A Georgia court granted final approval for an Equifax settlement in a class-action lawsuit, after the credit-reporting agency was hit by its massive 2017 data breach.
Equifax will pay $380.5 million to settle lawsuits regarding the 2017 data breach, the Atlanta federal judge reportedly ruled this week. In addition, Equifax may be required to dole out an additional $125 million “if needed to satisfy claims for certain out-of-pocket losses.”
“We are pleased that the Court approved the settlement, which provides significant benefits for consumers whose information was impacted in the 2017 breach,” an Equifax spokesperson told Threatpost.
The $380.5 million will be placed into a fund for consumers affected who are part of the class outlined in the lawsuit. The settlement cost will also cover attorneys’ fees, expenses and administration costs.
The $380.5 million for affected consumers is slightly more than the $300 million proposed previously by the Federal Trade Commission (FTC) in July 2019. The July 2019 proposal was subject to the federal court’s Monday approval.
As part of the settlement, the company will also need to pay at least $1 billion for improved security, as well as $175 million to 48 states in the U.S and and $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB).
Equifax will also need to pay $1.4 billion in litigation expenses and $77.5 million as a percentage based fee, according to Bloomberg.
It should also be noted that of the 147 million affected by the data breach, approximately 15 million are part of the class action lawsuit. If all 147 million class members end up signing up for credit monitoring (or the equal cost of $125 each), Equifax may need to pay out $2 billion more, the settlement said.
Class members have until Jan. 22 (next week) to claim benefits.
Affected consumers can either sign up for 10 years of free credit monitoring (for the equal cost of $125) or apply for a cash payout, which would make them eligible for up to $20,000; a cash payout would cover serious repercussions from the breach like losses from unauthorized charges to victims’ accounts or the cost of freezing their credit report.
Equifax, which handles data associated with more than 820 million customers and 91 million businesses worldwide, has been under public scrutiny since September 2017 when it disclosed the data breach. The attackers managed to access information containing Social Security numbers, birth dates, addresses, and some driver’s license numbers. Equifax said it discovered the intrusion on July 29, meaning attackers apparently had access to the company’s files for nearly 12 weeks.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons previously said in a statement after the July 2019 proposal was made (Threatpost has reached out to the FTC for comment regarding the final approval of the settlement). “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
In the past year, a slew of fines and penalties have been imposed that were tied privacy and data breach incidents. Earlier in July, the FTC slapped a $5 billion fine on Facebook for privacy violations following its Cambridge Analytica incident. Also hit with security-related fines in July were Marriott ($123 million) and British Airways ($230 million).
Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.