A settlement has been reached in the Equifax data breach lawsuit. Under the terms of the settlement agreement, Equifax would be required to initially pay $380.5 million into a settlement fund. If more money is needed to compensate class members for out-of-pocket losses, Equifax will pay up to an additional $125 million into the settlement fund. If all class members file claims, Equifax could also be required to pay up to an additional $2 billion for credit monitoring services.
In addition, the settlement requires Equifax to pay $1 billion to improve its data security and implement specific cybersecurity measures, such as monitoring its systems for security threats, fixing critical vulnerabilities within 1 week, and allowing oversight by an independent cybersecurity auditor.
The initial deadline to file a claim is: 1/22/2020.
Who can receive benefits under the Equifax class action settlement?
Under the proposed settlement, the settlement class includes all consumers whose information was impacted by the data breach. The settlement defines the settlement class to include:
The approximately 147 million U.S. consumers identified by Equifax whose personal information was compromised as a result of the cyberattack and data breach announced by Equifax Inc. on September 7, 2017.
Initially, Equifax announced that only 143 million consumers were affected, but it has since expanded that number after conducting further investigation.
What are the settlement benefits for the Equifax data breach lawsuit?
Consumers who file a claim form can receive:
- At least 10 years of free credit monitoring (a value of $1,920)
- Up to $20,000 in compensation for documented out-of-pocket losses
- Up to $500 for time spent dealing with the breach
The credit monitoring services include at least 4 years of triple-bureau monitoring and an additional 6 years of monitoring for just the Equifax credit report. Consumers who already purchased credit monitoring can apply for “alternative compensation” of $125 under the settlement.
The compensation for out-of-pocket losses and expenditures, up to $20,000, includes the cost of freezing and unfreezing a credit file, purchasing credit monitoring, or losing money to fraud or identity theft.
The compensation for lost time, up to $500, includes time spent taking preventative measures (such as freezing a credit file or purchasing credit monitoring) or dealing with identity theft. Consumers who don’t want to provide time records can receive up to $250 without documentation.
Whether or not they file a claim, all class members are eligible for identity restoration services provided by Experian for a period of 7 years. The services are designed to help consumers who experience identity theft with the process of securing their identity and dealing with fraudulent credit transactions.
FTC Summary of the Settlement
For more details about the settlement benefits, you can review the class notice.
Important deadlines for the Equifax data breach settlement
Please take note of the following deadlines related to the Equifax data breach class settlement:
- Deadline to object to or opt-out of the settlement: 11/19/2019
- Hearing on final approval of the settlement: 12/19/2019
- Initial deadline to file a claim: 1/22/2020
- *Extended deadline to file a claim: 1/22/2024
* If money remains in the settlement fund after the initial claims period, an “extended claims period” will go into effect for another 4 years, during which additional class members can file claims for out-of-pocket losses or time spent dealing with fallout from the breach.
Our Role in the Equifax Data Breach Lawsuit
As part of the court-appointed leadership team representing consumers, our attorneys in the Equifax consumer data breach lawsuit helped file a consolidated complaint, alleging that Equifax failed to secure the personal information of nearly 150 million Americans, including addresses, driver’s license numbers, dates of birth, credit card details, Social Security numbers, and other data. According to the complaint, the hackers went undetected in Equifax’s system for two and a half months. The complaint says that Equifax missed numerous “red flags.” The complaint accused Equifax of acting negligently in failing to secure the personal information of so many people.
Our attorneys contributed to the efforts to defeat Equifax’s motion to dismiss the lawsuit. In January 2019, the judge denied Equifax’s attempt to have the lawsuit thrown out.
In July 2019, after the parties reached a settlement agreement, our attorneys helped file a motion asking the court to allow notice of the settlement to be provided to class members. The court approved the motion the same day it was filed.
More Details on the Equifax Data Breach
Equifax, one of the three largest credit reporting agencies, announced on September 7, 2017 that it had experienced a “cybersecurity incident potentially impacting approximately 143 million U.S. consumers.” Equifax said that the hacker had exploited a “website application vulnerability” to gain access to Equifax’s systems. According to Equifax, “The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.”
