Equifax will pay Massachusetts $18.2 million settlement
The 2017 data breach affected 147 million Americans
THE CREDIT REPORTING agency Equifax will pay $18.2 million to the state of Massachusetts under a settlement reached with Massachusetts Attorney General Maura Healey over its 2017 data breach.
The massive data breach occurred when hackers obtained personal information of around 147 million people in the US, including nearly three million Massachusetts residents. Equifax is a credit reporting agency, which means it collects information about consumers’ credit history, then sells that information to banks and others that perform credit checks.
Healey’s office filed suit against Equifax in 2017 under the state’s consumer protection and data privacy laws. Healey said the company lacked sufficient safeguards to protect consumers’ personal data.
“What happened was completely reckless and unacceptable,” Healey said in a conference call with reporters on Friday.
In July 2019, Equifax agreed to pay $575 million as part of a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 48 US states, plus Puerto Rico and Washington, DC. Of that, $175 million was distributed among the states, and the rest went to a $300 million fund to provide credit monitoring for consumers (which can be increased to $425 million) and to the Consumer Financial Protection Bureau.
Indiana and Massachusetts were the only two states not to join that settlement. Equifax this week agreed to pay Indiana $19.5 million and Massachusetts $18.2 million. The Massachusetts money will go to the state’s general fund and the attorney general’s office.
Healey said the amount of money Massachusetts got by pursuing litigation is more than the state would have gotten had it agreed to the 2019 settlement. “We declined the settlement because we didn’t think it was strong enough and would do enough for Massachusetts consumers,” Healey said.
“We said from the beginning Equifax needed to pay for its mistakes,” Healey added. “Our job is to be out there protecting consumers, and we wanted more money to come back to the state.”
In addition to the monetary payment, Equifax will be required to implement an information security program, under the oversight of a chief information security officer, to protect the confidentiality of all personal information on its network. It will have to comply with this program through August 22, 2026. It will have to put in place a number of technical safeguards spelled out in the agreement.
Healey said steps are included in the agreement to minimize the collection of sensitive data, to keep Equifax’s software up to date, to impose regular security, monitoring, and testing requirements and to require third-party assessment of the safeguards.
Affected consumers will be given free credit monitoring for up to 10 years and access to two free copies of their credit report annually until 2024, according to the terms of the settlement.
Healey said the message of the settlement is, “Protect people’s data or you’re going to pay.”