
In November 2022, 40 states “announced separate settlements with Experian Information Solutions, Inc. (Experian) and T-Mobile USA, Inc. (T-Mobile) concerning a 2015 data breach experienced by Experian that compromised the personal information of more than 15 million individuals who submitted credit applications with T-Mobile. Under the settlements, the companies have agreed to improve their data security practices and to pay the states a combined amount of more than $15 million.”

The investigation into the 2015 data breach was co-led by Connecticut, the District of Columbia, Maryland, and Illinois, with the assistance of Massachusetts and Texas. The settlement was also joined by Arizona, Arkansas, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, Tennessee, Vermont, Virginia, Washington, and Wisconsin.

As noted in a press release,

In September 2015, Experian, one of the big-three credit reporting bureaus, reported it had experienced a data breach in which an unauthorized actor gained access to part of Experian’s network storing personal information on behalf of its client, T-Mobile. The breach involved information associated with consumers who had applied for T-Mobile’s postpaid services and device financing between September 2013 and September 2015, including names, addresses, dates of birth, Social Security numbers, identification numbers (such as driver’s license numbers and passport numbers), and related information used in T-Mobile’s own credit assessments. Neither Experian’s consumer credit database, nor T-Mobile’s own systems, were compromised in the breach.

The multistate coalition obtained separate settlements from Experian and T-Mobile in connection with the 2015 data breach. Under a $12.67 million settlement, Experian has agreed to strengthen its due diligence and data security practices going forward, including:

      • Prohibition against misrepresentations to its clients regarding the extent to which Experian protects the privacy and security of personal information;
      • Implementation of a comprehensive Information Security Program, incorporating zero-trust principles, regular executive-level reporting, and enhanced employee training;
      • Due diligence provisions requiring the company to properly vet acquisitions and evaluate data security concerns prior to integration;
      • Data minimization and disposal requirements, including specific efforts aimed at reducing use of Social Security numbers as identifiers; and
      • Specific security requirements, including with respect to encryption, segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, penetration testing, and risk assessments.

The settlement also requires Experian to offer five years of free credit monitoring services to affected consumers, as well as two free copies of their credit reports annually during that timeframe. This is in addition to the four years of credit monitoring services that had already been offered to affected consumers – two of which were offered by Experian in the wake of the breach, and two that were secured through a separate 2019 class action settlement. Enrollment in these prior offerings is now closed.