On July 22, 2019, the Federal Trade Commission announced that Equifax Inc. (“Equifax”) agreed to pay at least $575 million, and potentially up to $700 million, as part of a global settlement agreement with the FTC, the Consumer Financial Protection Bureau (“CFPB”), and 48 U.S. states and territories to resolve investigations into the colossal data breach the company suffered in 2017. This is the largest data breach settlement in U.S. history.
Equifax, one of America’s three main credit bureaus, stores personal information relating to hundreds of millions of individuals. The FTC, which expects to file its complaint and the proposed stipulated order in district court today, alleges that Equifax’s failure to patch a critical network security vulnerability affecting its ACIS database allowed hackers to operate undetected on Equifax’s networks for months, stealing vast stores of personal information. According to the complaint, after Equifax was alerted to the security issue in March 2017, the company’s security personnel ordered that vulnerable systems be patched within 48 hours. Equifax failed, however, to ensure that the responsible employees carried out the order, and the vulnerability was left uncorrected.
In July 2017, four months later, Equifax discovered that its ACIS database was unpatched. Equifax’s investigation revealed that multiple hackers used the vulnerability to access the company’s network and obtain administrative credentials stored in plain text from an unsecured file. Using the credentials, the hackers masked their activities for months and stole the personal information of hundreds of millions of people, the majority of whom purchased credit scores, credit monitoring, or identity theft prevention services from Equifax. According to the FTC, the hackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers and 209,000 payment card numbers and expiration dates. They were able to do so, the FTC alleges, because Equifax failed to implement basic security measures and stored credentials and sensitive consumer information in plain text.
As part of the proposed settlement, Equifax will pay $300 million to a fund that will provide individuals with credit monitoring services and compensate them for their losses. Equifax will add up to $125 million to the fund as necessary. Additionally, beginning in January 2020, Equifax will provide all U.S. residents with six free credit reports each year for seven years (in addition to the one free credit report Equifax and the other two main credit bureaus, TransUnion and Experian, currently provide). Equifax also agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, and $100 million to the CFPB.
Apart from its monetary payments, Equifax also must implement a comprehensive information security program. The program requires, among other things, that Equifax obtain annual certifications from its board of directors or relevant subcommittee that the company has complied with the order and obtain third-party assessments of its information security program every two years. The FTC is authorized to approve the assessor for each two-year assessment period.
In a press conference discussing the proposed settlement, FTC Chairman Joseph Simons emphasized that the FTC’s current authority does not allow it to impose broad civil penalties in this context, in contrast to the CFPB and the state attorneys general. Chairman Simons said that this constraint underlines the need for new federal legislation that expands the FTC’s enforcement powers.