The aftermath from one of the largest data breaches in U.S. history is nearing the end, as the presiding judge approved a proposed class action settlement resolving claims arising from Equifax’s September 2017 data breach.  As previously reported, approximately 147.9 million U.S. consumers’ personal information was compromised by that breach.

In a lengthy opinion, U.S. District Judge Thomas W. Thrash Jr. described the “settlement” as “the largest and most comprehensive recovery in a data breach in U.S. history by several orders of magnitude.”  The settlement requires Equifax to initially pay about $380 million into a settlement fund and up to $125 million more if the initial amount proves to be insufficient to cover class members’ out-of-pocket losses.  In addition to these payments into the settlement fund, Equifax agreed to provide credit monitoring and identity protection services to class members and spend “a minimum of $1 billion for data security.”

But Equifax’s initial payment and $1 billion spend on improved data security are only the tip of the iceberg.  As noted by the Court, “3.3 million class members have already submitted claims for credit monitoring with a collective retail value of roughly $6 billion.”  In reality, the benefit to the class already “exceeds $7 billion.”

In approving the settlement, the Court noted numerous elements of it as “significant,” including “an innovative and comprehensive” notice program that “takes advantage of contemporary and political advertising techniques,” that “all valid claims for out-of-pocket losses will be paid in full,” that 3.3 million class members already submitted claims for credit monitoring, that all class members have access to identity restoration services, that the notice program will continue for seven years, that Equifax must spend at least $1 billion on data security, that the data security measures Equifax takes “will be subject to independent verification and judicial enforcement,” that “[c]lass certification outside of the settlement context…poses a significant challenge,” the “miniscule number of objectors in comparison to the class size,” and the settlement mediator’s endorsement of the settlement.

While 2,770 class members requested exclusion from the settlement, only 388 directly objected to it, which the Court noted was “just .0002 percent of the class—despite organized efforts to solicit objections using inflammatory language and based on false and misleading statements about the settlement.”  The Court found the objections failed “to establish the settlement is anything other than fair, reasonable and adequate.”

The Court also found 718 form “objections” to be procedurally invalid and declined to consider them, as they were allegedly “filed out online by class members, were submitted en masse by Class Action Inc., a class action claims aggregator that created a website” with a “‘chat-bot’ that encouraged individuals to object based on that same erroneous information.” 

One of the objectors, Theodore Frank, who was called out by name in the Court’s opinion as being “in the business of objection to class action settlements” vowed to appeal the Court’s decision on Twitter.

The settlement is undoubtedly the largest in U.S. data breach history.  It is also a reminder to businesses everywhere the costs that can arise from a breach.  The mounting cybersecurity legislation, such as the California Consumer Privacy Act, which became operative at the start of the new year, and New York’s SHIELD Act, whose data security requirements take effect on March 21, continue to broaden businesses’ data security obligations, and are also a reminder that regulators and legislators are paying more and more attention to cybersecurity.

We’ll continue to monitor and report on this matter.