Settlement | Critical Risk | Multistate

CA AG Settles with Equifax for $600M Over 2017 Data Breach

Equifax | July 22, 2019 | California Attorney General

Penalty Amount

$175,000,000

Consumers Affected

147,000,000

Summary

California Attorney General Xavier Becerra, leading a multistate coalition of all 50 states, the District of Columbia, and Puerto Rico, announced a settlement with Equifax over a 2017 data breach that exposed personal information of 147 million consumers, including 15 million Californians. The breach resulted from Equifax’s failure to apply a critical software patch and implement adequate security measures, with disclosure delayed for months after discovery. Equifax will pay $175 million in state penalties, up to $425 million in consumer restitution, and implement enhanced data security measures and ten years of free credit monitoring for affected consumers.

Remedy

Equifax must pay $175 million in penalties to states, including over $18.7 million to California, and up to $425 million into a restitution fund for affected consumers, who may receive cash reimbursement for breach-related losses or free credit monitoring for up to 10 years. Injunctive terms require Equifax to implement a comprehensive Information Security Program, hire a Chief Information Security Officer, reduce unnecessary storage of Social Security numbers, establish a consumer assistance process for identity theft claims, and comply with data protection requirements. Equifax is banned from profiting off data collected in connection with the breach or settlement remedies.

Monetary Penalty | Consumer Refunds | Injunction | Compliance Program

Contract Impact

In-house legal teams should review vendor agreements with data brokers, credit reporting agencies, and third-party service providers to ensure robust data security clauses mandating timely software patching, encryption of sensitive personal information (including Social Security numbers), and comprehensive Information Security Programs. Breach notification clauses must be updated to require immediate disclosure of security incidents, aligning with state and federal notification timelines, and include obligations to provide consumer remediation such as credit monitoring. Data retention clauses should limit unnecessary storage of sensitive consumer data like Social Security numbers, and all contracts involving consumer personal information should require vendors to comply with applicable data protection laws and injunctive terms from enforcement actions.

Contract Search Terms

data security requirements, breach notification timeline, software patch policy, Social Security number retention, encryption of personal data, Information Security Program, breach disclosure obligations, credit monitoring services

Violation Types

Entity Details

Entity

Equifax

Industry

Data Broker

Multistate Coalition

Official Sources

Source Evidence

Entity Name: "Equifax"
Fine Amount: "pay another $175 million to states in penalties"
Event Date: "Monday, July 22, 2019"
Jurisdiction: "California Attorney General Xavier Becerra today announced a nationwide settlement against Equifax"
Violation Types: "improperly exposed the personal information of 147 million consumers"
Violation Types: "failed to apply a critical software fix and implement security measures that would have protected and encrypted consumers’ data"

Related Enforcement Actions

NJ

Equifax

New Jersey Attorney General Christopher Porrino announced that New Jersey has joined a multi-state investigation into Equifax following a data breach affecting 143 million consumers. The multi-state group sent a letter demanding Equifax disable fee-based credit monitoring services and reimburse consumers for credit freeze fees with other bureaus, citing unfair practices and a months-long delay in breach disclosure.

CA

Nexstar Media Group, Inc. and Tegna Inc.

California Attorney General Rob Bonta, joined by attorneys general from seven other states, filed a lawsuit to block the $6.2 billion merger between Nexstar Media Group and Tegna Inc. The lawsuit alleges the merger violates Section 7 of the Clayton Act by reducing competition in local TV markets, leading to higher prices, less local news, and job losses.

CA

U.S. Department of Education

California Attorney General Rob Bonta filed a lawsuit against the U.S. Department of Education to block the expansion of IPEDS data collection requiring colleges to submit race-linked student data. The lawsuit argues the demand is arbitrary, capricious, and burdensome, and could enable costly partisan investigations. A multistate coalition co-led the challenge.

CA

Live Nation

California Attorney General Rob Bonta and a coalition of state attorneys general announced they will continue their antitrust lawsuit against Live Nation/Ticketmaster after the U.S. Department of Justice settled the case. The states aim to hold Live Nation accountable for anticompetitive conduct that harms consumers, artists, and venues in the live music industry.

CA

Ford Motor Company

$376K

The California Privacy Protection Agency (CalPrivacy) settled with Ford Motor Company, requiring the company to pay a $375,703 fine and change its practices. Ford violated the CCPA by requiring consumers to complete an email verification step before they could opt out of the sale and sharing of their personal information collected through digital properties and connected vehicle services. In addition to the fine, Ford must provide easy methods to submit opt-out requests with minimal steps, audit its tracking technologies, and ensure compliance with opt-out preference signals, including Global Privacy Control.

CA

GoFundMe

California Attorney General Rob Bonta, co-leading a bipartisan coalition of 21 attorneys general and charitable regulators, sent a letter to GoFundMe demanding the platform remove all plagiarized donation web pages for over 1.4 million charities, disclose information about donations, and ensure pages do not outrank official charity sites in search results. The action follows reports that GoFundMe used charities' information without consent and engaged in deceptive solicitations, violating state charitable solicitation and consumer protection laws.