LANSING — Michigan Attorney General Dana Nessel announced today that the state of Michigan, along with a coalition of other attorneys general, has reached two multi-party settlements with Experian over the data breaches it suffered in 2012 and 2015, which put the personal information of millions of consumers nationwide at risk. The coalition also secured a separate agreement with T-Mobile over the 2015 Experian breach, which affected more than 15 million individuals who had submitted credit applications to T-Mobile. Under the settlements, the companies agreed to improve their data security practices and pay the states a total of more than $16 million. In total, Michigan will receive $359,896 from the settlements.
“When consumers do business with a company, they should be able to trust that their personal information will only be used for legitimate purposes,” Nessel said. “Data thieves are ruthless when it comes to stealing personal information and using it for nefarious purposes. Companies need to be just as ruthless in protecting their data. These agreements are steps in the right direction when it comes to holding companies accountable for the security of user data.”
In September 2015, Experian, one of the Big Three credit reporting bureaus, reported a data breach in which an unauthorized actor gained access to a portion of Experian’s network that stores personal information on behalf of its customer T-Mobile. The breach involved information related to consumers who had applied for T-Mobile’s postpaid services and device financing from September 2013 until 2015, including names, addresses, dates of birth, social security numbers, identification numbers (such as driver’s license and passport numbers), and related information used in T-Mobile’s credit evaluations. The number of Michigan residents affected by the 2015 breach was 330,892. The breach did not compromise Experian’s consumer credit database or T-Mobile’s own systems.
The 40-state group obtained separate agreements from Experian and T-Mobile over the 2015 data breach. Under a $12.67 million settlement, Experian has agreed to further strengthen its due diligence and data security practices. That includes:
- Prohibition of misrepresenting to its customers the extent to which Experian protects the privacy and security of personal information;
- Implementation of a comprehensive information security program that includes zero-trust principles, regular management-level reporting, and enhanced employee training;
- Due diligence provisions requiring the company to properly vet acquisitions and assess data security concerns before integration;
- Data reduction and deletion requirements, including specific efforts to reduce the use of social security numbers as identifiers; and
- Specific security requirements including encryption, segmentation, patch management, intrusion detection, firewalls, access control, logging and monitoring, penetration testing and risk assessment.
Under the settlement, Experian must also offer 5 years of free credit monitoring services to affected consumers, as well as two free copies of their credit reports annually during that period. This is in addition to the four years of credit monitoring services already offered to affected consumers, two of which were offered by Experian after the breach and two of which were provided separately under a 2019 class action settlement. Registration periods for these previous offers have since expired.
If you were a member of the 2019 settlement class, you are eligible to participate in these extended credit monitoring services. Affected consumers can sign up for the 5-year extended credit monitoring services, and more information on eligibility can be found here. The registration window will be open for 6 months. The Experian Information Solutions settlement terms can be viewed here.
Under a separate $2.43 million settlement, T-Mobile has agreed to detailed vendor management provisions to strengthen vendor oversight going forward. That includes:
- Implementation of a vendor risk management program;
- Maintenance of an inventory of T-Mobile vendor contracts, including vendor criticality assessments based on the nature and type of information received or processed by the vendor;
- Enforcing contractual data security requirements for T-Mobile’s vendors and sub-vendors, including those related to segmentation, passwords, encryption keys and patching;
- Creation of vendor evaluation and monitoring mechanisms; and
- Appropriate actions in response to vendor non-compliance, up to termination.
The settlement with T-Mobile does not concern the unrelated massive data breach that T-Mobile announced in August 2021, which is still under investigation by a multi-state coalition of attorneys general led by Connecticut. See T-Mobile’s settlement terms here.
Along with the 2015 data breach settlements, Experian agreed to pay an additional $1 million to resolve a separate multi-party investigation into another Experian subsidiary, Experian Data Corp. (EDC), over EDC’s failure to prevent or report a 2012 data breach in which an identity thief posing as a private investigator was given access to sensitive personal information stored in EDC’s commercial databases. Under the resolution, which was approved by a separate group of 40 states, EDC agreed to increase its verification and oversight of third parties to which it provides personal information, investigate and report data security incidents to attorneys general, and maintain a “red flags” program to detect and respond to potential identity theft. See the Experian Data Corp. settlement terms here.