Hawaii is among a coalition of states receiving a portion of two settlements with Experian due to data breaches in 2012 and 2015 that impacted millions of consumers nationwide.
The states also achieved a separate settlement with T-Mobile in connection with a 2015 Experian breach that impacted more than 15 million people who submitted credit applications, according to a release from Gov. David Ige’s office.
“Companies must do a better job of protecting people’s personal information. In this day and age, not having stringent safeguards in place is simply unacceptable,” Stephen Levins, executive director of the Office of Consumer Protection, said in the release. “Any business that fails to have appropriate safety measures in place runs the risk of facing the consequences from law enforcement. These cases go a long way in holding Experian and T-Mobile accountable for the security breaches.”
Hawaii will receive $181,981 of a combined more than $16 million settlement where the companies have vowed to improve their data security practices.
In September 2015, Experian, one of the nation’s three major credit-reporting bureaus, reported a breach into Experian’s network storing personal information on behalf of T-Mobile. The breach involved information from those who had applied for T-Mobile postpaid services and device financing between September 2013 and September 2015.
The information included names, addresses, dates of birth, Social Security numbers, identification numbers (such as driver’s licenses and passport numbers) and related information used in T-Mobile’s own credit assessments. A total of 68,978 Hawaii residents were impacted by the 2015 breach. Neither Experian’s consumer credit database nor T-Mobile’s own systems were compromised in the breach.
A 40-state coalition has obtained separate settlements from Experian and T-Mobile in connection with the 2015 data breach. In the $13 million settlement, Experian agreed to strengthen its data security practices going forward.
According to the release, those practices include:
Prohibition against misrepresentations to its clients regarding the extent to which Experian protects the privacy and security of personal information;
Implementation of a comprehensive Information Security Program, incorporating zero-trust principles, regular executive-level reporting and enhanced employee training;
Due diligence provisions requiring the company to properly vet acquisitions and evaluate data security concerns prior to integration;
Data minimization and disposal requirements, including specific efforts aimed at reducing the use of Social Security numbers as identifiers;
Specific security requirements, including with respect to encryption, segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, penetration testing and risk assessments.
Additionally, Experian must offer five years of free credit monitoring services to affected consumers, as well as two free copies of their credit reports annually. This is on top of the four years of credit monitoring services already offered to affected consumers—two of which were offered by Experian in the wake of the breach, and two that were secured through a separate 2019 class action settlement. The deadlines to enroll in these prior offerings have since passed.
Those who are class members in the 2019 class action settlement are eligible to enroll in these extended credit monitoring services. Affected consumers can enroll in the five-year extended credit monitoring services and find more information on eligibility by clicking here. The enrollment window will remain open for six months.