This article is from the source 'nytimes' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.

You can find the current article at its original source at https://www.nytimes.com/2019/07/22/business/equifax-settlement.html

The article has changed 9 times.

Version 6

Equifax to Pay at Least $650 Million in Largest Data-Breach Settlement Ever
The credit bureau Equifax will pay at least $650 million, and potentially significantly more, to end an array of state, federal and consumer claims over a 2017 data breach that exposed the sensitive information of more than 147 million people. The breach was one of the most potentially damaging in an ever-growing list of digital thefts.
The settlement, which was announced on Monday and still needs court approval, would be the largest ever paid by a company over a data breach. The deal requires Equifax to put a minimum of $380.5 million into a restitution fund for American consumers who file claims showing that they were financially harmed.
A portion of that money will pay for lawyers’ fees, but at least $300 million must go to victims, according to settlement documents filed in federal court in Atlanta. If the initial cash is depleted, the company will add up to $125 million more to settle consumers’ claims, bringing the total fund size to more than $500 million.
Equifax also agreed to provide up to 10 years of free credit monitoring services to those who had their data exposed. The settlement assumes that around 7 million people will sign up for that service. If more do, Equifax’s costs for providing it could rise meaningfully. Details about the settlement are posted at equifaxbreachsettlement.com, a website set up by the group that will handle claims.
Equifax will pay an additional $175 million in fines to end investigations by 50 attorneys general. Forty-eight states (all except Indiana and Massachusetts, which separately filed their own lawsuits against Equifax) are part of the deal, along with the District of Columbia and Puerto Rico.
“Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk,” said Attorney General Letitia James of New York, who helped lead the states’ investigation. “This company’s ineptitude, negligence and lax security standards endangered the identities of half the U.S. population.”
The deal also settles investigations by two federal regulators: the Consumer Financial Protection Bureau, to which Equifax will pay a $100 million fine, and the Federal Trade Commission, the primary federal overseer of data security issues. The F.T.C. is not charging a fine; unlike the consumer bureau, it has limited legal power to impose big financial penalties.
Equifax, based in Atlanta, has been negotiating for months to finalize this settlement, and it set aside $690 million last quarter to cover the anticipated costs. Separately, the company has responded to the breach by spending hundreds of millions of dollars on investigative costs, technology improvements, free credit monitoring services and legal fees.
Mark W. Begor, the company’s chief executive, called the settlement a “positive step” for the company.
“We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement,” he said.
The settlement’s total price tag adds up to a bit less than one typical quarter of sales for Equifax. Last year, the company earned $300 million, a 49 percent drop from its income a year earlier, on sales of $3.4 billion. Equifax’s stock price tumbled after the breach but has since recovered most of its losses.
Some consumer advocates wish the punishment had been sharper.
“The Equifax fine is grievously low, particularly given the scope of the identity problems they created,” said Pam Dixon, the executive director of the World Privacy Forum.
But the sum “is not insignificant,” said Christopher Peterson, a law professor at the University of Utah and a former enforcement lawyer at the Consumer Financial Protection Bureau. Settling the case quickly is probably a better outcome for consumers than years of legal battling, he added.
“My perspective is that this is a win for the various consumer protection agencies that are involved, but that over the long term, it creates only a relatively mild incentive for the big credit reporting agencies to strengthen their data security,” Mr. Peterson said. “The underlying law itself here does not provide as much protection as I think most Americans deserve and want.”
Equifax, one of America’s three largest credit bureaus, alongside Experian and TransUnion, has files on hundreds of millions of people worldwide that contain extensive details about their financial accounts and transactions. Equifax even receives copies of millions of Americans’ paychecks, which are fed into its Work Number database.
The company makes money by selling its vast trove of information to auto loan, mortgage and credit card issuers. Consumers can exercise some control over how their files are used (for example, by freezing them to prevent new credit lines from being opened), but they cannot opt out of the system and demand that Equifax or its competitors stop collecting and storing their personal information.
Law enforcement officials have never publicly identified who was behind the Equifax theft, and cybersecurity experts say they have not seen any sign of the information surfacing in the kinds of online marketplaces where stolen personal information is often bought and sold.
That has made it tricky to determine how much the attack has harmed consumers. There is little known evidence of consumer fraud directly attributed to the breach, but customers have spent countless hours taking precautionary steps like freezing their credit files and scouring them for signs of illicit activity.
Consumers seeking payments from the restitution fund will be required to submit claims, with documentation, showing that they have been a victim of fraud or have taken steps to set up credit monitoring services. Fraud victims will not have to prove that Equifax’s breach directly caused their loss; anyone who was affected by the breach and subsequently experienced fraud involving personal information that was stolen will be able to make a claim, according to settlement documents.
People who paid for credit monitoring or identity theft protection services will be eligible to have what they spent refunded. They will also be eligible for compensation for the time they spent dealing with the issues — such as hours on the phone talking to financial services providers — at a rate of $25 per hour, for up to 20 hours.
The Equifax hackers used a flaw that was known but accidentally left unfixed to gain access to dozens of databases. They did not steal Equifax’s crown jewels, its credit files, but they did obtain sensitive information like names, Social Security numbers, birth dates, addresses and driver’s license numbers.
For about 76 days, according to a government report, the hackers siphoned information out in small increments, until Equifax detected the intrusion in late July 2017. It was not until six weeks later that the company disclosed the breach.
Individuals, lawmakers and regulators responded with fury to both the loss of so much sensitive information and to the company’s bungled public response. Equifax created an information website that barely functioned. It struggled to keep up with the deluge of phone calls and messages from worried consumers and at one point, it even accidentally pointed those seeking information on the breach toward a fake website.
The turmoil led to the ouster of Equifax’s chief executive, Richard F. Smith, who retired shortly after the breach was revealed. Several other top executives, including the chief information officer and chief security officer, were also forced out. Last year, Equifax named Mr. Begor, an outsider who worked in private equity, as its new chief executive.
After a series of fiery congressional hearings, in which lawmakers of both parties denounced Equifax for its missteps — “I can’t fix stupid,” Representative Greg Walden, Republican of Oregon, told Mr. Smith in one memorable exchange — lawmakers passed a few new restrictions on credit bureaus, including a law making credit freezes free. But there have been no major changes to the federal laws covering what information credit bureaus can collect and what steps they must take to safeguard it.
Major data breaches have become an almost routine occurrence. Last year, the Marriott hotel chain disclosed that thieves had stolen personal details on roughly 500 million guests, an attack that has been attributed to a Chinese intelligence-gathering effort. In May, a security journalist revealed that a major title insurance company, First American Financial Corporation, had left nearly 900 million documents related to mortgage deals lying openly on the internet, unprotected.

