On July 22, 2019, Equifax reportedly reached a settlement agreement of up to $700 million with attorneys general from 48 states as well as the District of Columbia and Puerto Rico. The resolution comes two years after Equifax suffered an enormous data breach exposing the personal information of more than 147 million Americans. Investigations revealed that Equifax failed to follow basic cybersecurity principles by failing to patch computer systems and by storing sensitive data in plain text, among other things. Equifax has agreed to set aside $425 million of the $700 million settlement to reimburse victims, settle claims with the Consumer Financial Protection Bureau for an additional $100 million and revamp its data security program, which is subject to audit for the next 20 years.
On the same day, Equifax settled a class action stemming from the same investigation. According to the terms of the settlement, Equifax has committed to “spend $1 billion on cybersecurity measures over the next five years and establish a $380.5 million fund to pay for four years of credit monitoring and financial help, where needed, in resolving identity theft issues for victimized consumers.”
The cost to businesses for “mega” breaches is well into the hundreds of millions or even billions of dollars.