CFPB, FTC, States Settle with Equifax Over 2017 Data Breach

On Monday the Bureau, FTC, and 48 states announced a settlement with Equifax that will provide up to $700 million in monetary relief and penalties. In a complaint and proposed stipulated judgment filed in federal district court in the Northern District of Georgia, the Bureau alleges that Equifax engaged in unfair and deceptive practices in connection with the 2017 data breach of Equifax’s systems that impacted approximately 147 million consumers. The proposed settlement with the Bureau, if approved by the court, will provide up to $425 million in monetary relief to consumers, a $100 million civil money penalty, and other relief. The Bureau coordinated its investigation with the FTC and attorneys general from across the country. In total, the settlements with these entities would impose up to $700 million in relief and penalties.


“Today’s announcement is not the end of our efforts to make sure consumers’ sensitive personal information is safe and secure. The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers. Too much is at stake for the financial security of the American people to make these protections anything less than a top priority,” said CFPB Director Kathleen L. Kraninger.


To provide relief for consumers affected by the breach, the Bureau’s proposed order requires Equifax to establish a consumer fund (Consumer Fund) with up to $425 million available to provide affected consumers with a broad array of redress. The Consumer Fund would be used to provide reimbursements to affected consumers for time and money they spent related to the breach.  If the court approves the settlement, affected consumers may be eligible to receive money by filing one or more claims for the following: 


- Up to $20,000 per consumer for lost time and money, including:

  • $25/hour for up to 20 hours for time spent protecting personal information or addressing identity theft after the breach;
  • Money spent purchasing credit monitoring or identity theft protection after the breach;
  • The cost of freezing or unfreezing credit reports at any consumer reporting agency after the breach;
  • Reimbursement for up to 25 percent of the amount paid to Equifax for credit or identity monitoring subscription products between September 7, 2016 and September 7, 2017;
  • Any unreimbursed costs, expenses, losses, or charges incurred as a result of identity theft; and
  • Miscellaneous expenses associated with any of the above, such as notary, fax, postage, mileage and telephone charges.