A large, national credit reporting agency has agreed to pay up to $700 million in monetary relief and penalties as part of a global settlement with the FTC, CFPB, and 48 states, the District of Columbia and Puerto Rico, which alleged that the credit reporting agency engaged in unfair and deceptive practices in connection with a 2017 data breach that affected approximately 147 million people.
In its complaint, the CFPB alleged the credit reporting agency engaged in unfair and deceptive practices in violation of the Consumer Financial Protection Act of 2010 by: (1) failing to provide reasonable security for the sensitive personal information stored within its computer networks; (2) misleading consumers about the strength of its data security safeguards in its privacy policies; and (3) engaging in acts and practices that caused additional harm or risk of harm to consumers in response to the breach.
As part of the settlement, the credit reporting agency will pay $300 million to $425 million into a fund that will provide affected consumers with credit monitoring services and compensate consumers who bought credit or identity monitoring services from the agency and paid other out-of-pocket expenses as a result of the 2017 data breach. The company will also pay $175 million to 50 U.S. states and territories, as well as $100 million to the CFPB in civil penalties.
In addition, the proposed settlement, if approved by the court, will also require the credit reporting agency to:
- Beginning in January 2020, provide all U.S. consumers with six free credit reports each year for seven years—in addition to the one free annual credit report that each nationwide credit reporting agency must currently provide;
- Implement a comprehensive information security program that must include several specific measures as described in the stipulated order;
- Obtain third-party assessments of its information security program every two years for a period of twenty years after entry of the order; and
- Submit incident reports to the FTC in the case of future data breaches where any federal or state law requires the credit reporting agency to notify any federal, state, or local government entity of the breach, and the breach affects at least 250 U.S. consumers.