Credit Reporting Agency Agrees to Pay Up to $700 Million in Data Breach Settlement with Federal and State Agencies

Weiner Brodsky Kider PC

Weiner Brodsky Kider PC

A large, national credit reporting agency has agreed to pay up to $700 million in monetary relief and penalties as part of a global settlement with the FTC, CFPB, and 48 states, the District of Columbia and Puerto Rico, which alleged that the credit reporting agency engaged in unfair and deceptive practices in connection with a 2017 data breach that affected approximately 147 million people.

In its complaint, the CFPB alleged the credit reporting agency engaged in unfair and deceptive practices in violation of the Consumer Financial Protection Act of 2010 by: (1) failing to provide reasonable security for the sensitive personal information stored within its computer networks; (2) misleading consumers about the strength of its data security safeguards in its privacy policies; and (3) engaging in acts and practices that caused additional harm or risk of harm to consumers in response to the breach.

As part of the settlement, the credit reporting agency will pay $300 to $425 million to a fund that will provide affected consumers with credit monitoring services and compensate consumers who bought credit or identity monitoring services from the agency and paid other out-of-pocket expenses as a result of the 2017 data breach.  The company will also pay $175 million to 50 U.S. states and territories, as well as $100 million to the CFPB in civil penalties.

In addition, the proposed settlement, if approved by the court, will also require the credit reporting agency to:

  • Beginning in January 2020, provide all U.S. consumers with six free credit reports each year for seven years—in addition to the one free annual credit report that each nationwide credit reporting agency must currently provide;
  • Implement a comprehensive information security program that must include several specific measures as described in the stipulated order;
  • Obtain third-party assessments of its information security program every two years for a period of twenty years after entry of the order; and
  • Submit incident reports to the FTC in the case of future data breaches where any federal or state law requires the credit reporting agency to notify any federal, state, or local government entity of the breach, and the breach affects at least 250 U.S. consumers.

Links to the complaints and settlement information can be found in the press releases issued by the FTC and CFPB.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Weiner Brodsky Kider PC | Attorney Advertising

Written by:

Weiner Brodsky Kider PC

Weiner Brodsky Kider PC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.