This is a new fine and it is not old news and in fact, this article is the sixth article we have written on various implications of the original September 2017 Equifax data breach.
We do not expect that this will be the last we write about it either.
The continued scrutiny of the breach by regulatory authorities around the world is indicative of the risks that any data breach poses to organisations with a global presence.
This week, 22 July 2019, the US Federal Trade Commission (FTC) announced a settlement with credit reporting agency Equifax regarding their September 2017 data breach.
The amount of this settlement is in the range of US$575 million and potentially up to US$700 million. The settlement will be paid in part to the FTC, Consumer Financial Protection Bureau and 50 states and territories and relief will be paid to US citizens who were affected by the breach. Initial reports were that this concerned at least 147 million individuals.
Part of the announcement indicated that the quantum of the fine was based on the ability to compensate individuals, provide revenue for the various states and territories who had prosecuted the breach, and to ensure that Equifax was not bankrupted by the settlement.
The FTC has also appointed an independent third-party assessor to review Equifax's compliance with its data security obligations.
We first wrote about this breach in September 2017 and you can access all the relevant facts here.
When Equifax reported its first quarterly earnings after the breach, in November 2017, it indicated that the direct costs in that quarter topped US$87 million. You can read our article on that here.
The following year did not prove any better. In September 2018 the United Kingdom Information Commissioner's Office issued a monetary penalty of £500,000 to Equifax Ltd, the UK arm, based on the US breach. Read more about this here.
Finally, it ended the year with a report being released by the US House of Representatives Committee on Oversight and Government Reform and you can read our article and that report here.
The Federal Trade Commission has created a separate webpage for the settlement with FAQs and details for affected individuals here.
The press release announcing the settlement included a comment that if employees considered that the company was not living up to its data security promises they should contact the FTC.
What does this mean for other businesses?
It is clear from the above that a single incident can have ongoing costs and ramifications of a negative nature.
In addition to the Equifax breach, closer to home there has been a breach by the valuation firm, Landmark White, which occurred in January 2019 and involved its key customers pulling their business for a period of time, its shares being suspended from the ASX for over four weeks, a decline in its share price of around 23 per cent and as announced this week, the requirement that the firm raise additional capital of around $3 million to prevent it from going under.
It is clear from both the enormity of the Equifax breach and the more recent local breach that attention to data security is an investment well worth making as the consequences are significant.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.