Equifax’s (at least) $1.4 billion Settlement and the Future of Cybersecurity Litigation
On September 7, 2017, Equifax publicly announced that a cybersecurity data breach had occurred in its systems from mid-May through July 2017, exposing the credit-card information, Social Security numbers, and other sensitive personal information of over one hundred forty-three million Americans. A class action lawsuit asserting claims of negligence, breach of contract, unjust enrichment, and violations of the Fair Credit Reporting Act was filed against Equifax within hours of the breach being announced. Many Americans, even those largely unaware of data privacy and cybersecurity protocols, followed directives to “freeze” their credit following the disclosure.
Two years after this historic breach, Equifax has entered into a settlement with the Federal Trade Commission and the Consumer Financial Protection Bureau. Equifax will set aside up to $425 million to reimburse victims of the breach, offer 10 years of credit-monitoring services to consumers who have been harmed, pay $175 million to the states themselves, and invest in its own cybersecurity. The total cost, including new safeguards Equifax has agreed to implement, is estimated to approach $1.4 billion, and that number may increase as implementation continues.
The payout is significantly higher than those levied for previous data breaches. For its 2016 data breach, Uber paid $148 million in fines. The state and federal groups view the Equifax payout as a victory and as a shot across the bow for all corporations to reassess their cybersecurity measures, especially given that Equifax will be required to spend hundreds of millions of dollars on internal cybersecurity improvements in addition to the fines. Some have considered the Equifax settlement insufficient, given the scope and scale of the breach and when compared to the $5 billion data mishandling fine the FTC levied against Facebook.
The Equifax breach was one of the worst cybersecurity incidents in U.S. history due to the number of Americans affected and the sensitivity of the information that hackers obtained, such as names, home addresses, birthdates, and driver’s license numbers. The breach inflamed lawmakers, as Equifax had failed to adopt even the most elementary cybersecurity protections, putting Americans’ livelihoods at risk. State and federal congressional investigators found that Equifax had been aware of vulnerabilities as far back as 2015 but had failed to apply over 8,500 security fixes addressing them.
Under the Data Breach Prevention and Compensation Act, reintroduced in May, Equifax would have been fined $1.5 billion for its breach based on both the number of people impacted and the amount of personally identifying information involved. New state data-breach laws, such as the California Consumer Protection Act, will also make future cybersecurity breaches much more costly to corporations. However, additional steps must be taken to ensure the right mechanisms are in place to deter and punish companies for these breaches. For example, although the FTC participated in investigating Equifax, the FTC itself could not issue a fine against Equifax: the FTC is only empowered to fine repeat offenders, and this incident was Equifax’s first offense.
This type of nationwide litigation is likely to prompt Congress to focus on creating uniform data security and data breach notification standards. Hopefully, this settlement will spur corporations to increase their budgets with respect to securing the personal data of American consumers. Thanks to Steve Kim for his contribution to this post. Please email Brian Gibbons with any questions.