WASHINGTON — Despite having to cough up over half a billion dollars in a settlement with federal and state authorities, Equifax is likely not done answering to Congress for its 2017 data breach.
The company has agreed to pay restitution and fines as part of the deal with the Federal Trade Commission, Consumer Financial Protection Bureau and state authorities for the breach, which affected roughly 148 million Americans.
The new price tag is extra motivation for the credit bureaus and other companies that handle personal consumer data to strengthen their cybersecurity defenses. But several lawmakers who called for sweeping reforms in the wake of the breach but were not able to enact new rules will likely want to study the settlement and continue the discussion about legislative requirements, according to experts.
“We have seen Congress being very interested in this topic,” said Ed Mills, a policy analyst with Raymond James. “It is very likely we will see a congressional hearing looking into the settlement. We likely have not heard the last of this from D.C.”
Equifax will pay a $175 million civil penalty to the states, a $100 million civil penalty to the CFPB and up to $425 million into a restitution fund. The amount of relief will be capped at $20,000 per consumer.
"This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company," Equifax Chief Executive Mark Begor said in a statement.
The settlement comes as lawmakers have tried for years to no avail to pass reforms of the credit reporting agencies, as well as data privacy and security protections.
Aaron Klein, economic policy studies director at the Brookings Institution, said the settlement is unlikely to put to rest lawmakers' concerns about the credit bureaus.
“It doesn’t change the fundamental problems with the credit bureaus, which is the rampant use of inaccurate information and no economic or legal incentives to fix errors on people’s credit,” Klein said.
But others say it could send a message to major corporations that they will be held accountable for data breaches.
“The settlement is helpful to send a strong message regarding the seriousness with which federal and state governments would take data breaches,” said Quyen Truong, a partner at Stroock & Stroock & Lavan. “There is the opportunity for consumers to get compensation under the funds that will be established, although proving their entitlement to compensation may be challenging for most consumers.”
Equifax to remain on Washington’s radar
Executives at Equifax faced a slew of congressional hearings and blowback after the breach was disclosed in 2017.
What followed were bills to reform the credit reporting industry, including measures to impose mandatory fines on companies that compromise consumers’ data. Other calls were made to enact federal legislation to strengthen consumer privacy protections.
But nothing has been enacted into law in response to the breach other than a provision in the regulatory relief bill that Congress passed in 2018 to enable consumers to freeze and unfreeze their credit in a timely manner.
Despite slow legislative movement, Equifax will likely continue to face inquiries from Washington.
Sen. Mark Warner, D-Va., who has supported mandatory fines on companies hit by data breaches, said that he is glad consumers will be compensated, but that Congress needs to impose structural reforms on the credit reporting industry.
“Americans don’t choose to have companies like Equifax collecting their data — by the nature of their business models, credit bureaus collect your personal information whether you want them to or not,” Warner said in a statement. “In light of that, the penalties for failing to secure that data should be appropriately steep. While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”
Will consumers be made whole?
As part of the settlement, Equifax is required to pay at least $300 million, and potentially up to $425 million, into a restitution fund for consumers.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
Some consumer advocates say the settlement is only a modest resolution for the harm caused to individuals.
The restitution fund “seems modest for a breach of this scale, affecting 147 million consumers, but it does provide some real dollars to consumers for time and out-of-pocket expenses,” Chi Chi Wu, a staff attorney at the National Consumer Law Center, said in a statement.
Wu added that consumers still face long-term identity theft risks.
“The settlement provides some compensation right now, but the risk of identity theft is forever because our stolen Social Security numbers can be traded by hackers in perpetuity,” Wu said.
Mills said that the settlement puts the onus on consumers to prove that they should be compensated for the harm done by the breach.
“It still seems the onus is on the consumer to do the work and prove to Equifax that they deserve compensation,” Mills said. “There are going to be many members of Congress that believe that the responsibility should be on Equifax to fix this, not for the consumer to build his or her case onto the company.”
He added that consumers will likely need to present records going back years to qualify for compensation.
“You need to have a paper trail,” Mills said. “Any settlement has to have parameters, but the vast majority of folks who were impacted on this, probably never spent the time, energy and effort to get reimbursed … for their time spent.”
Klein said that on average, compensation to consumers will be minimal.
“There will be a follow-up to show how many people will get this mythical $20,000,” he said. “So it will be interesting to see how many people that actually applies to.”