Updated at 11:25 a.m. ET
Equifax will pay up to $700 million in fines and monetary relief to consumers over a 2017 data breach at the credit reporting bureau that affected nearly 150 million people.
The proposed settlement, which is subject to approval by a federal court, was announced Monday by the company, the Federal Trade Commission, the Consumer Financial Protection Bureau, 48 states, the District of Columbia and Puerto Rico.
The consumer data exposed in the breach included Social Security numbers, birthdates and addresses and, in some cases, driver's license numbers.
CFPB Director Kathleen Kraninger said the settlement includes $425 million to cover the "time and money [people affected by the breach] spent to protect themselves from potential threats of identity theft or addressing incidents of identity theft as a result of the breach."
Equifax also agreed to pay $175 million to the states and $100 million to the CFPB in civil penalties.
And, starting in January, Equifax "will provide all U.S. consumers with six free credit reports each year for seven years," the FTC said. That's in addition to the free annual credit reports that Equifax, and the two other nationwide credit reporting agencies — Experian and TransUnion — currently provide.
Under the settlement, affected consumers will be eligible for free credit monitoring. Those who already have credit monitoring services for at least six months can request a $125 cash payment.
People affected by the breach may also qualify for cash payments of up to $20,000 for: the time they spent dealing with fraud, identity theft or other misuses of their personal information, or taking preventative steps such as placing or removing security freezes; for out-of-pocket losses; and for 25% of the cost of Equifax credit or identity-monitoring products they paid for in the year before the breach was announced.
"Equifax failed to take basic steps that may have prevented the breach," FTC Chairman Joe Simons said in the agency's announcement. "This settlement requires that the company take steps to improve its data security."
The FTC alleges that Equifax "failed to patch its network after being alerted in March 2017 to a critical security vulnerability" and that the company didn't discover that its database was unpatched until four months later, when it detected suspicious traffic on its network. Multiple hackers were able to exploit the vulnerability, the FTC said.
In a statement, Equifax called the proposed settlement "a positive step for U.S. consumers." Equifax Chief Executive Officer Mark Begor said the $425 million consumer fund "reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter."
Some consumer advocates said the proposed settlement didn't go far enough, given the long-term harm the breach inflicted. "The shelf life of financial DNA is forever so this sounds like a sweetheart deal for a company that failed to do its basic job: protect consumer data," the U.S. Public Interest Research Group said in a statement.
But others praised the agreement. Justin Brookman, director of privacy and technology policy for Consumer Reports, said the FTC was able to force Equifax to "spend a fair amount of money as far as improving security, paying for credit monitoring, and reimbursing consumers for their expenses."
Sen. Mark Warner, D-Va., a member of the Senate Banking Committee, said in a statement that he was happy consumers will be compensated but added, "we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again." Warner is co-sponsoring legislation that would give the FTC more authority to supervise data security at the credit agencies.
RACHEL MARTIN, HOST:
The credit bureau Equifax will pay up to $700 million to consumers over a massive data breach two years ago. That hack exposed the personal information of about 147 million people. That is more than half the adult population of the entire United States.
NPR's Chris Arnold has been following this and joins us now. Hi, Chris.
CHRIS ARNOLD, BYLINE: Hey, Rachel.
MARTIN: So how much of this money is actually going to go to the people who were hurt or affected in some way by that data breach?
ARNOLD: Well, the Consumer Financial Protection Bureau, which was part of this, says $425 million will be for, quote, "time and money that people spent to protect themselves from potential threats of identity theft or addressing actual incidents of identity theft as a result of the breach."
And we're reading this morning. The settlement just came out, so we're, you know, thumbing through it, learning things. And people could get up to $20,000 each, it looks like, for lost time and money. You have to apply and document what happened. It looks like they're going to pay people $25 an hour for up to 20 hours for dealing with a whole range of different things - I mean, whether you had your identity stolen and you dealt with that or just...
ARNOLD: ...Signing up for services. And it's unclear, though, like, how people are supposed to know - well, OK, my identity got stolen. Was it because of this breach? I mean, so there's still some unanswered...
ARNOLD: ...Questions about exactly how that will work. But the goal is to reimburse people if they got hurt.
MARTIN: How do you actually do that? How do people try to get reimbursed?
ARNOLD: Well, there's a website, like there often is these days. It's equifaxbreachsettlement.com. These things are often difficult to remember on the radio, so I'm going to say it again - equifaxbreachsettlement.com - no spaces or anything. And assuming the court approves the settlement, people can go there and sign up and do everything they have to do. But we should say that people have to do this within six months if they want to get the benefits.
MARTIN: So a settlement for more than half a billion dollars sounds like a whole lot of money. Is this a win for consumer groups? Are they happy?
ARNOLD: I mean, it depends on who you ask. I mean, some advocates say look; this affected so many people - like you said, more than half the adult population of the United States - and the type of information that the credit bureaus track - it's so potentially damaging they say look; this is not enough. You know, it's ridiculous.
Others say $700 million is not an insignificant amount of money. It's a real bite out of the company's profits. And at least a lot of people are going to get some money back.
MARTIN: Can you just remind us about the breach itself? I mean, there were hearings in Congress when this happened. There were a lot of lawmakers who were very outraged. Why is this breach such a big deal?
ARNOLD: Yeah, I mean, again, first, it's 115 million people, right? So that makes it a big deal. But beyond that, I mean, Equifax affects the financial lives of, you know, almost everybody in this country, right? I mean, it's your credit score. It's your ability to get a mortgage or a car loan.
Companies like this collect data on your financial history. They know if you're paying your bills, how many credit cards you have, what the credit card numbers actually are, your Social Security number. And this hack exposed that, at least with this one company, they just did not have good enough security. And they're supposed to be, you know, safeguarding all this really sensitive information.
MARTIN: But it's brought up this other issue about what kind of permission people are or are not giving this company, right? I mean, people don't actively sign up for Equifax.
MARTIN: They can order a credit score, and then Equifax dives into their stockpile of all their personal information.
ARNOLD: Yeah. And, I mean, it's in some ways kind of crazy. This is the way it's evolved. And there are just all kinds of information. They have a dossier, basically, on all of us. We don't give permission, so that's why there's just been so much concern that they're not keeping us safe. We should say they're going to spend $1 billion, though, on cybersecurity as part of this settlement.
MARTIN: NPR's Chris Arnold. Thanks, Chris.
ARNOLD: Thanks, Rachel.
Transcript provided by NPR, Copyright NPR.