July 22, 2019

Equifax announces comprehensive $715.5 million settlement for 2017 data breach

On July 19 and 22, 2019, Equifax entered into multiple agreements to resolve consumer litigation and government investigations arising out of the 2017 cybersecurity incident in which the personal and financial data of millions of consumers was compromised. The settlement resolves multidistrict class action litigation and investigations by the Federal Trade Commission, the Consumer Financial Protection Bureau, the attorneys general of 48 states, Puerto Rico and the District of Columbia, and the New York Department of Financial Services.

The settlement establishes a $425 million restitution fund to provide credit monitoring services and loss reimbursement to consumers, and requires payment of $290.5 million to state and federal agencies. It mandates an information security program to be maintained by Equifax for twenty years, with periodic assessments and written reports, and, by August 30, 2019, the establishment of a clear and easily accessible process for employees to submit complaints or concerns about the company’s information security. The settlement also requires covered incident reports to the CFPB within a reasonable time of discovery of a security incident, bi-annual third-party information security assessments, and annual certification for twenty years by Equifax’s board of directors regarding its information security program, cooperation with the monitor, and compliance with the settlement order. Equifax said that it is committed to continuing the significant steps it is taking to enhance its information security and technology, and is investing $1.25 billion in those areas.

The comprehensive settlement requires approval by the court.

Form 8-K | Equifax news release | FTC press release

NYDFS press release | CFPB press release | Proposed Order