in particular biometric data such as fingerprints, voice prints, or the iris of the eye. Another company is working on technology that will be able to identify a specific individual’s heartbeat and turn that information into a unique identifier.
Other non-biometric methods of identification include providing information like the last number you called on your phone or the last purchase you made using your credit or debit card. Other possible methods of identification include your phone or laptop’s IP addresses and even a blockchain-created digital ID.
Can You Get Paid?
Some consumers may be eligible for as much as $20,000 in compensation from this settlement. But that is not likely for anybody. Why? Because you have some very difficult hoops to jump through to get to the big money. First, you have to prove you were even part of the data breach. That requires you to check with Equifax using your name and the last six digits of your Social Security number. Then you have to have documentation of the money and time spent battling for your identity or clearing fraudulent charges.
“It’s unlikely that many consumers will get the full $20,000 — not only because they won’t be able to find the documentation, but because it didn’t actually cost them $20,000,” said Jack Gillis, executive director of the Consumer Federation of America.
Consumers have the option of two types of claims. Equifax is offering up to 10 years of free credit monitoring, or you can take the $125 cash payout. The other option is to apply for a cash payment that does not exceed $20,000 per person. The big cash payout covers the serious repercussions from the breach, including losses from fraudulent charges to your accounts; the cost of freezing or unfreezing your credit report; or fees to accountants and attorneys. Consumers could also be compensated for the time they spent dealing with the breach at $25 per hour for up to 20 hours.
The process for filing a claim has already begun, and you have until January 22, 2020, to apply. The actual payouts will happen January 23, 2020, “at the earliest,” according to the FTC. You can also sign up to get email updates about the settlement.
To obtain cash restitution or accept Equifax’s offer of free credit monitoring, you have to file a claim. After court approval of the settlements, claims can be filed at equifaxbreachsettlement.com. Information also can be obtained from Equifax’s claims administrator at 833-759-2982.