The attorneys general of 40 states have concluded multistate settlements (in the form of Assurances of Voluntary Compliance or Assurances of Discontinuance) with Experian Data Corp., Experian Information Solutions, Inc. (“Experian”) and T-Mobile U.S.A., Inc. to resolve allegations arising out of data breaches that occurred in 2012 and 2015, whereby Experian is required to pay of over $13.67 million and T-Mobile is required to pay $2.43 million. These penalties are to be distributed among the states. In particular, the states alleged that Experian and T-Mobile had failed to protect consumers’ sensitive personal data, and failed to inform customers of the breaches once they were known, thereby violating the consumer protection and breach notification laws of the various states.
Experian Data Corp. was alerted to the 2012 breach by the US Secret Service; that breach involved a threat actor obtaining access to the names, social security numbers, addresses, and telephone numbers of consumers. Per the Assurances, Experian informed the entity with which it had a data sharing agreement (U.S. Infosearch) of the breach upon discovery, but it did not notify affected consumers. The 2015 breach involved data stored by Experian for its customer T-Mobile, and included the personal information – e.g., social security numbers, government identification numbers, and credit history information – of 15 million individuals who had applied for T-Mobile postpaid services and financing.
The separate Assurances impose a number of obligations on the companies, including:
- Requiring the companies to comply with state laws pertaining to consumer protection, personal information protection, and data breach notifications;
- Prohibiting making misleading statements or omissions regarding the storage, maintenance or transmission of personal data;;
- Imposing a five-year breach reporting and records retention requirement;
- Making reasonable efforts to reduce their use and storage of social security numbers by examining alternate means of authentication;
- Implementing incident response and notification plans;
- Following strict procedures in credentialing third-party vendors; and
- Developing, implementing and maintaining a written identity theft prevention program.
Individually, Experian must implement an information security program commensurate with the size, complexity nature and scope of the company’s activities, including designating a chief information security officer, and is required to offer free credit monitoring services and two complimentary credit reports to affected consumers for five years. Experian must also engage an independent third-party assessor for a period of six years. T-Mobile is required to incorporate into vendor contracts specific measures regarding encryption, passwords, patching, and other security measures, and to maintain a vendor contract inventory.
Antitrust, securities, tax and criminal claims are excluded from the Assurances, and the companies may still be under investigation by state and federal authorities. The current settlement does not cover the August 2021 data breach reported by T-Mobile, which is still under investigation by a multistate coalition of attorneys general.