Credit reporting agency Equifax said today it has agreed to pay $671 million to settle government investigations and legal actions related to a 2017 data breach that exposed information on about 147 million U.S. consumers.
The proposed settlement agreement is subject to approval by the Federal District Court for the Northern District of Georgia.
Terms of the agreement call for Equifax to provide a consumer restitution fund of up to $425 million that will pay for credit monitoring for consumers impacted by the breach, out-of-pocket losses related to the breach, and other consumer benefits including identity restoration services, the company said.
Equifax will also pay $290.5 million to Federal and state regulators, and pay attorneys’ fees and costs in class action litigation. The proposed settlement covers the class action litigation, and investigations by the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), attorneys general in 48 states, Puerto Rico, and the District of Columbia, and the New York Department of Financial Services.
The company directed consumers to learn about their rights at www.equifaxbreachsettlement.com.
In its own statement today, the Federal Trade Commission put the value of the settlement between $575 million and $700 million, with that range dependent on consumer claims to the restitution fund. FTC said the settlement will pay $175 million to the 48 states, Puerto Rico, and D.C., and that Equifax will pay $100 million of civil penalties to the CFPB.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons in a statement.
“Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud,” he said.
“Today’s announcement is not the end of our efforts to make sure consumers’ sensitive personal information is safe and secure. The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers. Too much is at stake for the financial security of the American people to make these protections anything less than a top priority,” said Kathleen Kraninger, CFPB Director.