July 23, 2019

Equifax to pay $700M for 2017 breach

The CFPB, Federal Trade Commission and 48 states, the District of Columbia and Puerto Rico yesterday announced a $700 million settlement with Equifax related to its 2017 data breach that affected more than 147 million U.S. consumers. This incident in particular brought renewed focus to NAFCU's longstanding call for a national data security standard.

The settlement – if approved by the federal court in the Northern District of Georgia – would provide up to $425 million in relief to consumers, as well as a $100 million civil money penalty and other relief. Affected consumers would also be eligible to receive at least 10 years of free credit-monitoring and at least seven years of free identity-restoration services.

"Today's announcement is not the end of our efforts to make sure consumers' sensitive personal information is safe and secure," said CFPB Director Kathleen Kraninger. "The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers. Too much is at stake for the financial security of the American people to make these protections anything less than a top priority."

In its complaint, the CFPB alleged that Equifax engaged in "unfair and deceptive practices in violation of the Consumer Financial Protection Act of 2010" by:

  • failing to provide reasonable security for the sensitive personal information stored within its computer network;
  • deceiving consumers about the strength of its data security program in privacy policies; and
  • engaging in acts and practices that caused additional harm or risk of harm to consumers in response to the breach.

Earlier this year, NAFCU's Executive Vice President of Government Affairs and General Counsel Carrie Hunt reiterated the association's call for a national data security standard for entities that collect and store consumers' personal and financial information ahead of a hearing to examine ways to improve the credit reporting system.

"While credit bureaus, such as Equifax, are governed by data security standards set forth by the Gramm-Leach-Bliley Act (GLBA), they are not examined by a regulator for compliance with these standards in the same manner as depository institutions," wrote Hunt.


NAFCU has long been active with lawmakers on the data security issue, and was the first group after the massive 2013 Target data breach to call for a legislative solution to reform the nation's data security system. Data security is also a key pillar of the association's 2019 advocacy priorities.