Almost two years after credit reporting agency Equifax suffered a major data breach affecting more than 143 million people, the company has now settled with U.S. regulators. As part of that settlement, Equifax will pay at least $575 million, and potentially up to $700 million, in fines and restitution. The settlement is the largest ever agreed for data breach violations, reports CNBC.
However, when you look at the numbers involved, that total doesn’t seem like much considering how many people were affected. The terms of the agreement say Equifax will set up a restitution fund of $300 million for the victims of the data breach. That fund could climb to $425 million depending on its use. People who were affected by the Equifax breach will have to submit claims proving they were the victims of fraud related to the breach or that they set up credit-monitoring services following the breach.
Equifax will also need to pay a $175 million fine to the states and a $50 million fine to the Consumer Financial Protection Board. Adding all these fines and penalties up, you get the $575 million to $700 million figure. However, when you divide the minimum end of that figure by 143 million—the number of people affected by the Equifax data breach—you see that Equifax is essentially paying $4 for every person’s data that was breached. Breached data included a person’s social security number, birth dates, and addresses—and in a few cases, credit card and driver’s license numbers, too.
So for all that stress and worry and concern about your data being out there in the hands of hackers and criminals on the black market, people affected by the breach are essentially awarded four bucks. And if Equifax is forced to pay that extra $125 million in restitution, bringing its fines to the max of $700 million, the average victim only gets another 89 cents for a total of $4.89. That won’t even buy you a Big Mac Happy Meal.
Perhaps it’s because of restitution settlements like this that Elizabeth Warren wants real consequences for the next Equifax-level data breach.