[B]URLINGTON — The state of Vermont will receive $1.85 million, and affected Vermont consumers are eligible for compensation, as part of a national settlement with Equifax following the company’s 2017 data security breach.
The approximately $700 million nationwide settlement resolves consumer class action lawsuits and litigation including the Federal Trade Commission, Consumer Finance Protection Bureau, attorneys general in 48 states and the New York Department of Financial Services stemming from one of the largest data breaches in history.
Attorney General TJ Donovan announced the state’s share of the settlement Monday at the University of Vermont, the home of the state’s Consumer Assistance Program. The breach at the credit reporting agency affected 148 million Americans and 251,419 Vermonters, Donovan said.
The Consumer Assistance Program, a partnership between the state and UVM, received over 700 calls the first weekend after the breach was announced, Donovan said.
“Because of this data breach, Vermonters felt anxious, scared that their financial livelihood was on the line,” Donovan said. “They rightfully should have been scared, we are an online, digital economy and scams are on the rise. This Equifax breach demonstrated that.”
Consumers’ Social Security numbers, birth data and address information were compromised, and for some consumers Social Security numbers, credit card numbers and credit dispute documents were obtained by hackers.
Equifax did not disclose the breach until September 2017, three months after the company discovered it.
Under the settlement, $425 million will go into a restitution fund for affected consumers, $175 million will go to states and between $50 million and $100 million will go to the federal Consumer Financial Protection Bureau. The settlement is pending judicial approval.
The number of consumers affected in each state determined the percentage of the settlement each state received, Donovan said. The $1.8 million Vermont will receive will go into the state’s general fund.
Affected consumers can submit claims for time spent dealing with the breach, which is $25 per hour for up to 20 hours.
“If Vermonters spent time making sure their money was safe, you are eligible for restitution up to 20 hours at $25 an hour,” Donovan said.
Consumers can also be reimbursed for documented out-of-pocket expenses related to the breach, up to $20,000. Affected consumers are also eligible for three free credit monitoring reports.
More information can be found, and claims can be made following a judge’s approval of the settlement, at equifaxbreachsettlement.com
The breach raised awareness about online digital security, Donovan said.
“More and more of our financial transactions are being done online,” he said. “That raises the risk level for scams and for these breaches.”
Equifax CEO Mark Begor said in a statement that the settlement was a “positive step” for consumers as the company moves forward from the 2017 data breach.
“The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter,” Begor said.
The Consumer Assistance Program has increased its outreach efforts on data privacy and consumer privacy following the breach, Chris Curtis, the chief of the attorney general’s public protection office, said.
“We are going to make sure that Vermonters feel secure, and that when there is a breach, there is accountability, there is restitution available for Vermonters … and that we can have preventive measures in the future,” he said.
Vermont was the first state to pass additional regulations for data brokers following the data breach. Part of this legislation including eliminating fees for Vermonters to place security freezes on their credit files.
The law, passed in January 2018, also clarified security requirements for companies that buy or sell personal information and makes it illegal to acquire personal data for fraudulent purposes.
The law also set up a registry for data brokers, but six months after the law took effect, only a small fraction of the companies that were mandated to register with the state have done so.
Equifax did not have adequate data security leading up to the breach, said Ryan Kriger, an assistant attorney general who worked on the case.
“It is possible to have a data breach and still have done everything in your power,” Kriger said. “The bad guys are often just that good. That was not the case here.”
Consumers affected by the Equifax breach can also sign up for alerts about the settlement at the FTC’s website.
Kriger said Equifax knew about a vulnerability which it did not patch prior to the breach and had too much information stored in an easily-accessible database.
“Another really important part of this settlement is there is an entire data security regime that Equifax is going to have to implement in order to comply with this settlement,” Kriger said. “So they have to have much better data security.”