By | July 22, 2019

(RALEIGH) Attorney General Josh Stein today announced that he has reached a settlement with Equifax as a result of an investigation into a massive 2017 data breach. The investigation found that Equifax failed to maintain a reasonable security system – allowing hackers to penetrate its systems and expose the data of 56 percent of American adults. This was the largest-ever breach of consumer data. The settlement includes a Consumer Restitution Fund of up to $425 million, $175 million payment to the coalition of states that entered into the settlement, and injunctive relief. North Carolina’s share is more than $4.5 million. This is the largest data breach settlement in history.

NC Attorney General Josh Stein

“Equifax had access to people’s most sensitive personal information,” said Attorney General Josh Stein. “The company had a responsibility to keep that data secure. Because it did not, one in every two Americans’ personal information was exposed to hacking. Thanks to this settlement, Equifax will be held accountable and affected North Carolinians will see restitution.”

On September 7, 2017, Equifax, one of the largest consumer reporting agencies in the world, announced a data breach affecting more than 147 million consumers— nearly half of the U.S. population. Breached information included social security numbers, names, dates of birth, addresses, credit card numbers, and in some cases, driver’s license numbers.

Shortly after, Attorney General Josh Stein joined the executive committee of a coalition that grew to 50 Attorneys General undertaking a multi-state investigation into the breach. The investigation found that the breach occurred because Equifax failed to implement an adequate security program to protect consumers’ highly sensitive personal information. Despite knowing about a critical vulnerability in its software, Equifax failed to fully patch its systems. Moreover, Equifax failed to replace software that monitored the breached network for suspicious activity. As a result, the attackers penetrated Equifax’s system and went unnoticed for 76 days.

Under the terms of the settlement, Equifax agreed to provide a single Consumer Restitution Fund of up to $425 million—with $300 million dedicated to consumer redress. If the $300 million is exhausted, the Fund can increase by up to an additional $125 million. The company will also offer affected consumers extended credit-monitoring services for a total of 10 years.

Equifax has also agreed to take several steps to assist consumers who are either facing identity theft issues or who have already had their identities stolen including:

  • making it easier for people to freeze and thaw their credit;
  • making it easier for people to dispute inaccurate information in credit reports; and
  • requiring Equifax to maintain sufficient staff dedicated to assisting consumers who may be victims of identity theft.

Equifax has also agreed to strengthen its security practices going forward, including:

  • reorganizing its data security team;
  • minimizing its collection of sensitive data and the use of consumers’ Social Security numbers;
  • performing regular security monitoring, logging, and testing;
  • employing improved access control and account management tools;
  • reorganizing and segmenting its network; and
  • reorganizing its patch management team and employing new policies regarding the identification and deployment of critical security updates and patches.

Equifax also agreed to pay the states a total of $175 million, which includes $4,563,223.03 for North Carolina.

North Carolinians who are eligible for redress will be required to submit claims online or by mail. Paper claim forms can also be requested over the phone. People will be able to obtain information about the settlement, check their eligibility to file a claim, and file a claim on the Equifax Settlement Breach online registry at https://www.equifaxbreachsettlement.com/. To receive email updates regarding the launch of this online registry, consumers can sign up at www.ftc.gov/Equifax or call the settlement administrator at 1-833-759-2982 for more information. The program to pay restitution to consumers will be conducted in connection with settlements that have been reached in the multi-district class actions filed against Equifax, as well as settlements that were reached with the Federal Trade Commission and Consumer Financial Protection Bureau.

In addition to North Carolina, other Attorneys General participating in this settlement include Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, Wisconsin, Wyoming, and the District of Columbia. Also joining are Texas, West Virginia and the Commonwealth of Puerto Rico.

A copy of the judgment is available here.