FTC Announces Final Settlement Over Equifax’s 2017 Data Breach

Here’ a timely reminder for business leaders about the long term impact of a data breach and the importance of immediately disclosing a cyberattack.

The Federal Trade Commission announced this week that a multi million-dollar settlement with credit score reporting company Equifax over a 2017 data beach became final in January.

As recounted on the FTC website “In September of 2017, Equifax announced a data breach that exposed the personal information of 147 million people. The company has agreed to a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories. The settlement includes up to $425 million to help people affected by the data breach.”

The federal agency advised consumers that the settlement administrator recently began sending emails and letters to people who filed a valid claim requesting free credit monitoring services from the settlement. Eligible claimants will get free membership in Experian Identity Works for four years.

Equifax noted on their website that, “A federal court approved a class action settlement that resolves lawsuits brought by consumers after the data breach. Equifax denied any wrongdoing and no judgment or finding of wrongdoing was made.”

National Headlines

The data breach created national headlines in 2017.

As reported by USA Today on September 18 that year, "Equifax CEO Richard Smith is facing a cataclysmic crisis that threatens not just his job but the survival of his company.

“Corporate America is no stranger to such existential moments. The question for Equifax is whether Smith follows the example of Tylenol after fatal product tampering, BP after a fatal oil spill, or JetBlue after a disruptive ice storm.

“Hackers stole personal information for as many as 143 million individuals from Equifax’s credit files, leaving them vulnerable to identity theft. The information includes names, birth dates, addresses and Social Security numbers.

“The breach of sensitive personal data may be impossible to repair. The second breach of customers’ trust may prove just as difficult.”

On September 26, 2017, CNBC reported that, “Richard Smith, CEO and chairman of Equifax, abruptly retired Tuesday following a data breach at the credit-reporting service that affected the personal information of 143 million people.

“The breach has sparked multiple investigations at the state and federal level, including the Department of Justice in Atlanta, where Equifax is based, and the Federal Trade Commission. The company said its chief information officer and chief security officer retired earlier this month.

“Three other executives, including the chief financial officer, have drawn scrutiny for selling $1.8 million of company stock just days after the breach was discovered internally but nearly six weeks before it was announced to the public.”

Delayed Disclosure Sparks Investigations

The failure by Equifax to disclose the data breach for six weeks sparked additional headlines and investigations.

According to the Wall Street Journal in October 2017, “Attorneys general in at least five states are looking into why credit-reporting firm Equifax Inc. didn’t tell the public for nearly six weeks about the massive data breach that potentially compromised the personal information of 145.5 million Americans.

“As the broader investigation into the Equifax breach continues, some state officials want to know why Equifax didn’t say something sooner. The inquiries are aimed at determining whether Equifax might have violated state laws requiring companies to notify consumers promptly when cyber-thieves steal personal data.”

The crisis was the subject of a detailed report by the U.S. General Accountability Office and an in-depth analysis by Bloomberg Businessweek.