Version 7 (about 5 hours later)

Equifax to Pay at Least $650 Million in Largest-Ever Data Breach Settlement
The credit bureau Equifax will pay about $650 million, and perhaps much more, to resolve most claims stemming from a 2017 data breach that exposed sensitive information on more than 147 million consumers and demonstrated how little control Americans have over their personal data.
The settlement is vast in its scope, resolving investigations by two federal agencies and 48 state attorneys general and covering every American consumer whose data was stolen, or just under half the population of the United States. It does not just compensate victims who lost money: People who suffered through the hassles of bank phone trees and credit-card customer service lines can bill Equifax $25 an hour for their time.
A federal judge gave the agreement preliminary approval on Monday, and once finalized, it will be the largest settlement of a data breach case in terms of dollar amount and number of victims, surpassing the $115 million the health care company Anthem paid to settle claims from 79 million people who had their personal information stolen in 2015.
“Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk,” said the New York attorney general, Letitia James, who helped lead the states’ investigation.
Almost half the settlement, $300 million, will go toward American consumers who were harmed by the breach, according to settlement documents filed in federal court in Atlanta. The company also agreed to pay $275 million in fines to end investigations by the Consumer Financial Protection Bureau, the Federal Trade Commission and 48 states, plus the District of Columbia and Puerto Rico.
Equifax agreed to provide up to 10 years of free credit monitoring services to all victims of the breach in the United States, an offer that could prove costly. Equifax is paying one of its competitors, Experian, to provide that service for the first four years, but the settlement assumes only about seven million people will sign up.
That means the ultimate size of the settlement could change. Every additional million consumers who opt in would cost Equifax more than $16 million, according to the settlement documents. If all 147 million victims of the breach were to take part, the monitoring services would cost Equifax more than $2 billion.
“If people want Equifax to pay more, sign up for credit monitoring,” said Norman E. Siegel, a lawyer representing consumers in the settlement.
In addition to the potential costs for credit monitoring, Equifax said it would add up to $125 million to the claims fund if the initial $300 million is depleted.
Information for consumers will be posted at equifaxbreachsettlement.com, a website set up by the group that will handle claims. The site will begin accepting claims as soon as Tuesday, according to Amy E. Keller, one of the lead lawyers representing consumers in the settlement. Those who already signed up for identity theft protection will be eligible for reimbursement.
The breach not only exposed private information but also put a spotlight on the loosely regulated role credit bureaus play in the day-to-day lives of Americans. Equifax makes money by selling its vast trove of information to auto loan, mortgage and credit card issuers. Consumers can exercise some control over how their files are used (for example, by freezing them to prevent new credit lines from being opened), but they cannot choose to have the bureaus stop collecting their information.
Law enforcement officials have never publicly identified who was behind the hack. Although the thieves did not steal Equifax’s crown jewels, its credit files, they used a flaw that was left unfixed to gain access to dozens of databases. According to a government report, the attackers siphoned off information for about 76 days until Equifax discovered the intrusion in late July 2017. The company waited more than a month to disclose the breach.
As bad as the loss of so much sensitive information was, the company’s bungled response also infuriated consumers. Equifax created an information website that barely functioned. It struggled to keep up with the deluge of phone calls and messages from worried consumers. At one point, it even accidentally pointed those seeking information on the breach toward a fake website.
