Credit reporting agency Equifax continues to pay through the nose after the mega breach it suffered in 2017 exposed the personal data of roughly 147 million people and led to the departure of three senior executives, including its CEO, CIO and CSO.
After agreeing to pay up to $700 million to settle charges brought by the US Federal Trade Commission (FTC), Equifax must now pay $380.5 million into a court-supervised fund for class action benefits, attorneys' fees, expenses, service awards and notice and administration costs. That fund is the consumer restitution component contemplated by the FTC settlement rather than a separate payment on top of it, but the company's overall bill, once the security spending described below is counted, still runs well over $1 billion.
But the expenses associated with the massive cyber blunder don't stop there. Chief Judge Thomas W. Thrash, Jr. of the US District Court for the Northern District of Georgia, in Atlanta, has approved a consent order committing Equifax to spend a further $1 billion to strengthen its cybersecurity posture and ensure history doesn't repeat itself.
“Equifax has agreed to entry of a consent order requiring the company to spend a minimum of $1 billion for data security and related technology over five years and to comply with comprehensive data security requirements,” court documents state. “Equifax’s compliance will be audited by an experienced, independent assessor and subject to this Court’s enforcement powers.”
The approval order includes a statement from Mary Frantz, an expert in cybersecurity, forensics and compliance.
"Implementation of the proposed business practice changes should substantially reduce the likelihood that Equifax will suffer another data breach in the future," Frantz writes. "These changes address serious deficiencies in Equifax's information security environment."
According to Frantz, Equifax could have avoided these massive costs, and the reputational damage that came with the breach, had it allocated adequate capital to cybersecurity before the incident.
“Had [these measures] been in place on or before 2017 per industry standards, it is unlikely the Equifax data breach would ever have been successful,” Frantz says. “These measures provide a substantial benefit to the Class Members that far exceeds what has been achieved in any similar settlements.”
Chief Judge Thrash's view is that the order guarantees adequate funding for securing the plaintiffs' information long after the case itself is resolved.
Besides paying damages to affected consumers, covering the associated legal fees and now committing to invest $1 billion in data security, Equifax has paid a £500,000 ($650,000) penalty imposed by the UK Information Commissioner's Office under the UK's Data Protection Act 1998, the maximum available under that law, which was superseded by the General Data Protection Regulation (GDPR) in May 2018. Had the breach occurred after GDPR took effect, Equifax could have faced a fine of up to 4% of its annual global turnover, a figure in the hundreds of millions of dollars rather than the hundreds of thousands.