
Consumers hurt by the 2017 Equifax data breach could be eligible for up to $20,000 in compensation and up to 10 years of free credit monitoring under a half-billion dollar settlement between the credit agency and the Federal Trade Commission.  

The $575 million agreement, which could grow to as much as $700 million, would settle one of the largest data breaches in U.S. history. Equifax initially put the number of affected consumers at 143 million and later revised it to roughly 147 million.


The credit reporting giant will pay $300 million into a fund that will provide affected consumers with up to 10 years of credit monitoring services and reimburse them if they paid for third-party credit monitoring, as well as other out-of-pocket expenses associated with the 2017 breach. Consumers may also be entitled to free identity restoration services, and a partial refund if they paid for Equifax services.

In addition, beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years. That's in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide.

Consumers must file to get their reimbursements, which are capped at $20,000, including compensation for up to 20 hours of the consumer's time at $25 per hour. Reimbursable items include losses stemming from identity theft, as well as out-of-pocket expenses for items like attorney fees, notary services, faxes, copying, postage, phone and mileage charges.

In a Monday-morning press conference, the FTC stressed that the bar for getting compensation is relatively low. Some portion of the reimbursement for time spent can be self-certified. Furthermore, a consumer who suffered an identity theft doesn't have to prove that it stemmed directly from the Equifax breach. Having experienced the loss after September 2017 should qualify a consumer for compensation.

Details of how consumers can file for reimbursement have not yet been finalized, but information can be found at equifaxbreachsettlement.com when it becomes available, or by calling 1-833-759-2982. You can also sign up to get free e-mail updates about the settlement.

According to an FTC release, Equifax would add up to $125 million to the fund if the initial payment is not enough to compensate consumers for their losses.

"Given the FTC's weak legal authority, it's a pretty strong settlement," says Justin Brookman, director of privacy and technology policy for Consumer Reports. "The FTC wasn't able to get penalties against Equifax, but it was able to force them to spend a fair amount of money as far as improving security, paying for credit monitoring, and reimbursing consumers for their expenses." 

Brookman warns consumers to not rely too heavily on credit monitoring.

"Credit freezes are actually better and they're free under the law," he explains. "Credit monitoring only alerts you once something has gone wrong, while credit freezes can prevent bad folks from getting your information in the first place."

The company has also agreed to pay $175 million in civil penalties to 48 states, the District of Columbia, and Puerto Rico, as well as $100 million to the Consumer Financial Protection Bureau (CFPB). The FTC Commissioners voted unanimously, 5-0, to take this action against Equifax.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons in a press release. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

The amount of the settlement doesn't come as a surprise; the company had previously set aside $690 million to cover an impending FTC penalty.

Earlier this month, The Wall Street Journal reported that the FTC would fine Facebook $5 billion for violations of its 2011 consent decree with the agency that put consumer data at risk in a variety of incidents, including Cambridge Analytica.

An 'Entirely Preventable' Breach

A scathing Congressional report released in December of 2018 called the Equifax breach "entirely preventable." The 96-page report concluded that the credit reporting company failed to patch a publicly disclosed vulnerability in the Apache Struts web-application framework that its consumer dispute portal ran on, despite being warned about the problem in early March 2017, months before the data breach.

Equifax had also let a security certificate on the device that inspects its network traffic expire, which left that tool unable to examine encrypted traffic. The lapse kept the company from discovering the intrusion until the attackers had been inside its systems for 76 days, between mid-May and late July. The public wasn't informed of the data breach until September 2017.
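The two failures described above, a known fix left unapplied for months and a monitoring device that had quietly gone blind, are both things a routine check can catch. The script below is an added example, not code from the article, from Equifax, or from the Congressional report. It runs a patch-latency check (deployments still on a version older than an advisory's fix, with the advisory older than a patch SLA) and a certificate-expiry check on traffic-inspection devices over a constructed inventory; every host name, component name, version number and date in it is made up for illustration, and the simple dotted-version comparison is a hypothetical simplification of real version schemes.

```python
"""
Patch-latency and inspection-coverage check over a constructed inventory.
Added example; not Equifax's, the FTC's, or the House committee's tooling.
All names, versions and dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


def parse_version(v: str) -> tuple:
    """'1.4.10' -> (1, 4, 10) so tuples compare numerically, not as strings.
    Hypothetical simplification: non-digit characters in a part are dropped."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    component: str
    branch: str          # major.minor release line the fix applies to
    fixed_version: str   # first version on that branch that contains the fix
    published: date


@dataclass(frozen=True)
class Deployment:
    host: str
    component: str
    version: str


def is_vulnerable(dep: Deployment, adv: Advisory) -> bool:
    """Vulnerable when the host runs the advisory's component on the
    advisory's branch at a version below the fixed version."""
    if dep.component != adv.component:
        return False
    if not dep.version.startswith(adv.branch + "."):
        return False
    return parse_version(dep.version) < parse_version(adv.fixed_version)


def overdue_patches(deployments, advisories, today: date, sla_days: int = 30):
    """(host, component, version, advisory_age_days) for each deployment that
    is still vulnerable to an advisory published more than sla_days ago."""
    findings = []
    for dep in deployments:
        for adv in advisories:
            if is_vulnerable(dep, adv):
                age = (today - adv.published).days
                if age > sla_days:
                    findings.append((dep.host, dep.component, dep.version, age))
    return sorted(findings)


@dataclass(frozen=True)
class InspectionDevice:
    name: str
    cert_not_after: date  # expiry of the cert the device uses to decrypt traffic


def blind_spots(devices, today: date, warn_days: int = 30):
    """Devices whose inspection certificate has expired (traffic is passing
    uninspected) or will expire within warn_days. Returns
    (name, 'expired' | 'expiring', days_since_or_until)."""
    out = []
    for d in devices:
        remaining = (d.cert_not_after - today).days
        if remaining < 0:
            out.append((d.name, "expired", -remaining))
        elif remaining <= warn_days:
            out.append((d.name, "expiring", remaining))
    return out


# Constructed sample inventory (hypothetical names, versions and dates).
CHECK_DATE = date(2017, 5, 13)
ADVISORIES = [
    Advisory("webframework", "1.4", "1.4.7", date(2017, 3, 7)),
    Advisory("webframework", "1.5", "1.5.6", date(2017, 3, 7)),
]
DEPLOYMENTS = [
    Deployment("dispute-portal-01", "webframework", "1.4.5"),   # unpatched
    Deployment("dispute-portal-02", "webframework", "1.4.7"),   # patched
    Deployment("api-gw-01", "webframework", "1.5.2"),           # unpatched
    Deployment("intranet-01", "cms", "4.1.0"),                  # not affected
]
DEVICES = [
    InspectionDevice("ssl-visibility-01", date(2016, 1, 31)),   # long expired
    InspectionDevice("ssl-visibility-02", date(2017, 6, 1)),    # expiring soon
    InspectionDevice("ssl-visibility-03", date(2018, 1, 1)),    # fine
]

if __name__ == "__main__":
    for host, comp, ver, age in overdue_patches(DEPLOYMENTS, ADVISORIES, CHECK_DATE):
        print(f"OVERDUE  {host}: {comp} {ver}, fix published {age} days ago")
    for name, state, days in blind_spots(DEVICES, CHECK_DATE):
        print(f"COVERAGE {name}: certificate {state} ({days} days)")
```

The patch check keys on the fix version per release line rather than on a blanket "latest version", because a host on an older maintained branch is not vulnerable once it has that branch's fix; the certificate check treats an expired inspection certificate as a coverage gap rather than a cosmetic warning, since traffic the device cannot decrypt is traffic nobody is looking at.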

Equifax had not responded to Consumer Reports' request for comment at time of publication. 

In addition to the payments to consumers and government agencies, the agreement requires Equifax to implement "a comprehensive information security program."

Under that program, the company would designate an employee to oversee the information security program, conduct annual assessments of security risks, and implement safeguards. The company would also be required to test and monitor the effectiveness of its security, and ensure that its service providers also implemented adequate safeguards to protect consumer data.

Editor's Note: This story has been updated with additional information about the settlement from the FTC's news conference.