The recently announced multistate settlement between credit reporting company Equifax Inc. and the Attorneys General of 48 states, Puerto Rico, and the District of Columbia (the AGs) demonstrates the increasingly active role of state regulators in policing the privacy and security practices of businesses that handle consumers’ personal information. The multistate settlement is part of a comprehensive agreement between Equifax, the AGs, and other state and federal regulators, under which Equifax will pay at least $575 million and up to $700 million to resolve investigations and litigation arising out of a 2017 data breach alleged to have affected over 147 million consumers.
Multistate settlement payments and consumer relief
Under the terms of the final settlement and consent decree (the multistate settlement), Equifax will pay $175 million to be divided among the AGs. Equifax will also:
- Pay between $300 million and $425 million into a restitution fund for affected consumers;
- Offer affected adult consumers up to 10 years and affected minors up to 18 years of free credit monitoring and related services, including credit reporting and identity theft insurance; and
- Provide improved security, identity theft, credit freeze, credit transparency, and other consumer assistance services.
Equifax is not required to admit wrongdoing under the multistate settlement. The Federal Trade Commission and the Consumer Financial Protection Bureau (CFPB) have announced that Equifax will also pay $100 million in civil penalties to the CFPB to resolve related federal litigation.
Privacy and security compliance measures
In addition to its payments and consumer relief measures, Equifax must implement updated privacy, security, and information governance practices that include, among other things:
- A seven-year comprehensive information security program, requiring oversight of vendors that handle consumers’ personal information;
- Upgraded internal safeguards and controls for the handling of consumer data, including encryption of certain information stored on or transmitted across Equifax networks and enhanced practices related to the sharing of consumer data with third parties for advertising purposes;
- Numerous technical upgrades, including among other things network segmentation protocols, risk-based penetration testing, heightened account access and password controls, and automated vulnerability and exposure monitoring;
- Biennial security assessments performed by an independent third party; and
- Reporting, compliance monitoring, and related record-keeping requirements.
Many of the information security and oversight measures in the multistate settlement reflect corrective actions Equifax agreed to undertake pursuant to a consent order reached with several state banking regulators in June 2018.
Comments and takeaways from the settlement
Equifax’s multistate settlement with the AGs is one of the largest breach settlements in U.S. history. It arrives at a time when all 50 states have enacted data breach notification legislation and less than six months before the effective date of the California Consumer Privacy Act (CCPA), which includes a private right of action for individuals affected by certain breaches of unencrypted personal information. Beyond the CCPA, which has been enacted but has not yet taken effect, other states and the federal government are considering comprehensive consumer privacy legislation that would further expand the authority of state AGs and federal regulators to scrutinize the privacy and security practices of organizations that handle consumer personal information.
The regulatory and litigation costs of defending data breach investigations and lawsuits can be expected to increase. That makes it more important for businesses to review, update, and document their information privacy and security practices, to keep abreast of the evolving legislative and regulatory landscape, and to understand the policy and enforcement priorities of state AGs’ offices.