By Cynthia Brumfield
Equifax’s 2017 breach will cost it billions in fines, customer restitution and mandated and voluntary security improvements. All organizations that profit from consumer data should take notice.
July 24, 2019 — The settlement also requires Equifax to spend another $125 million for cash compensation and potentially much more if the number of class members who sign up for credit monitoring exceeds 7 million. The company will further pay $175 million in fines to settle state attorneys’ general investigations and $100 million to resolve probes by the Consumer Financial Protection Bureau and the Federal Trade Commission (FTC).
Damage from Equifax breach
The hefty penalties follow a string of stinging developments Equifax has labored under for nearly two years. In the immediate aftermath of the breach, and of Equifax's own botched effort to deal with the fallout, CEO Richard Smith left the company shortly after the abrupt retirements of CIO David Webb and its CSO.
In late June, Jun Ying, former Equifax vice president and international CIO, was sentenced to four months in prison and ordered to pay around $117,000 in restitution and $55,000 in fines for insider trades of the company's stock that he made between the discovery of the data breach and its public announcement. Last October, former Equifax engineer Sudhakar Reddy Bonthu was likewise sentenced for insider trading and ordered to pay restitution, although Bonthu received eight months of home confinement rather than a prison term.
In late May, investor ratings giant Moody's cut its outlook on Equifax from stable to negative, the first such downgrade attributed to a cyberattack. At the time, Moody's said it saw no brighter future for Equifax because of its breach-related expenses, which it then estimated at around $400 million for 2019 and 2020.
U.S. authorities aren't alone in sanctioning Equifax for what the House Oversight and Government Reform Committee called an "entirely preventable" breach. Last September, the UK's data regulator, the Information Commissioner's Office (ICO), fined Equifax £500,000 ($664,000) for failing to protect the personal data of around 15 million Britons affected by the breach.
Equifax did get something of a break in the timing of the ICO's fine, because its breach happened too early to fall under the far more financially punitive regime of the EU's General Data Protection Regulation (GDPR), which took effect in May 2018. Under the GDPR, a fine of up to 4% of global annual revenue could have cost Equifax around $136 million, an amount more or less on par with two recent fines the ICO has proposed against other corporations for their data breaches.
In early July, the ICO announced that it intends to fine British Airways more than £183 million (around $230 million) after hackers stole the personal data of half a million of the airline's customers, including their payment card data, in a breach that began in June 2018. Also in early July, the ICO said it intends to fine U.S. hotel group Marriott International £99.2 million (around $123 million) over a data breach discovered in 2018 but possibly dating back as far as 2014. That breach, which affected Marriott's Starwood group of hotels, exposed the private data of around 339 million guests.
Norm Siegel, one of the co-lead counsels on
behalf of consumers in the Equifax settlement, thinks that security
professionals and executives should take the Equifax breach to heart. “We were
able to secure meaningful data security improvements, including a major capital
commitment backed by a court order, which is another important feature of this
settlement that perhaps will be a deterrent to” executive neglect of cybersecurity,
he tells CSO.
Companies that fail to heed the lesson of Equifax's security flame-out will likely end up on the same disastrous path, with more high-profile lawsuits to follow. "Consumer protection attorneys continue to play a key role in holding companies responsible," Amy Keller, another co-lead counsel in the Equifax settlement, tells CSO Online.
The settlement “demonstrates that consumers
refuse to accept that data breaches are the ‘new norm’” and “not only
consumers for the time and money they spent as a result of the
breach, but also [ensures] that consumers have the tools necessary to protect
themselves in the future,” she says.
The message is clear, according to Keller. “If companies profit off of your data, then they owe you a duty to protect that data.”