Updated at 11:25 a.m. ET
Equifax will pay up to $700 million in fines and monetary relief to consumers over a 2017 data breach at the credit reporting bureau that affected nearly 150 million people.
The proposed settlement, which is subject to approval by a federal court, was announced Monday by the company, the Federal Trade Commission, the Consumer Financial Protection Bureau, 48 states, the District of Columbia and Puerto Rico.
The consumer data exposed in the breach included Social Security numbers, birthdates and addresses and, in some cases, driver’s license numbers.
CFPB Director Kathleen Kraninger said the settlement includes $425 million to cover the “time and money [people affected by the breach] spent to protect themselves from potential threats of identity theft or addressing incidents of identity theft as a result of the breach.”
Equifax also agreed to pay $175 million to the states and $100 million to the CFPB in civil penalties.
And, starting in January, Equifax “will provide all U.S. consumers with six free credit reports each year for seven years,” the FTC said. That’s in addition to the free annual credit reports that Equifax, and the two other nationwide credit reporting agencies — Experian and TransUnion — currently provide.
Under the settlement, affected consumers will be eligible for free credit monitoring. Those who already have credit monitoring services for at least six months can request a $125 cash payment.
People affected by the breach may also qualify for cash payments of up to $20,000 for: the time they spent dealing with fraud, identity theft or other misuses of their personal information, or taking preventative steps such as placing or removing security freezes; for out-of-pocket losses; and for 25% of the cost of Equifax credit or identity-monitoring products they paid for in the year before the breach was announced.
“Equifax failed to take basic steps that may have prevented the breach,” FTC Chairman Joe Simons said in the agency’s announcement. “This settlement requires that the company take steps to improve its data security.”
The FTC alleges that Equifax “failed to patch its network after being alerted in March 2017 to a critical security vulnerability” and that the company didn’t discover that its database was unpatched until four months later, when it detected suspicious traffic on its network. Multiple hackers were able to exploit the vulnerability, the FTC said.
In a statement, Equifax called the proposed settlement “a positive step for U.S. consumers.” Equifax Chief Executive Officer Mark Begor said the $425 million consumer fund “reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter.”
Some consumer advocates said the proposed settlement didn’t go far enough, given the long-term harm the breach inflicted. “The shelf life of financial DNA is forever so this sounds like a sweetheart deal for a company that failed to do its basic job: protect consumer data,” the U.S. Public Interest Research Group said in a statement.
But others praised the agreement. Justin Brookman, director of privacy and technology policy for Consumer Reports, said the FTC was able to force Equifax to “spend a fair amount of money as far as improving security, paying for credit monitoring, and reimbursing consumers for their expenses.”
Sen. Mark Warner, D-Va., a member of the Senate Banking Committee, said in a statement that he was happy consumers will be compensated but added, “we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.” Warner is co-sponsoring legislation that would give the FTC more authority to supervise data security at the credit agencies.