Equifax’s top executive and government officials are defending the firm’s historic settlement over a data breach that exposed the personal information of millions of consumers against critics who argue the potentially $700 million in financial restitution is insufficient.
Continue Reading Below
As part of the agreement announced by the Federal Trade Commission on Monday, Equifax will pay $300 million to a fund intended to provide monetary relief for as many as 147 million individuals affected by the breach.
The Atlanta-based firm could be forced to add an additional $125 million should it be necessary to cover the cost for all those that file grievances, though CEO Mark Begor believes that unlikely, on top of $275 million in payments to states and federal agencies.
Equifax will not be required to plead guilty as part of the settlement, but executives could be charged at a later date. The firm will be subject to an independent third-party assessor that will have “extensive access to review, assess and report on the company’s compliance,” according to FTC Chairman Joe Simons.
Critics argued the fine and subsequent monitoring penalty does not send a strong enough message to corporate America and is not sufficient enough to address the harm caused by the hack.
“This settlement does not come close to making consumers whole and, once again, shows the limitations on the FTC’s ability to seek strong penalties and effective redress for consumers,” House Energy and Commerce Chairman Frank Pallone, D-N.J., said in a statement.
Indeed, a 2011 consent decree between the FTC and Facebook that subjected the social media giant to third-party audits of its privacy program appeared to be ineffective. Since the Cambridge Analytica scandal in 2016, where the Trump-affiliated British consulting firm had access to the private information of millions of users, Facebook has suffered from a slew of high-profile privacy scandals.
Still, Equifax's CEO argued the settlement, which he called “by far the largest ever,” is a reflection of the “seriousness that we took this matter and our commitment to supporting customers.”
“We continue to monitor the dark web and identity theft and to date we haven’t seen any instance of our data stolen being sold or increases in identify theft,” he told reporters on Monday, adding that the company is not anticipating needing to provide the added $125 million.
State officials, however, argued that hackers don’t typically immediately use stolen information and tend to archive it for years.
We can’t say that “all the harm has been realized and that consumers -- whatever claims they made so far -- are going to be the extent of the claims going forward, or the damages going forward,” said Maryland Attorney General Brian Frosh.
Consumers will have up to six months for the initial claims period and an additional four years in protection from identity theft related to information stolen in the Equifax breach.
On top of the FTC fines and consumer fund, Begor also highlighted the $1.25 billion the firm is spending in new technology and security processes, a 50 percent increase over the traditional spend. Additionally, Equifax is required to provide up to 10 years of free credit monitoring, four of which will include services from the trio of top credit monitoring firms.
In total, Equifax has spent $701 million addressing the breach scandal through the second quarter of 2019.
FTC and Consumer Financial Protection Bureau officials argued the settlement is adequate because it entitles consumers to financial restitution while also ensuring Equifax remains financially viable enough to continue to invest in new security measures.
“We do want to make sure that we are not bankrupting the company or making the company go out of business,” CFPB Director Kathy Kraninger told reporters.
The agency is not anticipating that all those affected by the breach will file claims and say the bulk of the remedy will come from the 10 years of free credit monitoring.
The fine could have been higher should the FTC be able to bring civil penalties against first-time offenders of federal privacy statutes, according to Simon, and he is urging Congress to move to give the agency the authority.
“Fortunately other agencies were able to fill in the gap this time but that will not always be the case, which sends the wrong signal regarding deterrence,” he said during Monday’s press conference.