The Equifax Settlement and Increasing Standards of Care Requirements
In September of 2017, Equifax, the largest of the three main credit reporting agencies, announced a data breach that exposed the personal information of 147 million consumers – almost 50% of the U.S. population. Due to a known, unpatched security vulnerability, hackers were able to gain access to a vast quantity of unencrypted private consumer information, including names, Social Security numbers, dates of birth, credit card numbers, addresses, and even driver’s license numbers.
More than two years after the breach was reported, Equifax has now reached a $575 million global settlement (with the potential to reach $700 million) with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and the 50 U.S. states and territories. Based on the agreement, Equifax will allocate $175 million to the 50 U.S. states and territories, $100 million to the CFPB, $300 million to a fund that will provide credit monitoring services for affected consumers, and an additional $125 million fund in the event the initial $300 million is not enough to compensate consumers for their losses.
In addition to paying restitution to the millions of victims of the data breach, Equifax also agreed to provide seven years of free assisted identity restoration services and six free credit reports each year for seven years.
However, financial remedies are only part of the Equifax settlement agreement. Since the FTC alleges that Equifax violated the FTC Act and the Gramm-Leach-Bliley Safeguards Rule (GLBA) by failing to safeguard sensitive consumer data, the company is required to implement a comprehensive information security program. The program must be maintained for 20 years and protect the security, confidentiality, and integrity of consumers’ sensitive personal information.
This court ruling by the FTC against Equifax is only the beginning of the increased “Standards of Care” required for an organization’s cybersecurity program. As more organizations fall victim to data breaches and become involved in lawsuits or face regulatory actions, the courts will turn to this care benchmark to measure an organization’s practices and determine liability, fault, and punishment. Implementing the minimum Standards of Care set out by the FTC, and updating your cyber insurance policies to include some, if not all, of these requirements, will help protect your organization in the wake of an incident.
In Part 1 of our series tracking popular settlement actions and court cases, we’ll take a closer look at the specifics of the information security program required for Equifax and how these requirements may enhance your company’s security program as well.