Equifax Inc.'s headquarters in Atlanta. Photo credit: John Disney/ALM

Equifax has agreed to pay $19.1 million in fines to New York state officials as part of a broader $1.4 billion settlement to resolve what's been considered one of the largest digital breaches of personal data in history.

State officials in New York announced their part in the global settlement Monday after court papers were filed on the agreement in Atlanta.

Equifax has agreed to pay a fine of $10 million to the New York State Department of Financial Services as part of the settlement. An additional $9.1 million was secured by the New York Attorney General's Office as part of a multistate investigation into the company.

That's separate from the $425 million in restitution that Equifax has agreed to pay after the personal information of more than 147 million consumers was exposed and illegally accessed in September 2017. That was more than half of the adults living in the U.S.

New York Attorney General Letitia James said in a statement Monday that Equifax had been negligent in protecting the personal data of consumers.

“Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk,” James said. “This company's ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population.”

The multistate investigation found, specifically, that attackers targeted vulnerabilities in the company's Apache Struts software, which is used to develop web applications. Equifax was told about the potential for a breach earlier in 2017, the investigation found, but didn't take the necessary steps to correct the problem.

The attackers then used the vulnerability to access the personal information of millions of consumers, a breach that went unnoticed by Equifax for more than two months.

Equifax had agreed to pay for a Consumer Restitution Fund of up to $425 million as part of the settlement. It'll start with an immediate commitment of $300 million, which will be followed by an additional $125 million if those funds run out. 

Under the accord, the company will pay another $175 million to the 48 states involved in the lawsuit, Washington, D.C., and Puerto Rico. New York will receive $9.1 million of those funds as a result of the probe.

A second investigation, led by the New York State Department of Financial Services, will net New York $10 million after the agency found Equifax had separately violated state and federal financial laws.

DFS Superintendent Linda Lacewell said the settlement announced Monday reinforces the agency's commitment to protecting consumers when it comes to financial institutions and digital threats.

“First and foremost, the settlement announced today holds Equifax accountable for its egregious breach in its duty to consumers in safeguarding their sensitive personal identifying information and restores some peace of mind and protection to New Yorkers,” Lacewell said. “Strengthening consumer protections for New Yorkers, DFS now requires credit rating agencies to be licensed and supervised by DFS, and comply with the Department's landmark cybersecurity regulation to better guard against potential breaches.”

The agency's investigation focused on the security practices of Equifax, both during and at the time of the breach, and its communications with consumers following the event. DFS concluded that the company's practices violated the federal Dodd-Frank Act and state Financial Services Law, §208.

The breach itself, the agency found, had the potential to seriously harm consumers through the exposure of their personal information, such as Social Security numbers, credit card information, and more. After the breach was announced, the company didn't do enough to inform and guide consumers whose data may have been compromised, the agency said.

The federal counterpart of DFS, the Consumer Financial Protection Bureau, will receive an additional $100 million from Equifax as part of the settlement. 

Mark Begor, the CEO of Equifax, called the settlement a “positive step” in a statement Monday morning. He said the company has committed more than $1 billion to a technology and security investment program to provide further protections for consumers.

“This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company,” Begor said. “The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter.”

Consumers who were affected by the breach, of which there were many, will be required to submit claims showing they were a victim of fraud or took proactive steps to set up credit-monitoring services by submitting documents online or by mail.

Equifax has also agreed to offer consumers up to 10 years of free credit-monitoring services if they were one of the millions whose data was exposed. That will include up to $1 million of identity theft insurance, with no deductible. The first four years will include credit monitoring by the country's three largest agencies, while the remainder will only be from Equifax. 

A new website to assist consumers in submitting a claim, enrolling in credit-monitoring services, or just learning more will be set up sometime in the near future, according to state officials. Consumers can visit the Federal Trade Commission's website in the meantime for more information.

Consumers affected by the breach won't be able to immediately submit a claim after Monday's announcement. The settlement ultimately will require court approval, according to state officials. 

READ MORE:

Equifax Reaches $1.4 Billion Data Breach Settlement in Consumer Class Action

AG James Backs Data Breach Protection Act Passed by Legislature

AOL Agrees to Pay Largest Ever Settlement Under Children's Privacy Law