Settlement would force Equifax to pay up to $700 million over data breach, bureau says; sets up $425 million consumer fund

Up to $700 million in monetary relief and penalties would be provided in a settlement between credit reporting agency Equifax and the federal consumer financial protection agency and other federal and state agencies, the groups said in a joint release Monday.

The Consumer Financial Protection Bureau, the Federal Trade Commission (FTC), 48 states, the District of Columbia, and Puerto Rico announced the agreement with Equifax. According to the agencies, the settlement (if agreed to by a federal court) would provide up to $425 million in monetary relief to consumers, a $100 million civil money penalty, and other relief.

The settlement is in response to a complaint and proposed stipulated judgment filed in federal district court in the Northern District of Georgia by the CFPB. The bureau alleged that Equifax engaged in unfair and deceptive practices in connection with the September 2017 data breach of Equifax’s systems that, the bureau said, affected approximately 147 million consumers. The bureau said the breach resulted in exposure of consumers’ sensitive personal information, including names, addresses, Social Security numbers, and dates of birth.

According to the CFPB, the settlement requires Equifax to establish a consumer fund with up to $425 million available to provide affected consumers “with a broad array of redress.”

The fund, the agency said, would be used to provide reimbursements to affected consumers for time and money they spent related to the breach. If approved by the court, CFPB said, affected consumers may be eligible to receive money by filing one or more claims for up to $20,000 per consumer for lost time and money, including:

  • $25/hour for up to 20 hours for time spent protecting personal information or addressing identity theft after the breach;
  • Money spent purchasing credit monitoring or identity theft protection after the breach;
  • The cost of freezing or unfreezing credit reports at any consumer reporting agency after the breach;
  • Reimbursement for up to 25% of the amount paid to Equifax for credit or identity monitoring subscription products between Sept. 7, 2016, and Sept. 7, 2017;
  • Any unreimbursed costs, expenses, losses, or charges incurred as a result of identity theft; and
  • Miscellaneous expenses associated with any of the above, such as notary, fax, postage, mileage, and telephone charges.

The bureau said all affected consumers would be eligible to receive at least 10 years of free credit monitoring and at least seven years of free identity-restoration services. In addition, beginning Dec. 31, 2019, and for the next seven years, all U.S. consumers may request up to six free copies of their Equifax credit report during any 12-month period.

CFPB said the free copies would be provided to requesting consumers in addition to any free reports to which they are entitled under federal law.

If consumers choose not to enroll in the free credit monitoring product available through the settlement, they may seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice.

In addition to consumer relief, the settlement requires Equifax to pay CFPB a $100 million civil money penalty. Equifax also would be required to make significant improvements to its data security practices and would be subject to ongoing oversight by regulators.

CFPB, FTC and States Announce Settlement with Equifax Over 2017 Data Breach

Statement by bureau Director Kathleen (“Kathy”) Kraninger