Equifax will pay $671 million to settle numerous state class-action lawsuits and investigations by the Federal Trade Commission, New York Department of Financial Services and Consumer Financial Protection Bureau, the company said Monday.
The deal, which is still subject to a six-month court approval process, will establish a consumer restitution fund of up to $425 million, which will pay for credit monitoring from all three bureaus and any "out-of-pocket losses related to the breach." As an alternative, consumers can request a $125 cash payment if they already have been signed up for credit monitoring services that will continue for at least six months.
Consumers may also be eligible for payments of up to $20,000 for time they spent remedying fraud or misuse of personal information or out-of-pocket losses.
But that will likely be an uphill battle. As CNBC previously reported and as , repeated several times on a conference call Monday, the data connected with the Equifax breach has never been found for sale on the dark web. Instead, intelligence experts and security executives have told CNBC that the information was likely stolen by a foreign intelligence agency for spying purposes.
This means proving your data was misused as a result of the breach would be a difficult fight.
Settlements for "out-of-pocket" costs related to a security breach are already extremely rare, and generally must involve proving a direct connection between a real financial loss directly connected to data stolen. The same principle could have applied to proving fraud or data misuse, which would require consumers to prove the fraud was related to having their data stolen as a result of the Equifax breach and not a breach of another company.
But a spokesperson for the New York Attorney General's Office said it will enforce a rule that will allow consumers who have been the victim of identity theft from any breach, not just Equifax, to apply for the out-of-pocket reward.
Still, in this scenario, consumers will need to have a paper trail, including that any lost funds from identity theft were not reimbursed by a bank or credit card company, or that they spent time filing disputes over the fraud. The time spent will be compensated at $25 per hour for up to 20 hours, according to the settlement.
"Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk," said Attorney General Letitia James. "This company's ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population. Now it's time for the company to do what's right and not only pay restitution to the millions of victims of their data breach."
A spokesperson for the FTC also said the commission intends to make restitution as easy as possible for the vicitms of the breach, and that it will allow victims to be compensated "if the circumstances of their identity theft involved the same type of personal information that was exposed in the breach, and that the identity theft occurred after the breach."
Experian will be offering the four-year credit monitoring service, as it has for its own free monitoring service between 2017 and 2019. The company has set up a website describing the settlement: www.equifaxbreachsettlement.com. The FTC has also published details of the settlement on its website.
Equifax's CEO called the incident "an attack on consumers and an attack on America" on the conference call. The breach affected 147 million consumers, most in the U.S., but also in Europe and Canada.
"We believe the total amount we are making in our compensation fund reflects the seriousness with which we take this matter," Begor said. "Today's announcement is a positive step for Equifax and for consumers."
Equifax's second-quarter earnings are scheduled to be released Wednesday. Equifax stock was up less than 1% midmorning Monday.
Correction: Equifax's second-quarter earnings are scheduled to be released Wednesday. An earlier version misstated the day.