Nearly two and a half years after Equifax disclosed the massive data breach that exposed the personal information of about 147 million Americans, a US federal court has given final approval to the class action settlement, under which the company could pay more than $500 million in direct compensation to the class members who sued it.
The breach was discovered in July 2017 and disclosed that September, with the credit reporting firm saying that attackers had exploited a vulnerability in its web application (an unpatched flaw in the Apache Struts framework) to access files containing names, social security numbers, birth dates, home addresses, and in some cases driver's licence numbers.
Shortly after the breach was disclosed, more than 300 class actions were filed against Equifax, followed by more than 18 months of negotiation before the parties informed the court in April 2019 that a settlement had been reached.
After consulting and negotiating with the US Federal Trade Commission (FTC), state attorneys general, and class representatives on revisions to the term sheet, the parties entered into a proposed settlement agreement in July 2019.
That proposed settlement was valued at $700 million, but under the court's final approval order this week, the minimum Equifax will be obliged to spend comes to around $1.38 billion, once its committed data security spending is counted alongside the consumer fund.
The settlement will require Equifax to put $380.5 million into a fund to compensate class members, and potentially an additional $125 million, if needed, to satisfy claims for certain out-of-pocket losses of the class members.
The $380.5 million fund is dedicated towards reimbursing up to $20,000 per class member for documented, out-of-pocket losses fairly traceable to the breach, such as the cost of freezing or unfreezing a credit file; buying credit monitoring services; out-of-pocket losses from identity theft or fraud, including professional fees; and other remedial expenses.
It will also be used to reimburse up to 25% of any money class members paid Equifax for credit monitoring or identity theft protection subscription products in the year before the breach was disclosed.
The credit rating firm has also agreed to spend at least $1 billion over five years on data security and related technology to comply with part of the settlement.
Cybersecurity expert witness Mary Frantz said that implementing these requirements should substantially reduce the likelihood of another data breach and would most likely have prevented the 2017 breach from occurring.
Chief Judge Thomas W Thrash, meanwhile, labelled the incident as the "largest and most comprehensive recovery in a data breach case in US history by several orders of magnitude".
"The $380.5 million fund alone is more than the total recovered in all consumer data breach settlements in the last ten years," Thrash added.
Equifax will also be obligated to provide four years of three-bureau credit monitoring and identity protection services through Experian and an additional six years of one-bureau credit monitoring and identity protection services through Equifax for class members. The one-bureau credit monitoring shall be provided separately by Equifax and not be paid for from the settlement fund.
If all 147 million class members sign up for credit monitoring, this could amount to an additional $2 billion in value of services to be provided by Equifax.
Prior to the settlement, 3.3 million class members had already submitted claims for credit monitoring services with a collective retail value of roughly $6 billion, the court said.
In total, the benefit to the class -- even when only considering the value of the $380.5 million minimum settlement fund, the minimum $1 billion Equifax is required to spend on data security and related technology, and the retail value of the credit monitoring already claimed by class members -- exceeds $7 billion in value.
If Equifax ends up being obligated to pay the additional costs -- the additional $125 million to pay claims for out-of-pocket losses and $2 billion for credit monitoring services of all 147 million class members -- the credit rating firm's maximum expenditure to move forward from the data breach would total around $9.5 billion in value.
Equifax will also pay the class members' attorneys around $80 million for their role in representing the class action.
Out of the approximately 147 million class members, 388 directly objected to the settlement, with many wanting Equifax's senior management to be punished.
"The court is well aware of the intense public anger about the breach, which, in the court's view, reflects the sentiment that consumers generally do not voluntarily give their personal information directly to Equifax, yet Equifax collects and profits from this information and allegedly failed to take reasonable measures to protect it," the court said.
The court said, however, that it could not punish Equifax for its negligence, as its role was limited to determining whether the proposed settlement was fair, reasonable, and adequate. Equifax chief executive Richard Smith had already stepped down in September 2017, shortly after the breach was disclosed.
Class members will have until 22 July 2020 to claim benefits and will not be required to file a claim to access identity restoration services.
If money still remains in the $380.5 million fund after the initial claims period, there will be a four-year extended claims period during which class members may recover for certain out-of-pocket losses and time spent rectifying identity theft.
- One in every 172 active RSA certificates are vulnerable to attack
- Equifax, regulators sign $700m deal to settle data breach lawsuits
- Decade retrospective: Cybersecurity from 2010 to 2019
- Equifax says more private data was stolen in 2017 breach than first revealed
- FTC: Too many people signed up for Equifax cash, so they'll be getting less than $125
- Equifax rating outlook decimated over cybersecurity breach
- After Equifax breach, major firms still rely on same flawed software
- Massive Equifax data breach exposes as many as 143 million customers