Equifax Inc. agreed to pay $18.2 million and change security protections to end claims it failed to prevent a 2017 data breach that affected 3 million Massachusetts residents, state Attorney General Maura Healey announced.
The settlement ends claims tied to one of the largest data breaches in U.S. history and adds to other state attorney general settlements, including a $19.5 million pact with Indiana Attorney General Curtis Hill (R).
Equifax had a “duty to protect” the private information of Massachusetts residents and failed, Healey (D) told reporters. “Protect people’s data or you’ll pay.”
In addition to the financial pay-out, Equifax must monitor for any security vulnerabilities, minimize collection of sensitive data and agree to third-party audits of safeguards, according to the announcement.
An Equifax representative didn’t immediately respond to a request for comment.
Equifax has already reached settlements with federal agencies, other state attorneys general, city officials, investors, and consumer plaintiffs.
The company reached a $700 million settlement in July 2019 to end claims with the Federal Trade Commission, other state attorneys general, and the Consumer Financial Protection Bureau. It reached a $149 million settlement with investors and a $380.5 million deal with consumer plaintiffs.
Healey decided not to join the multi-state settlement because she said she wanted more restitution for Massachusetts residents.
The state got “more through litigation than” if they would have joined the July 2019 settlement, Healey said.