Unpacking the Equifax settlement
Illustration: Aïda Amer/Axios
After Equifax agreed this week to a landmark settlement with state and federal regulators for its historic 2017 data breach, regulators are hoping that its penalties — which will cost Equifax up to $700 million — are big enough to deter the next firm from allowing the next breach.
Why it matters: There has never before been a breach like Equifax, where enough personal data was pilfered to steal the identity of the majority of U.S. adults. It's a milestone that consumers and regulators alike hope will only happen the once.
By the numbers: The Equifax settlement includes $275 million in penalties to state and federal regulators and up to $425 million to provide protection and reimbursement to consumers harmed in the breach.
Details: The consumer fund — which starts at $300 million, with provision to go up to $425 million as needed — will provide identity theft protection insurance and pay for four years of credit monitoring at all three major credit bureaus along with an additional six at Equifax.
But the fund also contains a unique feature that experts believe could become a new standard in future penalties for breaches. It will reimburse costs of dealing with the breach, like lawyers, out of pocket credit monitoring services and time spent wrangling with the whole ordeal, up to $20,000 per individual.
Stricter than Europe: Penalties under GDPR, Europe's privacy law, are usually portrayed as tougher than those in the U.S. While GDPR didn't take effect until after the Equifax breach, had Equifax spilled personal information on 147 million Europeans, the fine under GDPR would actually be smaller than what the U.S. just dished out.
- Equifax did not encrypt personal data stolen in the breach, which would have violated GDPR. The penalty for violating GDPR is 2-4 percent of global revenue plus restitution.
- For Equifax, which made $3.36 billion in revenue in 2017, that's a fine of $67 million. The state and federal regulator penalties for Equifax totaled around $200 million more than that.
The big question: Will this settlement's bite carry over to future breaches?
- "There’s a real good chance the new reimbursement scheme will be the new standard," said Ken Dort, a data security and privacy attorney at Drinker Biddle.
- However, experts think some of the high dollar totals may be more a response to alleged egregious mismanagement at Equifax that led to the breach.
The intrigue: It's only a matter of luck that a federal agency was able to dole out a fine for a privacy violation. While the CFPB can penalize financial institutions, no federal agency has the authority to fine most other companies on this issue.
- Several lawmakers hope to pass legislation giving the Federal Trade Commission this central authority.
- "Strengthening the FTC by giving it authority would be the strongest deterrent to future breaches," said Terrell McSweeny, a former FTC commissioner who is now an attorney at Covington.
What they're saying: "I expect a good number of lawyers will be using this as a case study for their clients in the future," said Marcus Christian, an attorney in Mayer Brown's cybersecurity practice.