Equifax Inc. agreed to pay up to $700 million to resolve U.S. federal and state investigations into the 2017 hack that compromised some of the most sensitive information of more than 140 million people.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” FTC Chairman Joe Simons said in a statement. “Equifax failed to take basic steps that may have prevented the breach.“
Equifax will pay as much as $425 million to compensate consumers and provide credit monitoring to those whose information was exposed under a settlement announced Monday by the Federal Trade Commission. Equifax will separately pay $175 million to 48 states, the District of Columbia, and Puerto Rico, and an additional $100 million to the U.S. Consumer Financial Protection Bureau.
The company must also spend at least $1 billion to improve its data security, according to a settlement filed in a class-action lawsuit against Equifax.
The agreement, the largest data-security settlement by the agency, resolves a nearly two-year investigation by all 50 states and the FTC into the massive breach that compromised sensitive information like Social Security numbers and dates of birth.
Shares were up less than 1% at $138.50 at 9:47 a.m. in New York.
Equifax, based in Atlanta, has largely bounced back since the company disclosed the breach in September 2017 with shares recovering nearly all their value. At the time, Equifax’s stock lost more than a third of its value within days.
The incident sparked outcries on Capitol Hill and among consumer advocates for more oversight of the three big consumer credit-rating companies: Equifax, TransUnion and Experian Plc. At a hearing in February, Democrats and Republicans on the House Financial Services Committee slammed the companies, as Chairwoman Maxine Waters promised to tighten regulation of the industry.
Democratic Representative Frank Pallone, who chairs the committee working on privacy legislation, said Monday the settlement “shows the limitations on the FTC’s ability to seek strong penalties and effective redress for consumers” and said it illustrates the need for a privacy bill to hold companies accountable if they fail to protect data.
Yet lawmakers have failed to act since the hack was disclosed and efforts to pass a federal privacy law in this Congress seem to be losing momentum.