Equifax has agreed to pay at least $1.4 billion to settle multidistrict litigation brought on behalf of 147 million U.S. consumers and pay millions more to resolve civil complaints brought by the federal government and multiple state attorneys general over its massive 2017 data breach.
Monday's notice of the proposed settlement, detailed in court papers filed in Atlanta, would largely resolve the legal fallout from consumers whose personal and financial data was hacked following one of the nation's largest data breaches.
The civil settlement—which Equifax counsel and lawyers representing the consumer class announced at a hearing in U.S. District Court in Atlanta Monday morning—includes a commitment by the company to spend $1 billion on cybersecurity measures over the next five years and establish a $380.5 million fund to pay for four years of credit monitoring and financial help, where needed, in resolving identity theft issues for victimized consumers.
The fund would also reimburse consumers for expenses incurred in securing their personal information or repairing stolen identities after Equifax belatedly acknowledged the breach, according to the settlement terms.
Equifax also committed to expand the fund by at least another $125 million for excess out-of-pocket losses by consumers and potentially make available as much as $2 billion more if all 147 million consumers sign on, according to the terms.
The plaintiff consumers' notice of settlement stated the retail value of the credit services alone would exceed $282 billion, or $1,920 per consumer, if all 147 million class members take advantage of Equifax's offer. Equifax will not benefit from the credit protection services, which will be handled by Ireland-based consumer reporting agency Experian, according to the settlement terms.
U.S. District Chief Judge Thomas Thrash Jr. of the Northern District of Georgia approved the settlement agreement during Monday's hearing.
Attorneys for the consumer class who negotiated the deal will receive about $77.5 million from the fund, according to the settlement agreement.
Ken Canfield, a partner at Atlanta's Doffermyre Shields Canfield & Knowles and co-lead counsel for the consumers, said the settlement has “real teeth” because it “provides substantial relief to those consumers whose lives have been disrupted by the data theft, but it also ensues Equifax will dramatically improve its security practices moving forward.”
Norman Siegel of Kansas City's Stueve Siegel and Amy Keller of Chicago's DiCello Levitt served alongside Canfield as co-counsel. “Navigating complex financial systems when you've been the victim of identity theft is a cumbersome–and, in some instances, insurmountable–task for consumers,” Keller said. “We hope that our settlement gives them the assistance and peace of mind they need to move on from this incident.”
Said Siegel: “While we know that there are many members of Congress who are making privacy and cybersecurity a priority, the absence of any meaningful federal legislation that would hold companies accountable for egregious cybersecurity lapses like the one we saw in Equifax is unfortunate … This settlement sends a clear message that, if real change is going to happen relative to data security, the American people are going to have to push hard for it.”
Retired U.S. District Judge Layn Phillips of the Western District of Oklahoma mediated the settlement agreement. Phillips is the founder of Phillips ADR Enterprises in California.
The consumer class settlement also includes provisions for an innovative publicity campaign that will incorporate tools used in modern commercial and political advertising to reach class members through radio, print, mail, email and social media about their eligibility to file claims, and gives them an extended time frame for doing so.
Equifax and counsel for the consumer class reached a binding settlement agreement in March, according to settlement documents. Equifax then shared the terms with federal regulators and state attorneys general, according to the documents. Plaintiffs' lawyers agreed to consider suggested alterations to the deal but were not bound to accept any changes regulators proposed before reaching their own separate deals with Equifax. All consumer remuneration and benefits will be administered through the Atlanta class action settlement, according to the settlement terms.
Separate civil settlements have been reached with the Consumer Financial Protection Bureau, the Federal Trade Commission, and 50 state attorneys general, including $100 million for the CFPB and $280.5 million in fines to be distributed to the states. New York will receive more than $9 million, said New York Attorney General Letitia James, who co-led the multistate attorneys general group. Georgia Attorney General Chris Carr said his state will receive nearly $7.2 million.
The CFPB settlement requires Equifax to undergo biennial information security assessments by an independent third party professional, and provide them to the CFPB. The consent order does not allow any documents associated with those assessments to be withheld on the basis of confidentiality, proprietary or trade secrets, or any claims of privilege between Equifax and the assessor. Equifax is also required to provide the agency with reports associated with cyber security incidents for 20 years.
The New York State Department of Financial Services also separately investigated Equifax's security practices, and fined the company an additional $10 million for violating the federal Dodd-Frank Act and New York financial services laws, James said.
Shortly after Equifax went public about the breach in September 2017, a number of state attorneys general signed a letter to the company's lawyers expressing “profound concerns” about its delay in notifying the public of the breach, and its decision to continue to charge consumers for its own credit-monitoring services or for placing security freezes on their credit reports.
