BOISE – Attorney General Lawrence Wasden announced last week that Idaho, along with a coalition of other states, has agreed to two multistate settlements with Experian concerning data breaches in 2012 and 2015 that compromised the personal information of millions of consumers nationwide. The coalition has also obtained a separate settlement with T-Mobile in connection with the 2015 Experian breach, which impacted more than 15 million individuals who submitted credit applications with T-Mobile. Under the settlements, the companies have agreed to improve their data security practices and to pay the states more than $16 million.
The 2015 breach impacted 54,645 Idaho residents. Idaho will receive $172,000 from the settlements. Per Idaho Code, the money will be deposited into the state’s Consumer Protection Fund.
“My office is committed to ensuring that businesses protect Idahoans’ sensitive personal information,” Wasden said. “The security and reporting changes these settlements require help ensure Experian and T-Mobile better secure consumer data.”
In September 2015, Experian, one of the big-three credit reporting bureaus, reported it had experienced a data breach in which an unauthorized actor gained access to part of Experian’s network storing personal information on behalf of its client, T-Mobile. The breach involved private information associated with consumers who had applied for T-Mobile postpaid services and device financing between September 2013 and September 2015 and included names, addresses, dates of birth, Social Security numbers, identification numbers (such as driver’s license and passport numbers), and related information used in T-Mobile’s own credit assessments. Neither Experian’s consumer credit database nor T-Mobile’s own systems were compromised in the breach.
The settlement requires Experian to strengthen its due diligence and data security practices going forward. It prohibits Experian from misrepresenting to its clients the extent to which it protects the privacy and security of personal information, and requires Experian to:
- implement a comprehensive Information Security Program that incorporates zero-trust principles, regular executive-level reporting, and enhanced employee training.
- vet acquisitions and evaluate data security concerns prior to integration.
- reduce its use of Social Security numbers as identifiers and implement other data minimization and disposal procedures.
- adopt security mandates regarding encryption, segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, penetration testing, and risk assessments.
The settlement also requires Experian to offer five years of free credit monitoring services to affected consumers, as well as two free copies of their credit reports annually during that timeframe. Affected consumers are those who were members of the 2019 Experian class action settlement. Eligibility and enrollment information is available here.
In a separate $2.43 million settlement, T-Mobile agreed to detailed vendor management provisions designed to strengthen its vendor oversight going forward. Those provisions include:
- implementation of a Vendor Risk Management Program.
- maintenance of a T-Mobile vendor contract inventory, including vendor criticality ratings based on the nature and type of information that the vendor receives or maintains.
- imposition of contractual data security requirements on T-Mobile’s vendors and sub-vendors, including related to segmentation, passwords, encryption keys, and patching.
- establishment of vendor assessment and monitoring mechanisms.
- appropriate action in response to vendor non-compliance, up to contract termination.
The settlement with T-Mobile does not concern the unrelated, massive data breach announced by the company in August 2021, which is still under investigation.
Concurrently with the 2015 data breach settlements, Experian will pay an additional $1 million to resolve a separate multistate investigation into another Experian-owned company, Experian Data Corp. (“EDC”), in connection with EDC’s failure to prevent or provide notice of a 2012 data breach that occurred when an identity thief posing as a private investigator was given access to sensitive personal information stored in EDC’s commercial databases. Under that resolution, EDC agrees to strengthen its vetting and oversight of third parties that are allowed access to personal information, investigate and report data security incidents to the attorneys general, and maintain a “Red Flags” program to detect and respond to potential identity theft.