TALLAHASSEE, Fla.—Attorney General Ashley Moody today announced an agreement reached with Equifax over failed security measures in a massive 2017 data breach that affected nearly half of the U.S. population. The agreement includes a Consumer Restitution Fund of up to $425 million, a $175 million payment to the states and injunctive relief. This represents the highest payment for a multistate data breach investigation to date. Attorney General Moody is joined by 49 other attorneys general in holding Equifax accountable for failing to implement adequate security measures.
Attorney General Ashley Moody said, “The massive Equifax data breach is the most egregious example of a failure to protect Florida consumers’ most personal information from cybercriminals. It is a serious risk of identity theft that could follow consumers for a lifetime.”
The investigation found that Equifax’s failure to maintain a reasonable security system enabled hackers to penetrate its systems. Breached information included Social Security numbers, names, dates of birth, addresses, credit card numbers, and in some cases, driver’s license numbers.
Shortly after Equifax announced a data breach on Sept. 7, 2017, the attorneys general launched a multistate investigation into the breach. The investigation found that the breach occurred because Equifax failed to implement an adequate security program to protect consumers’ highly sensitive information. Equifax failed to fully patch its systems despite knowing about a critical vulnerability in its software. Moreover, Equifax failed to replace software that monitored the breached network for suspicious activity. As a result, the attackers penetrated Equifax’s system and went unnoticed for 76 days.
Under the terms of the settlement, Equifax agrees to provide a single Consumer Restitution Fund of up to $425 million. The company will also offer affected consumers extended credit-monitoring services for 10 years. Equifax also agrees to take several steps to assist consumers who are either facing identity theft issues or who already had identities stolen including, but not limited to:
Equifax also agrees to strengthen its security practices going forward, to include:
Separate settlements by the Federal Trade Commission, the Consumer Financial Protection Bureau, as well as the multi-district class actions are also addressed by the Consumer Restitution Fund. Florida’s agreement is subject to approval by the Circuit Court for Broward County.
A website will be available to accept claim forms and administer the settlement funds: EquifaxBreachSettlement.com. The website will go live in the coming days as the settlement must receive judicial approval before the administrator can accept consumer claim forms. If consumers wish to be notified when the breach settlement website begins accepting settlement fund related claims, they can go to FTC.gov/Equifax and submit email addresses. For questions about eligibility for restitution, filing a claim, enrolling in credit monitoring, or additional information, consumers should visit EquifaxBreachSettlement.com or call 1(833) 759-2982.
