In January, a federal grand jury indicted four members of the Chinese army for hacking into the computers of Equifax in 2017 and stealing sensitive information on 145 million Americans. News about the charges overshadowed another legal milestone in the Equifax saga: on January 13, 2020, a federal judge in Georgia gave final approval to a class action settlement resolving claims arising from the massive breach.
Even when a cyber attack is the work of a nation state, the victim company is likely to be sued civilly—by private plaintiffs, federal regulators, or state attorneys general. Equifax faced actions from all three directions, and it settled all three sets of cases. Placed side by side, the settlements may represent the new template for data breach litigation. Among other lessons, they show growing specificity in the corrective actions demanded by regulators: the remedies are no longer limited to money, but spell out the security controls the company must put in place.
In the class action settlement, Equifax agreed to pay $380,500,000 into a fund for consumer redress and attorneys’ fees. Equifax also agreed to spend a minimum of $1 billion on data security over five years and to comply with a 22-point “Business Practices Commitment” incorporated in the settlement. Under that commitment, Equifax agreed to:
- Implement a comprehensive information security program;
- Monitor and log transactions on its network;
- Regularly scan for vulnerabilities;
- Conduct risk-based penetration testing;
- Maintain a patch management process;
- Implement strong user authentication;
- Encrypt personal information or implement adequate compensating controls;
- Delete information when no longer needed;
- Ensure that vendors also have appropriate security; and
- Undergo independent compliance assessments for seven years.
Equifax was also sued by the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and by multiple states. In July 2019, those cases settled. In addition to the fund for consumer restitution, Equifax agreed to pay the states $175 million and the CFPB $100 million in penalties.
In terms of improvements to Equifax’s security, the FTC’s settlement had many features that also appeared in the class action settlement. But the FTC order imposed additional, quite specific requirements. It specified that patch management procedures must require confirmation that patches were actually installed, not merely scheduled or assigned. It required the use of secure development practices for applications developed in-house. It required the company to adopt a process for receiving and addressing vulnerability reports from third parties, such as security researchers. And while the class action obligations run for seven years, the FTC’s oversight lasts for twenty.
But the settlements with the states are even more detailed. The settlement with California includes more than fifty specific requirements. To cite just a few: Equifax’s security program should be guided by the principle of zero trust (grant no implicit trust to any user, device, or network segment, and authenticate and authorize each access request on its own merits). Data collected shall be limited to the minimum necessary. Reliance on Social Security Numbers as identifiers should be reduced.
In a blog post commenting on the Equifax case, the FTC advised that the settlement illustrated security basics expected of any business. From the increasingly detailed remedies demanded by regulators, it is clear that the bar for basic security is rising.
About the author:
Jim Dempsey has been a leading expert on privacy and Internet policy for three decades. Jim was appointed by President Obama as a part-time member of the Privacy and Civil Liberties Oversight Board (PCLOB), an independent federal agency charged with advising senior policymakers and overseeing the nation’s counterterrorism programs. He is also the author or co-author of articles in law reviews and other journals nationwide.