Equifax CEO Mark Begor on Monday called the settlement and its consumer fund the “largest ever” in a data breach case. Begor acknowledged that while the fund has no cap, Equifax doesn't expect more than 7 million of the 147 million affected consumers will take advantage of available benefits. “We don't anticipate a need to fund more than $300 million,” Begor said. “If more than seven million consumers sign up, Equifax would increase contributions to the fund,” he said.
“We continue to monitor the Dark Web,” he said. “To date, we haven't seen any instances of our data being sold or any instances of identity theft.”
Begor also said that in keeping with a consent order reached with state banking regulators last summer, and Monday's settlement with consumer plaintiffs, Equifax is implementing major security improvements. The company is on track to invest $1.25 billion in more secure technology and additional security infrastructure over the next three years—about 50% more than it would normally have considered spending.
“We are abiding by that consent order,” Begor said. “We are aligned with regulators about what we are implementing.”
But at a news conference jointly held by the Federal Trade Commission and the Consumer Financial Protection Bureau, an FTC spokeswoman said Equifax's settlement with the FTC includes conditions that Equifax must report the number of claims made by consumers eligible for the settlement and the number of claims Equifax actually pays.
Maryland Attorney General Brian Frosh, who attended the news conference, took issue with Begor's statements that Equifax had not unearthed any of the hacked data.
“We know from all the data breaches we have experienced through Maryland and the U.S. [that] the hackers don't immediately take the information of consumers and start trying to steal it,” he said. “They often archive it, bank it, and they use it as long as years later.”
A team of King & Spalding attorneys led by partners Phyllis Sumner and David Balser represent Equifax. They negotiated the deal with the consumers' counsel after U.S. District Chief Judge Thomas Thrash refused to dismiss the multidistrict litigation last January. Last December, the U.S. House of Representatives Committee on Oversight and Government Reform released a report concluding the data breach was preventable.
In addition to the three co-leads, former Georgia Gov. Roy Barnes of The Barnes Law Group in Marietta, and David Worley, a partner at Atlanta's Evangelista Worley serve as liaison counsel.
The former Georgia governor, who filed the first consumer suit against Equifax after news of the data breach went public, said that, while the settlement “cannot come close to righting all of Equifax's wrongs, it is a critical first step toward making it right, compensating the victims and ensuring that in the future, companies do everything in their power to prevent this type of catastrophic breach.”
The steering committee includes Andrew Friedman of Washington's Cohen Milstein Sellers & Toll; Eric Gibbs of Gibbs Law Group in Oakland, California; James Pizzirusso of Hausfeld in Washington; Ariana Tadler of New York's Milberg Tadler Phillips Grossman; John Yanchunis of Morgan & Morgan in Tampa; William Murphy III of Murphy, Falcon & Murphy of Baltimore and Marietta attorney Jason Doss.
Thrash is also presiding over a separate group of lawsuits filed against Equifax by a number of financial institutions that issued debit or credit cards to consumers whose personal information was compromised and then were faced with helping customers clean up the resulting mess.
Benefits available to class members include:
- Compensation of up to 20 hours at $25 an hour—including as much as 10 hours that can be self-certified with no documentation—for time spent taking preventive measures or dealing with identity theft.
- Reimbursement of up to $20,000 for documented losses traceable to the breach, including the cost of freezing or unfreezing credit files, buying credit monitoring services, out-of-pocket losses from identity theft or fraud and professional fees associated with identity theft.
- A 25% refund to customers who bought credit monitoring or identity theft protection subscriptions from Equifax the year before the breach.
- Four years of three-bureau credit monitoring and identity protection services through Experian, a $1200 value, and an additional six years of one-bureau credit monitoring by Equifax, valued at $720.
- Alternative compensation of $125 for class members who already have credit monitoring or protection services in place.
- Identity restoration services through Experian to help class members for seven years who have been the victims of identity theft, including assignment of a certified identity theft restoration specialist and step-by-step assistance in dealing with credit bureaus, companies and government agencies.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllAtlanta-Based Fearless Fund Ends Black-Only Entrepreneurial Grant Contest After Settling Civil Rights Lawsuit
Deal Watch: Latham, Weil Lead Home Improvement Deal; Dealmakers Face Election Headwinds
8 minute readJetBlue-Spirit Airlines Planned $3.8 Billion Merger Dropped Due to Antitrust Concerns
Deal Watch: Kirkland, Akin Drive Energy Deals as Big Law Leans Into Sector for M&A
7 minute readTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250