Equifax has agreed to pay at least $1.4 billion to settle multidistrict litigation brought on behalf of 147 million U.S. consumers and pay millions more to resolve civil complaints brought by the federal government and multiple state attorneys general over its massive 2017 data breach.

Monday's notice of the proposed settlement, detailed in court papers filed in Atlanta, would largely resolve the legal fallout from consumers whose personal and financial data was hacked following one of the nation's largest data breaches.

The civil settlement—which Equifax counsel and lawyers representing the consumer class announced at a hearing in U.S. District Court in Atlanta Monday morning—includes a commitment by the company to spend $1 billion on cybersecurity measures over the next five years and establish a $380.5 million fund to pay for four years of credit monitoring and financial help, where needed, in resolving identity theft issues for victimized consumers.

The fund would also reimburse consumers for expenses incurred in securing their personal information or repairing stolen identities after Equifax belatedly acknowledged the breach, according to the settlement terms.

Equifax also committed to expand the fund by at least another $125 million for excess out-of-pocket losses by consumers and potentially make available as much as $2 billion more if all 147 million consumers sign on, according to the terms.

The plaintiff consumers' notice of settlement stated the retail value of the credit services alone would exceed $282 billion, or $1,920 per consumer, if all 147 million class members take advantage of Equifax's offer. Equifax will not benefit from the credit protection services, which will be handled by Ireland-based consumer reporting agency Experian, according to the settlement terms.

U.S. District Chief Judge Thomas Thrash Jr. of the Northern District of Georgia approved the settlement agreement during Monday's hearing.

Attorneys for the consumer class who negotiated the deal will receive about $77.5 million from the fund, according to the settlement agreement.

Kenneth Canfield of Doffermyre Shields Canfield & Knowles, Atlanta, enters the Richard B. Russell Federal Courthouse in Atlanta on Monday July 22, 2019. Canfield along with Amy Keller and Norman Siegel are the consumer plaintiffs lead counsel in the consumer class action case against Equifax as a result of the company's massive data breach.

Ken Canfield, a partner at Atlanta's Doffermyre Shields Canfield & Knowles and co-lead counsel for the consumers, said the settlement has “real teeth” because it “provides substantial relief to those consumers whose lives have been disrupted by the  data theft, but it also ensues Equifax will dramatically improve its security practices moving forward.”

Norman Siegel of Kansas City's Stueve Siegel and Amy Keller of Chicago's DiCello Levitt served alongside Canfield as co-counsel.  “Navigating complex financial systems when you've been the victim of identity theft is a cumbersome–and, in some instances, insurmountable–task for consumers,” Keller said. “We hope that our settlement gives them the assistance and peace of mind they need to move on from this incident.”

Said Siegel: “While we know that there are many members of Congress who are making privacy and cybersecurity a priority, the absence of any meaningful federal legislation that would hold companies accountable for egregious cybersecurity lapses like the one we saw in Equifax is unfortunate … This settlement sends a clear message that, if real change is going to happen relative to data security, the American people are going to have to push hard for it.”

Retired U.S. District Judge Layn Phillips of the Western District of Oklahoma mediated the settlement agreement. Phillips is the founder of Phillips ADR Enterprises in California.

The consumer class settlement also includes provisions for an innovative publicity campaign that will incorporate tools used in modern commercial and political advertising to reach class members through radio, print, mail, email and social media about their eligibility to file claims, and gives them an extended time frame for doing so.

Equifax and counsel for the consumer class reached a binding settlement agreement in March, according to settlement documents. Equifax then shared the terms with federal regulators and state attorneys general, according to the documents. Plaintiffs' lawyers agreed to consider suggested alterations to the deal but were not bound to accept any changes regulators proposed before reaching their own separate deals with Equifax. All consumer remuneration and benefits will be administered through the Atlanta class action settlement, according to the settlement terms.

Separate civil settlements have been reached with the Consumer Financial Protection Bureau, the Federal Trade Commission, and 50 state attorneys general, including $100 million for the CFPB and $280.5 million in fines to be distributed to the states. New York will receive more than $9 million, said New York Attorney General Letitia James, who co-led the multistate attorneys general group. Georgia Attorney General Chris Carr said his state will receive nearly $7.2 million.

The CFPB settlement requires Equifax to undergo biennial information security assessments by an independent third party professional, and provide them to the CFPB. The consent order does not allow any documents associated with those assessments to be withheld on the basis of confidentiality, proprietary or trade secrets, or any claims of privilege between Equifax and the assessor.  Equifax is also required to provide the agency with reports associated with cyber security incidents for 20 years.

