A large, national credit reporting agency has agreed to pay up to $700 million in monetary relief and penalties as part of a global settlement with the FTC, CFPB, and 48 states, the District of Columbia and Puerto Rico, which alleged that the credit reporting agency engaged in unfair and deceptive practices in connection with a 2017 data breach that affected approximately 147 million people.
In its complaint, the CFPB alleged the credit reporting agency engaged in unfair and deceptive practices in violation of the Consumer Financial Protection Act of 2010 by: (1) failing to provide reasonable security for the sensitive personal information stored within its computer networks; (2) misleading consumers about the strength of its data security safeguards in its privacy policies; and (3) engaging in acts and practices that caused additional harm or risk of harm to consumers in response to the breach.
As part of the settlement, the credit reporting agency will pay $300 to $425 million to a fund that will provide affected consumers with credit monitoring services and compensate consumers who bought credit or identity monitoring services from the agency and paid other out-of-pocket expenses as a result of the 2017 data breach. The company will also pay $175 million to 50 U.S. states and territories, as well as $100 million to the CFPB in civil penalties.
In addition, the proposed settlement, if approved by the court, will also require the credit reporting agency to:
Links to the complaints and settlement information can be found in the press releases issued by the FTC and CFPB.