Also compromised, Equifax says, were “credit card numbers for approximately 209,000 U.S. consumers, and certain [credit] dispute documents with personal identifying information for approximately 182,000 U.S. consumers.” Rick Smith, Equifax’s CEO, said that Equifax discovered the incident on July 29, 2017. Upon discovering the breach, Equifax “engaged a leading cybersecurity firm, Mandiant, to conduct a comprehensive forensic review to determine the scope of the intrusion.” According to Equifax, the forensic investigation determined that the hacker had gone undetected in Equifax’s systems from May 13 through July 30, 2017.
Equifax Failed to Patch Major Security Vulnerability
Equifax announced that the hacker’s “initial attack vector” was “a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application.” The vulnerability was made public and Apache released a patch on March 6, 2017. As The Hacker News reports, “Right after the disclosure of the vulnerability, hackers started actively exploiting the flaw…” Companies that failed to implement the patch were “relatively easy” targets, according to Wired.
The day after discovering the breach, Equifax took the “affected web application” offline. Before hiring Mandiant, Equifax pinpointed the “vulnerability in the Apache Struts web application framework as the initial attack vector,” patched it, and brought the dispute portal back online.
After Equifax’s announcement that the Apache Struts vulnerability had been the point of entry, Wired published, “Equifax Officially Has No Excuse.” Wired quotes cybersecurity researcher Bas van Schaik as saying:
“This vulnerability was disclosed back in March. There were clear and simple instructions of how to remedy the situation. The responsibility is then on companies to have procedures in place to follow such advice promptly. The fact that Equifax was subsequently attacked in May means that Equifax did not follow that advice. Had they done so this breach would not have occurred.”
LA Times, USA Today Contact GLG Privacy Attorneys for Comment
National news outlets, including the LA Times and USA Today, have reached out to our data breach attorneys for their insight on the origins and implications of the Equifax data breach.
Speaking to the LA Times about the breach, Eric said:
“The one thing that has held consistent in recent years is there’s substandard internal practices that lead to these breaches,” said Gibbs, a partner at Gibbs Law Group. “Time and time again, the [breaches] are then blamed on sophisticated hackers. But the sophistication of the hacker doesn’t have to do with it, it’s the internal practices.”
Gibbs Law Group privacy attorney David Berger further commented on the consequences of the breach for the LA Times, stating:
“There’s quite broad and serious potential harm over many years,” said David Berger, counsel at Girard Gibbs. “It’s particularly concerning.”
How to Check if You’re Affected by the Equifax Data Breach
Equifax has set up an official website that it says you can use to “[s]ee if your personal information is potentially impacted.” Equifax says it will not send individual notices to consumers except for 209,000 consumers whose credit card numbers were compromised, and the 182,000 consumers whose personal identifying information was stolen from credit dispute documents.
According to the site’s instructions, consumers whose information was impacted will be notified of that fact after clicking “Check Potential Impact,” and entering their last name and the last six digits of their Social Security number.
Consumers and news organizations, however, have reported that the site may not be accurate. Some individuals have reported that when they entered random or non-existent names and Social Security numbers, the site told them their information was impacted by the breach.
How Did Equifax Get My Information?
If you have opened a line of credit or an account with any “[c]redit card companies, banks, credit unions, retailers, [or] auto and mortgage lenders,” then those entities have all reported the details of your credit application—such as your Social Security number—to all three credit reporting agencies (Equifax, TransUnion, and Experian). The banks and lenders also report, on an ongoing basis, your credit activity and payment history to the three credit bureaus.
Our Leadership in Data Breach & Privacy Cases
Our firm has represented plaintiffs in complex lawsuits involving some of the nation’s largest data breaches, including litigation against Anthem, Adobe, Home Depot, Excellus Blue Cross and Blue Shield, and Banner Health, among others. In the past, we have successfully represented consumers with data breach and privacy claims involving HealthNet and Certegy Check Services.
Eric Gibbs has established himself as a leader in emerging litigation involving data breach and privacy. He was court-appointed to the four-member leadership team in the Anthem Data Breach Litigation, which recently settled for $115 million, the largest data breach settlement in history (settlement pending final Court approval). Eric secured a landmark ruling in the Adobe Systems, Inc. Privacy Litigation, which makes it easier for plaintiffs to seek relief following a breach. He was recently selected from among a pool of attorneys from across the country to serve as co-lead counsel in the Vizio, Inc., Consumer Privacy Litigation.
Eric co-founded the American Association for Justice’s Data Breach and Privacy Litigation Group, and has served as chair and organizer of several consumer privacy conferences on best practices and developments in consumer privacy litigation.