Jul 25, 2019

Unpacking the Equifax settlement

Illustration: Aïda Amer/Axios

After Equifax agreed this week to a landmark settlement with state and federal regulators for its historic 2017 data breach, regulators are hoping that its penalties — which will cost Equifax up to $700 million — are big enough to deter the next firm from allowing the next breach.

Why it matters: There has never before been a breach like Equifax, where enough personal data was pilfered to steal the identity of the majority of U.S. adults. It's a milestone that consumers and regulators alike hope will only happen the once.

By the numbers: The Equifax settlement includes $275 million in penalties to state and federal regulators and up to $425 million to provide protection and reimbursement to consumers harmed in the breach.

Details: The consumer fund — which starts at $300 million, with provision to go up to $425 million as needed — will provide identity theft protection insurance and pay for four years of credit monitoring at all three major credit bureaus along with an additional six at Equifax.

But the fund also contains a unique feature that experts believe could become a new standard in future penalties for breaches. It will reimburse the costs of dealing with the breach, like lawyers, out-of-pocket credit monitoring services and time spent wrangling with the whole ordeal, up to $20,000 per individual.

Stricter than Europe: Penalties under GDPR, Europe's privacy law, are usually portrayed as tougher than those in the U.S. While GDPR didn't take effect until after the Equifax breach, had Equifax spilled personal information on 147 million Europeans, the fine under GDPR would actually be smaller than what the U.S. just dished out.

  • Equifax did not encrypt personal data stolen in the breach, which would have violated GDPR. The penalty for violating GDPR is 2-4 percent of global revenue plus restitution.
  • For Equifax, which made $3.36 billion in revenue in 2017, that's a fine of $67 million. The state and federal regulator penalties for Equifax totaled around $200 million more than that.

The big question: Will this settlement's bite carry over to future breaches?

  • "There’s a real good chance the new reimbursement scheme will be the new standard," said Ken Dort, a data security and privacy attorney at Drinker Biddle.
  • However, experts think some of the high dollar totals may be more a response to alleged egregious mismanagement at Equifax that led to the breach.

The intrigue: It's only a matter of luck that a federal agency was able to dole out a fine for a privacy violation. While the CFPB can penalize financial institutions, no federal agency has the authority to fine most other companies on this issue.

  • Several lawmakers hope to pass legislation giving the Federal Trade Commission this central authority.
  • "Strengthening the FTC by giving it authority would be the strongest deterrent to future breaches," said Terrell McSweeny, a former FTC commissioner who is now an attorney at Covington.

What they're saying: "I expect a good number of lawyers will be using this as a case study for their clients in the future," said Marcus Christian, an attorney in Mayer Brown's cybersecurity practice.

Go deeper: How to file a claim over Equifax's data breach

Go deeper

How to file a claim over Equifax's data breach

Illustration: Sarah Grillo/Axios

If you're one of the 147 million-plus people who had their data exposed by Equifax's massive 2017 data breach, you can file a claim for cash or free credit monitoring, courtesy of Equifax's recent settlement with the Federal Trade Commission.

Details: If you lost up to $500 from the Equifax breach, filing for a "time spent" cash payment requires the least amount of paperwork and supporting documents. The deadline for all claims is January 22, per the FTC, and benefits will not be sent until January 23 at the earliest.

Jul 25, 2019

What to do if you're a Capital One customer whose info was hacked

Photo: Rafael Henrique/SOPA Images/LightRocket via Getty Images

Approximately 100 million Capital One customers in the U.S. and Canada are caught up in a data hack that the bank claims happened in March. If you think you're among them, here are a few steps you can take.

Where to start: The bank says it will notify all affected customers, including 140,000 whose Social Security numbers were compromised, and offer identity protection services and credit monitoring. Both are worth taking advantage of.

Jul 30, 2019

Data from 100 million credit applications stolen from Capital One

Photo: Johannes Eisele/AFP/Getty Images

The FBI arrested Washington state resident Paige Thompson Monday morning for the digital theft of data from tens of millions of credit card applications, multiple news sites reported. Capital One confirmed broad aspects of the arrest in a press release.

What was stolen: Data from around 100 million credit card applications from between 2005 and 2019, including 80,000 bank account numbers and 140,000 Social Security numbers. One million Canadian Social Insurance Numbers were also stolen.

Jul 29, 2019