The turmoil led to the ouster of Equifax’s chief executive, Richard F. Smith, and the company’s chief information officer and chief security officer. Last year, Equifax named Mark W. Begor, an outsider who had worked in private equity, as its new chief executive.
Equifax, based in Atlanta, has been negotiating for months to finalize the settlement and set aside $690 million last quarter to cover the anticipated costs. “We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement,” Mr. Begor said in a statement.
Some aspects of the settlement — particularly who exactly will be approved for compensation because their identities were stolen — remain to be seen.
Lawyers representing the consumers in the settlement say people who were victims of fraud after the breach will be eligible for settlements even if they cannot prove that the Equifax theft directly caused their loss. The settlement documents say anyone who experienced fraud that was “fairly traceable” to the stolen information will be able to make a claim. But applying that definition will be up to the settlement’s administrator, JND Legal Administration, which will follow a detailed written protocol laid out in the settlement.
It has been difficult to determine how much harm the breach did to consumers, because cybersecurity experts have not seen any sign of victims’ stolen names, Social Security numbers and addresses surfacing in the kinds of online marketplaces where such stolen information is often trafficked.
“We continue to monitor the Dark Web and identity theft,” Mr. Begor said at a news conference on Monday. “To date, we haven’t seen any instances of the data that was stolen being sold.”
The current settlement figure of about $650 million is a bit less than one typical quarter of sales for Equifax. Last year, the company earned $300 million, a 49 percent drop from its income a year earlier, on sales of $3.4 billion. Equifax’s stock price tumbled after the breach but has since recovered most of its losses.
Some consumer advocates wish the punishment had been more harsh.
“The Equifax fine is grievously low, particularly given the scope of the identity problems they created,” said Pam Dixon, the executive director of the World Privacy Forum.
But the sum “is not insignificant,” said Christopher Peterson, a law professor at the University of Utah and a former enforcement lawyer at the Consumer Financial Protection Bureau. Settling the case quickly is probably a better outcome for consumers than years of legal battling, he added.
“My perspective is that this is a win for the various consumer protection agencies that are involved, but that over the long term, it creates only a relatively mild incentive for the big credit reporting agencies to strengthen their data security,” Mr. Peterson said. “The underlying law itself here does not provide as much protection as I think most Americans deserve and want.”
Major data breaches have become an almost routine occurrence. Last year, the Marriott hotel chain disclosed that thieves had stolen personal details on roughly 500 million guests, an attack that has been attributed to a Chinese intelligence-gathering effort. In May, a security journalist revealed that a major title insurance company, First American Financial Corporation, had left nearly 900 million documents related to mortgage deals online and unprotected.
But the Equifax breach had perhaps the most potential for damage. Equifax, one of the three largest credit bureaus in the United States alongside Experian and TransUnion, has files on hundreds of millions of people worldwide that contain extensive details about their financial accounts and transactions. Equifax even receives copies of millions of Americans’ paychecks, which are fed into its Work Number database.
After a series of fiery congressional hearings, in which lawmakers of both parties denounced Equifax for its missteps — “I can’t fix stupid,” Representative Greg Walden, Republican of Oregon, told Mr. Smith in one memorable exchange — lawmakers passed new restrictions on credit bureaus, including a law making credit freezes free. But there have been no major changes to the federal laws covering what information credit bureaus can collect and what steps they must take to safeguard it.
The settlement on Monday is still not the final word on claims that resulted from the breach. Two states, Massachusetts and Indiana, sued Equifax separately. Those cases have not been resolved.