Atlanta-based Equifax on Monday announced it has reached a $700 million-plus settlement with the government that, pending court approval, will mean an end to legal action stemming from a massive data breach two years ago.
The deal calls for the company to create a consumer restitution fund of up to $425 million, to pay $290.5 million to state and federal regulators and to cover millions of dollars in lawyers’ fees assessed in the many lawsuits filed. It also agreed to overhaul its cyber-security policies.
In a conference call Monday with reporters, CEO Mark Begor said the pact was proof of the company’s trustworthiness. “This re-affirms our commitment to putting consumers first and safeguarding their data.”
The agreement was hammered out with Georgia Attorney General Chris Carr’s office, federal regulators and plaintiffs’ attorneys, but it drew some criticism from consumer advocates.
“I think the settlement is inadequate for the size of the affected class, the magnitude of the breach and the bad behavior,” Ed Mierzwinski, senior director of federal consumer programs at U.S. Public Interest Group. “There were no electronic guards. There were no alarms. And, when they were notified, you’d think they would have acted more quickly.”
The breach – which continued for 76 days – exposed the personal information of nearly 150 million Americans. That included Social Security numbers, birth dates, addresses, credit card numbers and, in some cases, driver’s license numbers – much of that data potentially valuable for years or even decades to come.
Equifax did not announce that the data had been accessed until early September 2017, weeks after discovering the electronic invasion.
The company’s response drew outrage from consumer groups. Congressional hearings were held, and a number of top executives – including CEO Rick Smith – took early retirement. Several other lower-level executives were charged with insider trading for stock trades made before the breach was publicly revealed.
Initially, it seemed the fury threatened the company’s survival. While Equifax stock did take a hit, it has been slowly recovering. Shares of the company had been trading at $141.59 before the announcement of the breach. Afterward, the price plummeted 34%. Equifax closed the trading day Monday just below $138 a share.
At the end of the past fiscal year, Equifax reported net income of about $300 million on revenues of $3.4 billion. It is slated to report its most recent quarterly earnings later this week.
Ultimately, Congress took no action against the company.
The deal announced Monday also would require Equifax — which is offering free credit monitoring through this year for those who signed up — to make it easier for consumers to freeze and thaw credit. It would also require the company to hire more staff to help victims of identity theft, reorganize its data security team and to minimize its use of sensitive data, according to Carr, Georgia’s attorney general.
It’s a “fair and appropriate settlement, ensuring substantial consumer relief and requiring the implementation of robust security measures to protect against future exposure of consumers’ private data,” said Carr.
Georgia will receive $7.2 million from Equifax as part of the settlement, he said.
Unless a federal judge sees reason to object, the agreement seems likely to take effect.
Attorneys at the Atlanta-based Barnes Law Group, who represent plaintiffs, said Monday they were filing a motion asking the court to accept the settlement of the case.
Liz Coyle, executive director of Georgia Watch, said the settlement is large enough to prove the agencies and attorneys general are serious about keeping credit agencies accountable. “I believe the magnitude fits the severity of the incident,” she said. “The intent is to ensure that this never happens again.”
After the breach was revealed, critics charged Equifax with fostering a corporate culture that put the priority on profits, not on protection.
Asked about that Monday, Begor — who became the company’s chief executive in early 2018 — talked about company investments since the breach.
“It’s hard for me to talk about the culture before I joined the company, but I’ve been very clear,” he said. “Culturally, when I joined the company, we made it clear that we were putting consumers first. We want to put the consumer first, and the security first and the technology first.”
The company has added several top positions in security and technology. In addition to the settlement payments announced Monday, Equifax will continue to make improvements part of a $1.25 billion investment, Begor said. “I hope that speaks volumes about the culture we have in place today for Equifax.”
Hackers generally steal information either to resell it for profit, or — when it’s a government hacker — to use it against an enemy.
If the Equifax breach was about money, there’s been no sign of that yet, Begor said.
However, unlike hacks of credit card numbers, personal data may be valuable for many years, experts said.
“We continue to monitor the dark web and identity theft,” Begor said. “And to date, we haven’t seen any evidence of our data being sold or an increase in identity theft.”
Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.
Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.