On February 13, 2020, following months of mediation efforts, the parties to a class action suit brought by Equifax shareholders entered an agreement in principle to settle, a long-awaited resolution following the infamous data breach from 2017. According to the terms of the settlement, Equifax will pay $149 million to the settlement class for its involvement in the massive data hack and related violations of federal securities laws.
This large settlement is the latest of several sums Equifax has paid in connection with the 2017 cyberattack. Thus far, Equifax is responsible for $1.7 billion in settlement expenses, signaling a liability reckoning for cybersecurity litigation.
Background on the 2017 Equifax Data Breach
In September 2017, Equifax, one of the “big three” consumer credit reporting agencies, admitted to a data breach of more than 147 million customers’ sensitive information—nearly half of the U.S. population. The company blamed a cyberattack and admitted hackers had accessed millions of Social Security numbers, addresses, birth dates, and driver’s license numbers.
On February 11, 2020, four members of China’s military were named as the perpetrators and indicted by the U.S. government. But for Equifax itself, the two years following the massive hack have seen outcry from customers and lawmakers alike, securities class action lawsuits, and, most recently, costly settlements with regulators.
The shareholders’ lawsuits aimed at Equifax in the wake of the data breach hitting headlines were consolidated into an amended complaint, filed in April 2018. The complaints alleged that Equifax “failed to take the most basic precautions” to secure its databases and issued misleading communications about the status of sensitive information collected from customers.
The Defendant’s Challenge
In response, the defendant filed a motion to dismiss the amended complaint. Upon a ruling in January 2019, the court granted the motion in part and denied it in part. Namely, the court upheld the plaintiff’s “multitude of specific, detailed factual allegations demonstrating that Equifax’s systems were grossly deficient and outdated, below industry standards, and vulnerable to attack.” The plaintiff’s claims that Equifax had been obligated to disclose details of the breach sooner were dismissed. The court also dismissed allegations of scienter by two named Equifax executives for selling large amounts of their stock in the days following the internal discovery of the breach.
A Drop in the Settlement Bucket
The company’s shareholders were not the only impacted party looking for legal justice. In July 2019, a proposed settlement was brought before the court laying out terms between Equifax and a class-action suit of affected customers. Equifax agreed to pay at least $650 million towards customer claims from the data breach, with the possibility of contributing significantly more.
About half of the proposed fund was assigned to compensate customers impacted by the data leak, with $275 million going towards state and federal fines. Equifax stated it would contribute an additional $125 million towards customer claims if the original fund was exhausted. Equifax also agreed to provide free credit monitoring services for up to 10 years. By the company's estimate, seven million impacted customers would sign up for this service, costing it $16 million. However, if all 147 million people were to sign up, the cost would rise to over $2 billion.
The settlement also gave affected customers the option to file a claim for a $125 cash payment instead of free credit monitoring. As of December 2019, only about 10% of the 147 million affected customers had taken any action for either the cash payment or credit monitoring service.
The Future of Cybersecurity
Equifax’s data breach was a shocking failure in cybersecurity, especially as data protection concerns and hacking attacks become more frequent. This breach also struck a nerve among Equifax’s customer base. As Equifax churns out credit reports, customers have no control over the flow of their information from banks and insurance companies.
The Equifax data breach was distinct in both its scope and the critical nature of the data leaked. However, the ensuing settlements are important wins for cybersecurity enforcement, especially for companies whose possession of highly sensitive data renders them targets for hackers.