Equifax will pay Massachusetts $18.2 million settlement

The 2017 data breach affected 147 million Americans

THE CREDIT REPORTING agency Equifax will pay $18.2 million to the state of Massachusetts under a settlement reached with Massachusetts Attorney General Maura Healey over its 2017 data breach.

The massive data breach occurred when hackers obtained personal information of around 147 million people in the US, including nearly three million Massachusetts residents. Equifax is a credit reporting agency, which means it collects information about consumers’ credit history, then sells that information to banks and others that perform credit checks.

Healey’s office filed suit against Equifax in 2017 under the state’s consumer protection and data privacy laws. Healey said the company lacked sufficient safeguards to protect consumers’ personal data.

“What happened was completely reckless and unacceptable,” Healey said in a conference call with reporters on Friday.

The 50-page settlement was approved April 13 in Suffolk Superior Court and announced by Healey’s office on Friday.

In July 2019, Equifax agreed to pay $575 million as part of a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 48 US states, plus Puerto Rico and Washington, DC. Of that, $175 million was distributed among the states, and the rest went to a $300 million fund to provide credit monitoring for consumers (which can be increased to $425 million) and to the Consumer Financial Protection Bureau.

Indiana and Massachusetts were the only two states not to join that settlement. Equifax this week agreed to pay Indiana $19.5 million and Massachusetts $18.2 million. The Massachusetts money will go to the state’s general fund and the attorney general’s office.

Healey said the amount of money Massachusetts got by pursuing litigation is more than the state would have gotten had it agreed to the 2019 settlement. “We declined the settlement because we didn’t think it was strong enough and would do enough for Massachusetts consumers,” Healey said.

“We said from the beginning Equifax needed to pay for its mistakes,” Healey added. “Our job is to be out there protecting consumers, and we wanted more money to come back to the state.”

In addition to the monetary payment, Equifax will be required to implement an information security program, under the oversight of a chief information security officer, to protect the confidentiality of all personal information on its network. It will have to comply with this program through August 22, 2026. It will have to put in place a number of technical safeguards spelled out in the agreement.

Healey said steps are included in the agreement to minimize the collection of sensitive data, to keep Equifax’s software up to date, to impose regular security, monitoring, and testing requirements and to require third party assessment of the safeguards.

Meet the Author

Shira Schoenberg

Reporter, CommonWealth

About Shira Schoenberg

Shira Schoenberg is a reporter at CommonWealth magazine. Shira previously worked for more than seven years at the Springfield Republican/MassLive.com where she covered state politics and elections, covering topics as diverse as the launch of the legal marijuana industry, problems with the state's foster care system and the elections of U.S. Sen. Elizabeth Warren and Gov. Charlie Baker. Shira won the Massachusetts Bar Association's 2018 award for Excellence in Legal Journalism and has had several stories win awards from the New England Newspaper and Press Association. Shira covered the 2012 New Hampshire presidential primary for the Boston Globe. Before that, she worked for the Concord (N.H.) Monitor, where she wrote about state government, City Hall and Barack Obama's 2008 New Hampshire primary campaign. Shira holds a master's degree from Columbia University's Graduate School of Journalism.

About Shira Schoenberg

Shira Schoenberg is a reporter at CommonWealth magazine. Shira previously worked for more than seven years at the Springfield Republican/MassLive.com where she covered state politics and elections, covering topics as diverse as the launch of the legal marijuana industry, problems with the state's foster care system and the elections of U.S. Sen. Elizabeth Warren and Gov. Charlie Baker. Shira won the Massachusetts Bar Association's 2018 award for Excellence in Legal Journalism and has had several stories win awards from the New England Newspaper and Press Association. Shira covered the 2012 New Hampshire presidential primary for the Boston Globe. Before that, she worked for the Concord (N.H.) Monitor, where she wrote about state government, City Hall and Barack Obama's 2008 New Hampshire primary campaign. Shira holds a master's degree from Columbia University's Graduate School of Journalism.

Affected consumers will be given free credit monitoring for up to 10 years and access to two free copies of their credit report annually until 2024, according to the terms of the settlement.

Massachusetts consumers who had their identity stolen will still have access to the $425 million restitution fund set up in the multi-state litigation. Healey said she is not aware of any specific incidents of identity theft tied to the breach.

Healey said the message of the settlement is, “Protect people’s data or you’re going to pay.”