By Cynthia Brumfield
July 24, 2019 — The settlement also requires Equifax to spend another $125 million for cash compensation and potentially much more if the number of class members who sign up for credit monitoring exceeds 7 million. The company will further pay $175 million in fines to settle state attorneys’ general investigations and $100 million to resolve probes by the Consumer Financial Protection Bureau and the Federal Trade Commission (FTC).
Damage from Equifax breach runs deep
These hefty penalties follow a string of stinging developments Equifax has labored under for nearly two years. In the immediate aftermath of the breach, and Equifax’s own botched effort to deal with the fallout, CEO Richard Smith left the company shortly after the abrupt retirements of CIO David Webb and CSO Susan Mauldin.
In late June, Jun Ying, former Equifax vice president and international CIO, was sentenced to four months in prison and ordered to pay around $117,000 in restitution and $55,000 in fines for insider trades of the company’s stock he undertook during the period between the data breach’s discovery and its public announcement. Last October, former Equifax engineer Sudhakar Reddy Bonthu was likewise sentenced for insider trading and ordered to pay financial restitution, although Bonthu received eight months of home confinement rather than a prison term.
In late May, investor ratings giant Moody’s slashed the outlook on Equifax from stable to negative in the first such downgrade attributable to a cyberattack. At the time of the downgrade, Moody’s said it didn’t see a brighter future for Equifax due to its breach-related expenses, which, at the time, Moody’s judged to be around $400 million for 2019 and 2020.
U.S. authorities aren’t alone in sanctioning Equifax for what the House Oversight and Government Reform Committee called an “entirely preventable” breach. Last September, the UK’s data regulator, the Information Commissioner’s Office (ICO), fined Equifax £500,000 ($664,000) for failing to protect the personal data of around 15 million Brits affected by the breach.
Equifax did get something of a break with the timing of the ICO’s fine because its breach happened too soon to get caught by the much more financially punitive regime of the EU’s General Data Protection Regulation (GDPR), which went into effect in May 2018. The GDPR’s rules could have cost Equifax 4% of its global revenue or around $136,000,000, an amount more or less on par with two recent fines levied by the ICO against other corporations for their data breaches.
In early July, the ICO announced it plans to fine British Airways more than £183 million (around $230 million) after hackers stole the personal data of half a million of the airline’s customers, including their payment card data, in a breach that began in June 2018. Also in early July, the ICO said that it plans to fine U.S. hotel group Marriott International £99.2 million, or around $123 million, related to a data breach discovered in 2018 but possibly dating back as far as 2014. That breach, which affected Marriott’s Starwood group of hotels, exposed the private data of around 339 million guests.
Norm Siegel, one of the co-lead counsels on behalf of consumers in the Equifax settlement, thinks that security professionals and executives should take the Equifax breach to heart. “We were able to secure meaningful data security improvements, including a major capital commitment backed by a court order, which is another important feature of this settlement that perhaps will be a deterrent to” executive neglect of cybersecurity, he tells CSO.
Failure to heed the lesson of Equifax’s security flame-out will likely lead even more companies down the disastrous path Equifax followed, with more high-profile lawsuits to follow. “Consumer protection attorneys continue to play a key role in holding companies responsible,” Amy Keller, another co-lead counsel in the Equifax settlement, tells CSO Online.
The settlement “demonstrates that consumers refuse to accept that data breaches are the ‘new norm’” and “not only consumers for the time and money they spent as a result of the breach, but also [ensures] that consumers have the tools necessary to protect themselves in the future,” she says.
The message is clear, according to Keller. “If companies profit off of your data, then they owe you a duty to protect that data.”