Long-Awaited Fine of $700M Also Imposes New Security Rules
The last couple weeks have brought big news from the FTC as they’ve handed down large fines to some really big firms. Recently they fined Facebook $5 billion, the largest fine to any firm ever. This week their fine dropped on Equifax, with the minimum fine starting at $575 million and with all 48-50 states affected, could go as high as $700 million. The fine was levied because of Equifax’s 2017 data breach that compromised 147 million Americans.
Last December, Congress completed an investigation into the Equifax breach and determined that Equifax was responsible due to several ways they failed to protect the data (See our blog, Congressional investigation into Equifax breach finds multiple security failures). The resulting breach led to an enormous number of users’ personal information being exposed – nearly half the country, including names, dates of birth, Social Security numbers, addresses and more, all of which can be used to carry out user identity theft or fraud.
The Terms of the Agreement
Equifax agreed to pay $300 million to fund several consumer credit monitoring services. The fund covers credit and identity monitoring services, including those that Equifax provided to users, as well as compensation for consumers who bought these services from Equifax. Other expenses from the data breach are covered as well. If the initial amount doesn’t cover all the costs, Equifax will provide an additional $125 million to cover consumer losses.
Other terms specify that Equifax will give six (6) free credit reports per year for seven (7) years for all US consumers. This is in addition to the one free credit report Equifax and the other two agencies (Experian and TransUnion) are obligated to provide when requested.
Equifax will pay $175 million to 48 states, DC and Puerto Rico, plus $100 million in civil penalties to the Consumer Finance Protection Bureau (CFPB).
FTC Chairman Joe Simons said about Equifax and the fine, “Companies that profit from personal information have an extra responsibility to protect and secure that data.” He continued, “This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
Security Above and Beyond the Fine
Paying restitution to victims is important but preventing such breaches from reoccurring is equally important.
Equifax now must implement a more robust, comprehensive security program that adheres to these measures:
Designates an employee to oversee the information security program;
Conducts annual assessments of internal and external security risks, and implementing safeguards to address potential risks, including patch management and security remediation policies, network intrusion mechanisms, and other protections;
Obtains annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements;
Tests and monitors the effectiveness of the security safeguards; and
Ensures service providers that procedures to access personal information stored by Equifax implement adequate safeguards to protect such data.
Equifax won’t oversee its own compliance. They must use a third party to assess its program every two years. The assessor must be approved by the FTC and is bound by the agreement to provide evidence of compliance, with independent samples, documents and interviews with employees.
Equifax itself must also submit an annual status report to the FTC regarding its consumer claims. Guidelines for distributing funds are still pending. Sadly, a good portion of the money will go to legal fees.
Will Anything Change in the Aftermath?
Monitoring consumer accounts after a breach matters but it’s only the beginning.
"It's of course important for consumers to monitor their credit, but if there are problems, the real challenge is in addressing fraud and proactively repairing damaged credit," says Willy Leichter, vice president of marketing at Virsec, an applications security company.
"Free reporting does none of that," he told the E-Commerce Times.
Additional fines could be coming from the GDPR too. The GDPR’s maximum fine can be 4 percent (4%) of annual global revenue. They have imposed increasing fines since the regulations went into effect and many investigations are pending – including into Facebook, Google, Apple and others. The recent fine from the US on Facebook was 9 percent (9%), and this Equifax fine is roughly 25 percent (25%) of annual revenue.
With their fines, regulatory agencies like the FTC are sending a clear message that these companies who failed to protect data are liable for breaches that compromise their users’ information.
At the same time, it remains to be seen if these penalties will be effective deterrents against treating confidential information flippantly, or an incentive to do more to protect that information. The potential of these breaches to cause problems ranging from irritation to destruction to massive numbers of people is severe.
“Large penalties do change the risk equations that many businesses use to decide on their level of security investment,” noted Virsec's Leichter. "But given the scale of the Equifax breach, this penalty is relatively light and may have little direct effect on other businesses and little direct effect on improving consumer security."
Companies have to decide for themselves – hopefully before any hefty fines – that security is an essential goal in its own right and that it’s important not only to earn customer loyalty but to also be deserving of keeping it.