Media Contact: Liz Brocker (701) 328-2213
BISMARCK, ND - Attorney General Wayne Stenehjem today announced that a national coalition of Attorneys General has reached a settlement with Equifax as the result of an investigation into a massive 2017 data breach. The settlement includes a Consumer Restitution Fund of up to $425 million and a $175 million payment to the states. It is the largest data breach enforcement action in history.
“This enforcement action sends a strong message to Equifax and other credit reporting agencies that when you are in the business of collecting and storing our personal and confidential information, you must properly safeguard that information, and if you fail to do so, we will hold you accountable,” said Stenehjem.
On September 7, 2017, Equifax, one of the largest consumer reporting agencies in the world, announced a data breach affecting more than 147 million individuals — about half the adult population of the United States. Breached information included names, addresses, social security numbers, birthdates, credit card numbers, and driver’s license numbers.
The Attorneys General immediately launched a national investigation, which found that despite knowing about a critical vulnerability in its software systems, Equifax did not patch the systems or even replace a software program that monitored its system for breaches. As a result, it took Equifax 76 days to notice that its database had been hacked and the highly sensitive personal information of millions of Americans had been stolen.
Under the terms of the settlement, Equifax will establish a Consumer Restitution Fund of up to $425 million to reimburse people who suffered a financial loss from identity theft or expenses for credit monitoring services as a result of the breach. Eligible individuals will be able to submit claims online or by mail, through a process coordinated by the Federal Trade Commission. Consumers can obtain more information about how to determine their eligibility and can register their email address to receive notice when the FTC is ready to process claims, at ftc.gov/equifax, or by calling the FTC’s claim hotline at 1-833-759-2982.
As part of the settlement, Equifax is required to minimize its future collection of sensitive data, including social security numbers; strengthen its security practices; perform regular security monitoring, logging and testing; and institute new policies to identify and quickly deploy critical security updates and patches to its systems. Equifax will pay the states a total of $175 million, which includes $1 million for North Dakota.
Equifax is one of the three major credit reporting agencies, along with Experian and TransUnion, which collect personal and financial information of millions of Americans and then profit from re-selling that information in the form of credit reports. These credit reports are used by prospective employers, landlords, credit card companies, and lenders to decide whether an individual poses a credit risk.
In addition to North Dakota, the following states participated in the settlement: Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, Wyoming, as well as the District of Columbia and the Commonwealth of Puerto Rico.
# # #