Attorney General Bob Ferguson, along with 49 other attorneys general, today announced that credit-reporting agency Equifax will pay more than half a billion dollars because of a 2017 data breach affecting nearly 150 million individuals nationwide. This is the largest data breach enforcement action in U.S. history.

“Equifax handles Washingtonians’ personal data, and we expect them to keep that information safe,” said Ferguson. “This resolution holds Equifax accountable to the millions of individuals who had their information stolen.”

As part of resolutions to be filed today with Washington, 49 other attorneys general, the Consumer Financial Protection Bureau, the Federal Trade Commission and private parties, Equifax will pay $175 million to the states and up to $425 million to affected consumers. Washington will receive more than $3.7 million, which will go toward continued enforcement of state data security and privacy laws. If the number of consumers filing claims results in less than the maximum restitution payments from the nationwide fund, the Attorney General’s Office may use its payment to provide additional funds to Washingtonians.

Affected consumers will have the opportunity to file a claim and receive a part of the up to $425 million in restitution. The resolution and claims process are subject to the court’s approval. Once approved, Washingtonians who believe they were victims of the Equifax breach can submit a claim at www.equifaxsettlementbreach.com or call 833-759-2982 for more information.

Equifax is one of three major credit-reporting agencies that provide credit ratings for individuals nationwide. From May 2017 through July 2017, hackers had access to Equifax’s network, affecting approximately 148 million consumers across the United States. The hackers accessed the private information of more than 3 million Washingtonians, including their social security numbers, birth dates, credit card numbers and addresses.

In a complaint to be filed today, Ferguson asserts that despite being alerted to a vulnerability in its network and ways to fix the vulnerability, Equifax failed to put procedures in place to fix security issues leading to the breach. A multistate investigation also found that the credit-reporting agency failed to follow industry standards to protect individuals’ personal information, such as saving personal information in unsecure locations and not encrypting passwords. 

The Attorney General asserts that Equifax’s failure to protect Washingtonians’ information violated the state Consumer Protection Act.

Corporate reforms
Affected Washingtonians can submit a claim online, or request a paper form to send by mail, at www.EquifaxBreachSettlement.com or by calling 833-759-2982. To receive email updates regarding the launch of this online registry, consumers can sign up atwww.ftc.gov/equifax-data-breach. Today’s resolution proposes that the nearly 150 million individuals affected by the breach can request free credit monitoring provided by Equifax and reimbursement for:

  • time spent trying to avoid or recover from identity theft, up to 20 total hours at $25 per hour;
  • money spent trying to avoid or recover from identity theft, including fees to freeze or unfreeze credit, professional identity theft services costs or postage; and
  • reimbursement of $125 for those who already have credit monitoring and decline the credit monitoring services offered as part of the resolution.

The proposed restitution is subject to the court’s approval.

Equifax will provide free credit monitoring to affected individuals for ten years. Individuals under 18 years old at the time of the breach will receive 18 years of free credit monitoring.

In addition to free credit monitoring, affected individuals who become victims of identity theft may be eligible for free services to help restore their identity.

For at least five years, all consumers can request two additional credit reports from Equifax every 12 months at no cost. Federal law allows individuals to request one free report every 12 months.

For three years, Equifax must have adequate staffing and resources available for consumers affected by the breach. It also must provide informational resources on how to request a fraud alert or security freeze and what consumers should do if they believe they are a victim of identity theft.

Equifax must improve security measures to prevent a data breach in the future. Equifax must implement an “Information Security Program,” which will limit the collection and use of individuals’ private information, such as social security numbers. The resolution requires Equifax to put technical safeguards in place to protect personal information and complete independent, third-party compliance assessments for the next six years.

Washington was a member of the executive committee in the multistate investigation. Assistant Attorneys General Shidon Aflatooni and Tiffany Lee are lead attorneys on the case for Washington state.

Ferguson’s work on data breaches
In 2015, Attorney General request legislation updated Washington’s data breach notification statute, closing a loophole that allowed most businesses to avoid requirements to notify Washingtonians when their personal information had been accessed or stolen. Ferguson proposed additional legislation in 2019 to update this law, reducing the number of days companies have to report data breaches to 30 days and expanding the types of private information that the law covers. The bill passed the Legislature unanimously in 2019.

Attorney General Ferguson has been taking action to protect Washingtonians when companies fail to reasonably secure data or provide timely notice regarding breaches. In November 2017, the Attorney General’s Office filed a multi-million-dollar consumer protection lawsuit against ride-sharing company Uber for failing to disclose a data breach that compromised the names and driver’s license numbers of nearly 13,000 Uber drivers in Washington. Uber waited more than a year to notify affected drivers and the Attorney General’s Office, much longer than the 45 days required by law at the time. As a result of Ferguson’s lawsuit, Uber paid $5.79 million to Washington state, which included payments of $170 for each of the impacted drivers.

Earlier this month, Ferguson announced that Premera Blue Cross will pay $10 million over its 2014 data breach that affected the private health care information of over 10.4 million individuals.

Ferguson’s office has required several corporations, including Target Corporation, that experienced breaches impacting Washingtonians’ privacy to enter into legally enforceable agreements to improve their data security.

More information about data breaches in Washington, including the individual data breach reports submitted to the Attorney General’s Office, is available atwww.atg.wa.gov/data-breach-notifications. Information for businesses on reporting data breaches is available at www.atg.wa.gov/identity-theft-and-privacy-guide-businesses.