A coalition of 50 Attorneys General, comprising 48 states, the District of Columbia, and the Commonwealth of Puerto Rico has reached a settlement with Equifax resulting from an investigation into a massive 2017 data breach. While consumers will receive up to $425 million in claims in the settlement, Equifax will also pay $1 million to the State of Rhode Island as a consequence of the breach.
The investigation found that Equifax's failure to maintain a reasonable security system enabled hackers to penetrate its systems, exposing the data of 56 percent of American adults, including approximately 500,000 Rhode Island consumers—the largest-ever breach of consumer data. The Attorneys General secured a settlement with Equifax that includes a Consumer Restitution Fund as well as injunctive relief, which also includes a significant financial commitment.
"This is an important win for consumers," said Attorney General Peter F. Neronha. "As sensitive data becomes more and more vulnerable to online hackers, the need for adequate security systems and privacy measures is paramount. Our Office will continue to stand up for Rhode Island consumers.
"While this is a good result, I know my office can do more for consumers," he continued. "We need the right consumer protection tools in place so we can play an even larger role in ensuring that the people of our state are protected from harm and Rhode Island is getting its fair share of these types of settlements, as we proposed with our amendments to the Deceptive Trade Practices Act and other consumer protection laws last session. Those amendments would have provided the State with broader legal remedies and our office with the resources necessary to enforce those remedies."
On September 7, 2017, Equifax, one of the largest consumer reporting agencies in the world, announced a data breach affecting more than 147 million consumers— more than half of the U.S. population. Breached information included social security numbers, names, dates of birth, addresses, credit card numbers, and in some cases, driver's license numbers.
Shortly after, a coalition that grew to 50 Attorneys General launched a multi-state investigation into the breach. The investigation found that the breach occurred because Equifax failed to implement an adequate security program to protect consumers' highly sensitive personal information. Despite knowing about a critical vulnerability in its software, Equifax failed to fully patch its systems. Moreover, Equifax failed to replace software that monitored the breached network for suspicious activity. As a result, the attackers penetrated Equifax's system and went unnoticed for 76 days.
Under the terms of the settlement, Equifax agreed to provide a single Consumer Restitution Fund of up to $425 million—with $300 million dedicated to consumer redress. If the $300 million is exhausted, the Fund can increase by up to an additional $125 million. The company will also offer affected consumers extended credit-monitoring services for a total of 10 years.
Equifax has also agreed to take several steps to assist consumers who are either facing identity theft issues or who have already had their identities stolen including, but not limited to:
• making it easier for consumers to freeze and thaw their credit; • making it easier for consumers to dispute inaccurate information in credit reports; and • requiring Equifax to maintain sufficient staff dedicated to assisting consumers who may be victims of identity theft.
Equifax has also agreed to strengthen its security practices going forward, including:
• reorganizing its data security team; • minimizing its collection of sensitive data and the use of consumers' Social Security numbers; • performing regular security monitoring, logging and testing; • employing improved access control and account management tools; • reorganizing and segmenting its network; and • reorganizing its patch management team and employing new policies regarding the identification and deployment of critical security updates and patches.
In addition to the consumer restitution, Equifax agreed to pay the states involved, which includes $1 million for Rhode Island.
Submitting consumer claims:
Consumers will be able to file claims after this settlement has been approved by the Court.
What consumers can do today:
1. Rhode Island consumers can call the Rhode Island Attorney General's Consumer Protection Unit at 401-274-4400 to add their e-mail address to a list to receive notification when the settlement has been approved. Once the settlement has been approved, consumers will be able to file a claim.
2. Consumers can also receive email updates regarding the launch of the Equifax Settlement Breach online registry by signing up at www.ftc.gov/equifax-data-breach.
Filing a claim once the settlement has been approved:
1. Once the settlement has been approved by the Court, consumers will be able to file a claim online or by mail. Rhode Island consumers can call the Rhode Island Attorney General's Consumer Protection Unit at 401-274-4400 with questions about filing a claim. Consumers can also visit our website at www.riag.ri.gov for Frequently Asked Questions once the settlement has been approved.
The program to pay restitution to consumers will be conducted in connection with settlements that have been reached in separate, but related class actions filed against Equifax, as well as settlements that were reached with the Federal Trade Commission and Consumer Financial Protection Bureau.
# # #