In re Equifax Inc. Customer Data Security Breach Litigation — MDL, FTC/CFPB, and related actions¶
Table of contents¶
- Executive Summary
- Regulatory and Legal Outcomes
- Security Technical Summary
- Understanding Regulatory and Court Orders
- Case Pack Documents
- Facts and Timeline
- References
Executive Summary¶
Equifax disclosed a 2017 breach affecting large numbers of U.S. consumers, exposing credit file data and related identifiers. Federal regulators—the FTC and CFPB—obtained orders requiring security program upgrades, assessments, and consumer redress, among other terms. Civil MDL litigation addressed class claims and settlement administration.
Regulatory and Legal Outcomes¶
FTC¶
Stipulated order (July 2019) — comprehensive information security program, assessments, and redress (read the order PDF).
CFPB¶
Parallel enforcement with posted complaint and order on the CFPB action page.
MDL¶
In re Equifax Inc. Customer Data Security Breach Litigation — consumer class proceedings and settlement (see MDL docket and settlement documents).
Security Technical Summary¶
Summary¶
Public narratives focus on patch management failure for a known vulnerability in an internet-facing stack, leading to mass data access in a credit bureau environment.
Attack chain (simplified)¶
- Known CVE present in exposed application component.
- Exploitation yields access to consumer databases.
- Exfiltration at scale; delayed or complex internal detection narrative in public filings.
Engineering takeaways¶
- Emergency patch SLAs for internet-facing apps with PII.
- Segmentation and egress controls for data stores.
- Tabletop exercises with legal and comms at bureau scale.
Understanding Regulatory and Court Orders¶
See Understanding regulatory and court orders.
| Document | Date | Source | Key content |
|---|---|---|---|
| FTC stipulated order — Equifax | Jul. 22, 2019 | FTC | Security program, assessments, redress |
| CFPB — Equifax, Inc. | — | CFPB | Enforcement order and complaint (as posted) |
Case Pack Documents¶
| Case Document | Summary | Writing Scenario |
|---|---|---|
| Executive and board | ||
| Board Pack | High-level security status and top risks for the board. | CISO delivers a board security brief to the Board Audit Committee. |
| Executive Security Risk Summary | Consolidated security risks and mitigation for executives. | Security Director prepares executive risk summary for CEO and leadership. |
| Security Program Status Report | Program health, metrics, and progress for leadership. | Lead Security Engineer submits status report to Security Director and CISO. |
| Strategic Security Initiative Justification | Business case for a major security initiative. | CISO presents business case for program investment and remediation. |
| Regulatory and compliance | ||
| Regulatory Security Explanation | Explain security posture and controls to a regulator. | Security lead submits explanation of program and compliance posture. |
| Compliance Justification Document | Justify how controls meet a requirement or framework. | Lead Security Engineer maps controls to legal or regulatory requirements. |
| Controls -> Evidence Map | How controls are implemented and evidenced. | Security or control owner maps controls to evidence for regulator or auditor. |
| Governance Response Memo | Respond to an audit or regulatory request on governance. | CISO submits governance response memo for oversight review. |
| Legal-technical | ||
| Detailed Narrative of Events | Chronological factual narrative for legal or regulatory use. | Security or legal prepares chronology for counsel or regulator. |
| Security Architecture Explanation for Legal Review | Explain architecture and controls for counsel. | Lead Security Engineer produces architecture memo for General Counsel. |
| Risk Register | Justify risk acceptance or mitigation for legal or audit. | Security Director maintains risk register for leadership and audit. |
| Security Decision Documentation | Record a significant security decision and rationale. | Security Director documents decision record for board and counsel. |
| Policy and governance | ||
| Security Policy Draft | Draft or update an enterprise security policy. | Security Director drafts policy for CISO, Legal, and board review. |
| Security Governance Memo | Define or clarify governance roles and escalation. | CISO issues internal governance memo to leadership. |
| Security Program Justification | Justify program scope, resourcing, or structure. | CISO presents program justification to CEO and board. |
| Internal Security Directive | Directive or mandate from leadership on security. | CISO issues internal directive on priority control requirements. |
| Public communication | ||
| Security Public Statement | Draft for press or public breach or incident statement. | CISO drafts public statement for consumers and partners. |
| Customer Security Explanation | Explain a security topic or incident to customers. | CISO drafts formal customer explanation for affected users. |
| Security Transparency Report Section | Section for an annual or ad-hoc transparency report. | CISO drafts security section of transparency report for external audiences. |
| Operational (case-pack specific) | ||
| Audit Packet Checklist | What to produce within 48 hours for evidence readiness. | Checklist for audit or regulator request. |
| Implementation Checklist | 0-30 / 30-60 / 60-90 day execution plan. | Security or program owner executes plan for leadership or board. |
Facts and Timeline¶
- Sep. 2017 — Public breach disclosure.
- Jul. 2019 — FTC stipulated order; CFPB action public materials.
- 2020+ — MDL settlement administration (see docket).
References¶
Primary
Cited
- Federal Trade Commission. Equifax enforcement materials (case page and order).
https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement