AG Announces Historic $600 Million Settlement with Equifax

TALLAHASSEE, Fla.—Attorney General Ashley Moody today announced an agreement reached with Equifax over failed security measures in a massive 2017 data breach that affected nearly half of the U.S. population. The agreement includes a Consumer Restitution Fund of up to $425 million, a $175 million payment to the states and injunctive relief. This represents the highest payment for a multistate data breach investigation to date. Attorney General Moody is joined by 49 other attorneys general in holding Equifax accountable for failing to implement adequate security measures.

Attorney General Ashley Moody said, “The massive Equifax data breach shows what happens when companies fail to protect Florida consumers’ most personal information from cybercriminals. It is a serious risk of identity theft that could follow consumers for a lifetime."

The investigation found that Equifax’s failure to maintain a reasonable security system enabled hackers to penetrate its systems. Breached information included Social Security numbers, names, dates of birth, addresses, credit card numbers, and in some cases, driver’s license numbers.

Shortly after Equifax announced a data breach on Sept. 7, 2017, the attorneys general launched a multistate investigation into the breach. The investigation found that the breach occurred because Equifax failed to implement an adequate security program to protect consumers’ highly sensitive information. Equifax failed to fully patch its systems despite knowing about a critical vulnerability in its software. Moreover, Equifax failed to replace software that monitored the breached network for suspicious activity. As a result, the attackers penetrated Equifax’s system and went unnoticed for 76 days.

Under the terms of the settlement, Equifax agrees to provide a single Consumer Restitution Fund of up to $425 million. The company will also offer affected consumers extended credit-monitoring services for 10 years. Equifax also agrees to take several steps to assist consumers who are either facing identity theft issues or who already had identities stolen including, but not limited to:

• • · Making it easier for consumers to freeze and thaw credit;
    · Making it easier for consumers to dispute inaccurate information in credit reports; and
    · Requiring Equifax to maintain sufficient staff dedicated to assisting consumers who may have had identities stolen as a result of the breach and provide greater access to educational materials.

Equifax also agrees to strengthen its security practices going forward, to include:

• • · Employing new policies regarding the identification and deployment of critical security updates and patches;
    · Reorganizing its data security team and enhancing its network security;
    · Creating the position of Chief Information Security Officer and requiring him/her to:
    • • o Inform, advise and update the Board of Directors regarding Equifax’s security posture or risks at any Board meeting concerning those topics;
        o Report any security event to at least one member of the Board of Directors within 48 hours; and
        o Annually inform the Board of Directors about the adequacy of Equifax’s Information Security Program.
    · Minimizing its collection of sensitive data and the use of consumers’ Social Security numbers; and
    · Performing regular security monitoring, logging and testing.

Separate settlements by the Federal Trade Commission, the Consumer Financial Protection Bureau, as well as the multi-district class actions are also addressed by the Consumer Restitution Fund. Florida’s agreement is subject to approval by the Circuit Court for Broward County.

A website will be available to accept claim forms and administer the settlement funds: EquifaxBreachSettlement.com. The website will go live in the coming days as the settlement must receive judicial approval before the administrator can accept consumer claim forms. If consumers wish to be notified when the breach settlement website begins accepting settlement fund related claims, they can go to FTC.gov/Equifax and submit email addresses. For questions about eligibility for restitution, filing a claim, enrolling in credit monitoring, or additional information, consumers should visit EquifaxBreachSettlement.com or call 1(833) 759-2982.