The New York State Department of Financial Services also separately investigated Equifax's security practices, and fined the company an additional $10 million for violating the federal Dodd-Frank Act and New York financial services laws, James said.

Shortly after Equifax went public about the breach in September 2017, a number of state attorneys general signed a letter to the company's lawyers expressing “profound concerns” about its delay in notifying the public of the breach, and its decision to continue to charge consumers for its own credit-monitoring services or for placing security freezes on their credit reports.

Equifax CEO Mark Begor on Monday called the settlement and its consumer fund the “largest ever” in a data breach case. Begor acknowledged that while the fund has no cap, Equifax doesn't expect more than 7 million of the 147 million affected consumers will take advantage of available benefits.  “We don't anticipate a need to fund more than $300 million,” Begor said. “If more than seven million consumers sign up, Equifax would increase contributions to the fund,” he said.

“We continue to monitor the Dark Web,” he said. “To date, we haven't seen any instances of our data being sold or any instances of identity theft.”

Begor also said that in keeping with a consent order reached with state banking regulators last summer, and Monday's settlement with consumer plaintiffs, Equifax is implementing major security improvements. The company is on track to invest $1.25 billion in more secure technology and additional security infrastructure over the next three years—about 50% more than it would normally have considered spending.

“We are abiding by that consent order,” Begor said. “We are aligned with regulators about what we are implementing.”

But at a news conference jointly held by the Federal Trade Commission and the Consumer Financial Protection Bureau, an FTC spokeswoman said Equifax's settlement with the FTC includes conditions that Equifax must report the number of claims made by consumers eligible for the settlement and the number of claims Equifax actually pays.

Maryland Attorney General Brian Frosh, who attended the news conference, took issue with Begor's statements that Equifax had not unearthed any of the hacked data.

“We know from all the data breaches we have experienced through Maryland and the U.S. [that] the hackers don't immediately take the information of consumers and start trying to steal it,” he said. “They often archive it, bank it, and they use it as long as years later.”

A team of King & Spalding attorneys led by partners Phyllis Sumner and David Balser represent Equifax. They negotiated the deal with the consumers' counsel after U.S. District Chief Judge Thomas Thrash refused to dismiss the multidistrict litigation last January. Last December, the U.S. House of Representatives Committee on Oversight and Government Reform released a report concluding the data breach was preventable.

In addition to the three co-leads, former Georgia Gov. Roy Barnes of The Barnes Law Group in Marietta, and David Worley, a partner at Atlanta's Evangelista Worley serve as liaison counsel.

The former Georgia governor, who filed the first consumer suit against Equifax after news of the data breach went public, said that, while the settlement “cannot come close to righting all of Equifax's wrongs, it is a critical first step toward making it right, compensating the victims and ensuring that in the future, companies do everything in their power to prevent this type of catastrophic breach.”

The steering committee includes Andrew Friedman of Washington's Cohen Milstein Sellers & Toll; Eric Gibbs of Gibbs Law Group in Oakland, California; James Pizzirusso of Hausfeld in Washington; Ariana Tadler of New York's Milberg Tadler Phillips Grossman; John Yanchunis of Morgan & Morgan in Tampa; William Murphy III of Murphy, Falcon & Murphy of Baltimore and Marietta attorney Jason Doss.

Thrash is also presiding over a separate group of lawsuits filed against Equifax by a number of financial institutions that issued debit or credit cards to consumers whose personal information was compromised and then were faced with helping customers clean up the resulting mess.

Benefits available to class members include:

• Compensation of up to 20 hours at $25 an hour—including as much as 10 hours that can be self-certified with no documentation—for time spent taking preventive measures or dealing with identity theft.

• Reimbursement of up to $20,000 for documented losses traceable to the breach, including the cost of freezing or unfreezing credit files, buying credit monitoring services, out-of-pocket losses from identity theft or fraud and professional fees associated with identity theft.

• A 25% refund to customers who bought credit monitoring or identity theft protection subscriptions from Equifax the year before the breach.

• Four years of three-bureau credit monitoring and identity protection services through Experian, a $1200 value, and an additional six years of one-bureau credit monitoring by Equifax, valued at $720.

• Alternative compensation of $125 for class members who already have credit monitoring or protection services in place.

• Identity restoration services through Experian to help class members for seven years who have been the victims of identity theft, including assignment of a certified identity theft restoration specialist and step-by-step assistance in dealing with credit bureaus, companies and government agencies.