Emily Birnbaum and Maggie Miller
Lawmakers and industry officials are criticizing the settlement between regulators and credit agency Equifax, arguing that a penalty of up to $700 million is not enough for the 2017 data breach that exposed the personal information of around 147 million Americans.
Critics also are turning their ire toward Congress, arguing the penalty could have been steeper if the U.S. had a comprehensive privacy law in place.
“[The settlement] shows that we need a comprehensive data privacy and security law to ensure companies are designing their systems to protect consumer privacy from the start, minimizing the personal information they keep, and are held appropriately accountable if they fail,” House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.) said in a statement on Monday.
The enormous Equifax breach, which left more than half the adults in the U.S. vulnerable to identity theft and fraud, compromised data including Social Security numbers, birth dates, driver’s license numbers, credit card numbers, addresses and some passport data.
The settlement would require Equifax to pay at least $575 million, and potentially up to $700 million, over the breach. Of that, $300 million will go to a fund providing impacted consumers with credit monitoring services. Equifax also stands to add $125 million if the initial amount doesn’t prove adequate to meet demand.
Additionally, Equifax will pay $175 million to 48 states, the District of Columbia and Puerto Rico, along with $100 million to the Consumer Financial Protection Bureau in civil penalties.
Divided across everyone affected by the breach, the full amount comes to around $4 per impacted consumer.
“While this settlement may help compensate people affected by the breach, it doesn’t adequately address the broader problem of lax data security,” Sen. Amy Klobuchar (D-Minn.), a 2020 Democratic presidential candidate, said in a statement. “Congress must act to ensure that a breach of this magnitude never happens again.”
Equifax has also agreed to provide all U.S. customers with six free credit reports each year for seven years beginning in January, and the company is required to implement a “comprehensive information security program” to protect customers.
Equifax says it is investing more than $1 billion in technological and cybersecurity measures to prevent another breach.
“To date, we have not identified instances of the stolen data being used for identity theft purposes or being sold on the dark web,” Equifax CEO Mark Begor told reporters on a call Monday. “But we remain committed to doing the right thing for impacted consumers in safeguarding their data.”
While Equifax may not have identified instances of the data being used for malicious purposes, Maryland Attorney General Brian Frosh (D) said at a press conference Monday that hackers often keep data for years. “I don’t think we can say ... that all the harm has been realized,” he added.
The settlement came two years after Equifax discovered the breach. The investigation dragged on in part because it was not immediately clear how the government could hold Equifax accountable, an issue largely due to the lack of federal privacy legislation.
“If we had the comprehensive privacy statute … the authorities would be clear, we’d have a clear way to proceed and then we wouldn’t have an extensive negotiation to try to figure out what sort of remedies the agencies could impose,” Harold Feld, senior vice president of consumer group Public Knowledge, told The Hill.
Justin Brookman, director of consumer privacy and technology policy for Consumer Reports, told The Hill he believes the two-year timeline underscores the Federal Trade Commission’s (FTC) need for more resources. The FTC previously told Congress it only has 40 full-time employees dedicated to overseeing internet privacy and data security, a number that pales in comparison to the 500 employees at the United Kingdom’s privacy watchdog.
During a press conference Monday, FTC officials said they need greater civil penalty authority to respond to incidents such as the Equifax breach, with FTC Chairman Joseph Simons urging Congress to pass data privacy legislation that would give them authority to bring penalties against companies for their first offense.
“I think we could create a lot more deterrence if we got civil penalty authority, and that is what we are asking for,” Simons said.
Following the initial breach in 2017, Congress stepped in to investigate the incident, with multiple hearings from various committees. Multiple congressional reports concluded that Equifax ignored vulnerabilities in its system that led to the hack and failed to take adequate action in its aftermath.
Other lawmakers from both sides of the aisle also criticized the settlement and the lack of a federal data privacy law.
Senate Intelligence Committee Vice Chairman Mark Warner (D-Va.) said in a statement, “While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”
Warner and Sen. Elizabeth Warren (D-Mass.), another 2020 contender, introduced a bill last year that would hold companies like Equifax accountable for data breaches in the future.
Sen. Ben Sasse (R-Neb.) called the settlement “good news” but said the consequences of the breach will reverberate for years.
“Years from now, there will be families who can’t get home loans, families stuck with crummy credit scores, and families battling fraudulent charges because their data was mishandled by Equifax,” Sasse said in a statement.
Security experts concluded the Equifax data was likely stolen by a nation-state for spying purposes, since it has not surfaced on the dark web and there is little evidence it has been used to impersonate victims.
The breach amounted to the largest of its kind in U.S. history, leading to an equally record-shattering settlement on Monday, which some saw as an important precedent.
Rep. Greg Walden (Ore.), the House Energy and Commerce Committee’s top Republican, called the settlement a “step forward.”
“We knew there was no silver bullet, because restoring trust takes time,” he added.
Brookman told The Hill he believes the settlement would be “an effective deterrent for future behavior.”
And Frosh said the settlement now “sets a standard for all credit reporting agencies.”
A spokesperson for TransUnion, one of the three major credit agencies, told The Hill in a statement that it is “acutely aware that consumers count on us to safeguard their information, as do our data furnishers and business customers. Information security is a top priority at all levels of our global organization.”
On Capitol Hill, though, despite calls for legislation, work on a federal data privacy bill has largely stalled.
“We really encourage them to consider and keep going,” Simons said Monday. “It’s important for consumers, it’s important for the country.”