A massive data breach that was “entirely preventable” will cost credit-reporting agency Equifax another $1 billion to beef up its cyber-security efforts.

Last year, Equifax agreed to pay up to $700 million in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and a coalition of 50 attorneys general. A multistate investigation found Equifax failed to take basic measures to secure its network, which led to a September 2017 data breach that impacted approximately 147 million people. In addition, Equifax agreed to pay $300 million to a Consumer Restitution Fund that will provide affected consumers with credit-monitoring services, bringing their total (penalty plus remuneration) to close to $1 billion, depending on how many people sign up for free credit monitoring.

The basic security measures Equifax failed to implement include a policy to ensure security vulnerabilities were patched; segmentation of its database servers to block access to other parts of the network once one database was breached; and robust intrusion-detection protections for its legacy databases.

It turns out that $1 billion was just the tip of the iceberg for Equifax. According to court documents, filed Jan. 13 in the U.S. District Court for the Northern District of Georgia, Equifax must spend “a minimum of $1 billion for data security and related technology over five years and to comply with comprehensive data-security requirements. Equifax’s compliance will be audited by an experienced, independent assessor and subject to this court’s enforcement powers.”

The data security steps Equifax must take going forward include:

  • Designate an employee to oversee the information-security program;
  • Minimize its collection of sensitive data and the use of consumers’ Social Security numbers;
  • Conduct annual assessments of internal and external security risks and implement safeguards to address potential risks, such as patch management and security remediation policies, network intrusion mechanisms, and other protections;
  • Obtain annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information-security requirements;
  • Test and monitor the effectiveness of the security safeguards; and
  • Ensure service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data.

Court documents state Equifax’s minimum settlement cost is $1.38 billion “and could be more, depending on the cost of complying with the injunctive relief, the number, and amount, of valid claims filed for out-of-pocket losses, and the number of class members who sign up for credit monitoring.”

Risk management lessons

The data breach offers numerous lessons from both a compliance and risk management standpoint, not the least of which is the importance of practicing good cyber-security hygiene. The court documents include the following statement from Mary Frantz, a cyber-security expert: “[I]mplementation of the proposed business practice changes should substantially reduce the likelihood that Equifax will suffer another data breach in the future. These changes address serious deficiencies in Equifax’s information security environment. Had they been in place on or before 2017 per industry standards, it is unlikely the Equifax data breach would ever have been successful.”