WASHINGTON (Reuters) – Credit-reporting company Equifax Inc (EFX.N) will pay up to a record $650 million to settle U.S. federal and state probes into a massive 2017 data breach of personal information, authorities said on Monday.
The largest-ever settlement for a data breach draws to a close multiple probes into Equifax by the Federal Trade Commission, the Consumer Financial Protection Board and nearly all state attorneys general. It also resolves pending class-action lawsuits against the company.
“This company’s ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population,” New York Attorney General Letitia James said in a statement.
Equifax, one of three major credit-reporting companies, disclosed in 2017 that a data breach had compromised the personal information, including Social Security numbers, of 143 million Americans.
The scandal upended the company, which saw the exit of its chief executive, as its security practices and slow speed in disclosing the breach were challenged. Washington policymakers questioned how private companies could amass so much personal data, setting off efforts to bolster consumers’ ability to protect and control their information.
Under the settlement, the company will establish a $300 million restitution fund for harmed consumers that could climb to $425 million depending on its use. Consumers eligible for the fund must submit claims showing they were fraud victims or set up credit-monitoring services following the breach.
Equifax will also pay a $175 million fine to the states and $50 million to the CFPB.
Affected consumers will also be eligible for 10 years of free credit monitoring from Equifax, and the company agreed to make it easier for consumers to freeze their credit or dispute inaccurate information in credit reports.
The company has also agreed to bolster its security practices and have its policies assessed regularly by a third party.
Reporting by Pete Schroeder; Editing by Peter Cooney