Skip to main content

CFPB, FTC and States Announce Settlement with Equifax Over 2017 Data Breach

WASHINGTON, D.C. – The Consumer Financial Protection Bureau (Bureau), the Federal Trade Commission (FTC), and 48 states, the District of Columbia and Puerto Rico announced a global settlement today with Equifax that would provide up to $700 million in monetary relief and penalties. In a complaint and proposed stipulated judgment filed in federal district court in the Northern District of Georgia, the Bureau alleges that Equifax engaged in unfair and deceptive practices in connection with the 2017 data breach of Equifax’s systems that impacted approximately 147 million consumers. The proposed settlement with the Bureau, if approved by the court, will provide up to $425 million in monetary relief to consumers, a $100 million civil money penalty, and other relief. The Bureau coordinated its investigation with the FTC and attorneys general from across the country. In total, the settlements with these entities would impose up to $700 million in relief and penalties. 

“Today’s announcement is not the end of our efforts to make sure consumers’ sensitive personal information is safe and secure. The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers. Too much is at stake for the financial security of the American people to make these protections anything less than a top priority,” said CFPB Director Kathleen L. Kraninger. 

“For consumers impacted by the Equifax breach, today’s settlement will make available up to $425 million for time and money they spent to protect themselves from potential threats of identity theft or addressing incidents of identity theft as a result of the breach. We encourage consumers impacted by the breach to submit their claims in order to receive free credit monitoring or cash reimbursements,” concluded Director Kraninger. 

In September of 2017, Equifax, a nationwide credit reporting company headquartered in Atlanta, Georgia, announced that a data breach at the company resulted in the exposure of approximately 147 million U.S. consumers’ sensitive personal information, including names, addresses, social security numbers, and dates of birth. 

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

The Bureau alleges in its Complaint that Equifax violated the law in several ways through its conduct both before and after the breach. Specifically, the Bureau alleges, Equifax engaged in unfair and deceptive practices in violation of the Consumer Financial Protection Act of 2010 by:

- Failing to provide reasonable security for the massive quantities of sensitive personal information stored within its computer network, causing substantial injury to consumers whose data was stolen;

- Deceiving consumers about the strength of its data security program in its privacy policies; and

- Engaging in acts and practices that caused additional harm or risk of harm to consumers in response to the breach.

To provide relief for consumers affected by the breach, the Bureau’s proposed order requires Equifax to establish a consumer fund (Consumer Fund) with up to $425 million available to provide affected consumers with a broad array of redress. The Consumer Fund would be used to provide reimbursements to affected consumers for time and money they spent related to the breach.  If the court approves the settlement, affected consumers may be eligible to receive money by filing one or more claims for the following: 

- Up to $20,000 per consumer for lost time and money, including:

  • $25/hour for up to 20 hours for time spent protecting personal information or addressing identity theft after the breach;
  • Money spent purchasing credit monitoring or identity theft protection after the breach;
  • The cost of freezing or unfreezing credit reports at any consumer reporting agency after the breach;
  • Reimbursement for up to 25 percent of the amount paid to Equifax for credit or identity monitoring subscription products between September 7, 2016 and September 7, 2017; 
  • Any unreimbursed costs, expenses, losses, or charges incurred as a result of identity theft; and
  • Miscellaneous expenses associated with any of the above, such as notary, fax, postage, mileage and telephone charges.

All affected consumers would be eligible to receive at least 10 years of free credit-monitoring, at least seven years of free identity-restoration services, and, starting on December 31, 2019 and extending seven years, all U.S. consumers may request up to six free copies of their Equifax credit report during any 12-month period. These free copies will be provided to requesting consumers in addition to any free reports to which they are entitled under federal law.

If consumers choose not to enroll in the free credit monitoring product available through the settlement, they may seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice. 

A settlement administrator will manage the claims process. Consumers must submit a claim in order to receive free credit monitoring or cash reimbursements. After the court approves the settlement, consumers can submit a claim online at www.EquifaxBreachSettlement.com , or by mail. Consumers may visit this website to learn about the deadlines for filing claims. 

In addition to consumer relief, Equifax would be required to pay the Bureau a $100 million civil money penalty. Equifax also would be required to make significant improvements to its data security practices and would be subject to ongoing oversight by regulators. 

The Federal Trade Commission also filed a complaint and proposed stipulated judgment in federal court in the Northern District of Georgia today. The attorneys’ general from 48 states, the District of Columbia and Puerto Rico also have reached agreements to resolve investigations of the data breach that are being announced today. The FTC’s and the states’ orders provide for relief for consumers consistent with the Bureau’s order.

A copy of the proposed stipulated order is available at: https://files.consumerfinance.gov/f/documents/cfpb_equifax-inc_proposed-stipulated-order_2019-07.pdf

A copy of the complaint is available at: https://files.consumerfinance.gov/f/documents/cfpb_equifax-inc_complaint_2019-07.pdf

A fact sheet containing information about the settlement and resources for consumers to learn more is available here www.consumerfinance.gov/equifax-settlement.

Consumers may go to www.EquifaxBreachSettlement.com for more information about when and how to apply for and receive reimbursements.  

###

The Consumer Financial Protection Bureau is a 21st century agency that helps consumer finance markets work by regularly identifying and addressing outdated, unnecessary, or unduly burdensome regulations, by making rules more effective, by consistently enforcing federal consumer financial law, and by empowering consumers to take more control over their economic lives. For more information, visit consumerfinance.gov.