HONOLULU (KHON2) — Stephen Levins, executive director of the State of Hawaii Office of Consumer Protection announced that the State of Hawaii has settled its investigation into the 2017 Equifax Inc.’s data breach. Hawaii joined a coalition of 48 states, the District of Columbia, and the Commonwealth of Puerto Rico, that conducted the investigation and negotiated the terms of the settlement.
The investigation found that Equifax’s failure to maintain a reasonable security system enabled hackers to penetrate its systems, exposing the data of more than 147 million Americans, which included 56 percent of American adults. The States secured a settlement with Equifax that includes a Consumer Restitution Fund of up to $425 million, a $175 million payment to the states, and injunctive relief, which also includes a significant financial commitment. Equifax also has agreed to pay an additional $100 million to settle a federal investigation at the Consumer Financial Protection Bureau. This is the largest ever breach of consumer data and enforcement action on the matter to date.
The program to pay restitution to consumers will be conducted in connection with settlements that have been reached in the multi-district class actions filed against Equifax, as well as settlements that were reached with the Federal Trade Commission and Consumer Financial Protection Bureau.
In addition to consumer restitution, the State of Hawaii will receive one million dollars as a result of the settlement.
“Equifax’s conduct undermined consumers’ confidence in the ability of the credit reporting industry to safeguard confidential information. This settlement will send a strong message to Equifax and to other companies that failing to implement adequate protections will have severe consequences,” said Stephen Levins, executive director of the State of Hawaii Office of Consumer Protection.
On September 7, 2017, Equifax, one of the largest consumer reporting agencies in the world, announced a data breach affecting nearly half of the U.S. population. Breached information included social security numbers, names, dates of birth, addresses, credit card numbers, and in some cases, driver’s license numbers.
Shortly after, a coalition that grew to 48 states, the District of Columbia, and Puerto Rico, launched a multi-state investigation into the breach. The investigation found that the breach occurred because Equifax failed to implement an adequate security program to protect consumers’ highly sensitive personal information. Despite knowing about a critical vulnerability in its software, Equifax failed to fully update its systems with a critical security patch. Moreover, Equifax failed to keep up-to-date software that monitored the breached network for suspicious activity. As a result, the attackers penetrated Equifax’s system and went unnoticed for 76 days.
The company will offer consumers whose information was breached extended credit-monitoring services for 10 years.
Individuals who have questions about their eligibility for restitution and/or wish to enroll in credit monitoring should contact 1-833-759-2982 or visit https://www.ftc.gov/equifax-data-breach.
Equifax has also agreed to take several steps to assist consumers who are either facing identity theft issues or who have already had their identities stolen including, but not limited to, terms:
- Easing the process for consumers to freeze and thaw their credit
- Facilitating the resolution of disputes by consumers involving inaccurate information in credit reports
- Requiring Equifax to maintain sufficient staff dedicated to assisting consumers who may be victims of identity theft
Equifax has also agreed to strengthen its security practices going forward, including, among other things:
- Reorganizing its data security team;
- Minimizing its collection of sensitive data and the use of consumers’ Social Security numbers
- Performing regular security monitoring, logging and testing;
- Employing improved access control and account management tools;
- Reorganizing and segmenting its network
- Reorganizing its patch management team and employing new policies regarding the identification and deployment of critical security updates and patches
In addition to Hawaii, the other states participating in this settlement included: Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, Wyoming, and the District of Columbia.