Attorney General Ellen Rosenblum today announced a nationwide settlement with the consumer reporting giant, Equifax, as the result of an investigation into a massive 2017 data breach, the largest-ever breach of consumer data. Oregon will receive over $2.8 million from the settlement and consumers are eligible to apply for restitution. The company will also offer affected consumers extended credit-monitoring services for a total of 10 years.
On September 7, 2017, Equifax, one of the largest consumer reporting agencies in the world, announced a data breach affecting more than 147 million consumers. Breached information included social security numbers, names, dates of birth, addresses, credit card numbers, and in some cases, driver’s license numbers
“This mega-sized Equifax data breach affected the personal information of over half of the U.S. adult population. These self-described ‘stewards’ of our data turned out to be incredibly careless with Oregonians’ personal information and let down consumers – who had no choice about providing access to their data in the first place – in a big, big way,” Attorney General Ellen Rosenblum said. “I am pleased that state attorneys general have had a role in holding Equifax accountable for failing to maintain the privacy and security of our personal data.”
The multi-state investigation found that the breach occurred because Equifax failed to implement an adequate security program to protect consumers’ highly sensitive personal information. Despite knowing about a critical vulnerability in its software, Equifax failed to fully patch its systems. Equifax also failed to replace software that monitored the breached network for suspicious activity. As a result, the attackers penetrated Equifax’s system and went unnoticed for 76 days.
Under the terms of the settlement, Equifax agreed to provide a single Consumer Restitution Fund of up to $425 million—with $300 million dedicated to consumer redress. If the $300 million is exhausted, the Fund can increase by up to an additional $125 million.
Equifax has also agreed to take several steps to assist consumers who are either facing identity theft issues or who have already had their identities stolen. These steps include making it easier for consumers to freeze and thaw their credit; making it easier for consumers to dispute inaccurate information in credit reports; and requiring Equifax to maintain sufficient staff dedicated to assisting consumers who may be victims of identity theft.
Equifax has also agreed to strengthen its security practices going forward by reorganizing its data security team; minimizing its collection of sensitive data and the use of consumers’ Social Security numbers; performing regular security monitoring, logging and testing; employing improved access control and account management tools; reorganizing its network; and reorganizing its patch management team and employing new policies regarding critical security updates and patches.
Consumers who are eligible for redress will be required to submit claims online, by mail, or by phone. Consumers will be able to obtain information about the settlement, check their eligibility to file a claim, and file a claim by phone or online. To receive email updates regarding the launch of the Equifax Settlement Breach online registry, consumers can sign up at www.ftc.gov/equifax-data-breach ». Consumers can also call 1-833-759-2982 for more information.
The program to pay restitution to consumers will be conducted in connection with settlements that have been reached in the multi-district class actions filed against Equifax, as well as settlements that were reached with the Federal Trade Commission and Consumer Financial Protection Bureau.
In addition to Oregon, other Attorneys General participating in this settlement include Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, Wisconsin, Wyoming, and the District of Columbia. Also joining are Texas, West Virginia and the Commonwealth of Puerto Rico.
The Attorneys General secured a settlement with Equifax that includes a Consumer Restitution Fund of up to $425 million, a $175 million payment to the states, and injunctive relief, which also includes a significant financial commitment.
The Oregon Department of Justice (DOJ) is led by Attorney General Ellen Rosenblum, and serves as the state’s law firm. The Oregon DOJ advocates for and protects all Oregonians, especially the most vulnerable, such as children and seniors.