Oregon to receive $2.8M from record $700M Equifax data breach settlement

Equifax Inc.

Equifax will pay up to $700 million to settle with the Federal Trade Commission and others over a 2017 data breach that exposed Social Security numbers and other private information of nearly 150 million people. (AP Photo/Mike Stewart, File)AP

By SARAH SELL and KEN SWEET Associated Press

Equifax has agreed to pay $700 million, and potentially more, to settle with the federal authorities and states over its 2017 data breach that exposed the Social Security numbers and other private information of nearly 150 million people, roughly half of the U.S. population.

Oregon is in line to receive $2.8 million, according to the Oregon Department of Justice.

The settlement with the Consumer Financial Protection Bureau, the Federal Trade Commission, 48 states, the District of Columbia and Puerto Rico would provide up to $425 million in monetary relief to consumers, a $100 million civil money penalty and other relief.

The breach was one of the largest ever to threaten the private information. The consumer reporting company, based in Atlanta, did not detect the attack for more than six weeks. The compromised data included Social Security numbers, birth dates, addresses, driver license numbers, credit card numbers and, in some cases, data from passports. The breach resulted in the abrupt dismissal of Equifax’s then CEO as well as numerous other executives at the company.

"The (settlement) that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data - and reflects the seriousness with which we take this matter," said Equifax CEO Mark Begor.

Equifax stock, which plunged 30% in the days following the disclosure of the breach, have returned to levels where they traded before the incident. Shares of Equifax rose 2% to $140.26. A share cost $141.45 in the hours before the breach was disclosed on Sept. 7, 2017.

The relief is coming in multiple forms. Equifax will pay initially $380.5 million into a fund to cover potential identity theft that was caused as a result of the breach, as well as any costs that a potential victim had to pay for credit monitoring. An additional $125 million would be paid additionally by Equifax if victims' out-of-pocket expenses end up depleting the initial fund. Equifax could also potentially pay $2 billion to cover credit monitoring services if all 147 million victims sign up for credit monitoring services.

Victims of Equifax's breach will be eligible for up to 10 years of credit monitoring services for free, seven years of identity-restoration services, and six free copies of Equifax's credit reports per year for the next seven years. That's on top of the free credit reports each U.S. resident is eligible for from the credit reporting companies under U.S. law.

If consumers choose not to enroll in the free credit monitoring product, they may seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice. Consumers must submit a claim in order to receive free credit monitoring or cash reimbursements.

Equifax will have to spend at least $1 billion over five years to enhance its cybersecurity practices.

On top of that, Equifax will have to pay a $100 million fine to the CFPB and pay tens of millions of dollars to states and territories to settle those lawsuits as well.

"Companies that profit from personal information have an extra responsibility to protect and secure that data," said FTC Chairman Joe Simons. "Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud."

Consumer advocates were generally positive on the settlement, but had concerns on the timescale of the settlement. Because the thieves stole permanently identifiable information like Social Security numbers and birth dates, the data could be used for decades to commit identity theft.

"What happens if a consumer is the victim of ID theft in the fifth year resulting from the breach, which costs the consumer tens of thousands of dollars?," said Chi Chi Wu, staff attorney at National Consumer Law Center.

The settlement must still be approved by the federal district court in the Northern District of Georgia.

Consumers who are eligible for redress will be required to submit claims online, by mail or by phone. Consumers will be able to obtain information about the settlement, check their eligibility to file a claim, and file a claim by phone or online. To receive email updates regarding the launch of the Equifax Settlement Breach online registry, consumers can sign up at www.ftc.gov/equifax-data-breach. Consumers can also call 1-833-759-2982 for more information.

If you purchase a product or register for an account through a link on our site, we may receive compensation. By using this site, you consent to our User Agreement and agree that your clicks, interactions, and personal information may be collected, recorded, and/or stored by us and social media and other third-party partners in accordance with our Privacy Policy.