Oregon collects $2.8 million in Equifax breach settlement
SALEM — Oregon will receive $2.8 million as part of a settlement with the credit monitor Equifax after an enormous 2017 data breach affected nearly 1.8 million Oregonians.
The settlement, announced Monday, July 22, was between Equifax and 48 states, the District of Columbia and Puerto Rico. The agreement also settles ongoing investigations by the Federal Trade Commission and the federal Consumer Financial Protection Bureau. About $175 million of that is going to the states and territories, while up to $425 million will go to redress consumers' losses and for credit monitoring.
Equifax is also paying a $100 million fine to the Consumer Financial Protection Bureau.
The breach affected about 147 million people, compromising their Social Security numbers, birth dates, addresses, credit card numbers and for some, their driver's license numbers.
"These self-described 'stewards' of our data turned out to be incredibly careless with Oregonians' personal information and let down consumers — who had no choice about providing access to their data in the first place — in a big, big way," Rosenblum said in a July 22 statement.
Oregon's Department of Justice said Equifax offered extended credit monitoring for 10 years to those affected by the breach.
In a settlement agreement filed in a U.S. District Court in Georgia, Equifax denied "any wrongdoing whatsoever." But Rosenblum's office said the breach "occurred because Equifax failed to implement an adequate security program to protect consumers' highly sensitive personal information."
"Despite knowing about a critical vulnerability in its software, Equifax failed to fully patch its systems," Rosenblum said. "Equifax also failed to replace software that monitored the breached network for suspicious activity. As a result, the attackers penetrated Equifax's system and went unnoticed for 76 days."
'Thieves emptying the vaults'
Oregonians and others affected by the breach will have access to a $300 million fund to redress their losses through restitution and credit monitoring. If that amount is exhausted, up to another $125 million will be available.
The company has agreed to beef up its security protocols in the future.
The $2.8 million for Oregon goes to the Justice Department's Consumer Education and Protection Account to help pay for the department's work on behalf of the state's consumers.
The breach, announced by Equifax in September 2017, prompted an outcry on Capitol Hill, where U.S. Rep. Greg Walden, R-Ore., at the time chairman of the House Energy and Commerce Committee, made headlines for questioning the former Equifax chief executive officer. "How could a major U.S. company like Equifax, which holds the most sensitive and personal data on Americans, so let them down?" Walden asked during the October 2017 hearing. "It's like the guards at Fort Knox forgot to lock the doors and failed to notice thieves were emptying the vaults."
Rep. Frank Pallone, D-N.J., current chairman of the House Energy and Commerce, said in a statement that the settlement "does not come close to making consumers whole" and shows the Federal Trade Commission is limited in its power to seek "strong penalties and effective redress for consumers."
Pallone stressed the need for a comprehensive data privacy and security law to hold companies to account when consumer data is compromised.
Consumers can get email updates on the Equifax restitution and credit monitoring process by signing up at http://www.ftc.gov/equifax-data-breach, or call 1-833-759-2982 for more information.
Eligible consumers will eventually be required to submit claims.
Reporter Claire Withycombe: firstname.lastname@example.org or 971-304-4148.