Attorney Norman Siegel, a partner at the Kansas City law firm of Stueve Siegel Hanson, played a key role in the $700 million settlement of the Equifax data breach, in which hackers stole the personal information of nearly half of all Americans.
The settlement, announced on Monday, will give victims of the 2017 hack free credit monitoring or a $125 cash payment, up to $20,000 in compensation for the time and money spent trying to protect their identity in the wake of the breach and up to seven years of free identity restoration services.
Equifax will pay $300 million for the credit monitoring offered in the settlement and pledged to add up to $125 million to the fund if needed. The company also agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, and $100 million to the Consumer Financial Protection Bureau in civil penalties, according to the FTC.
Siegel said that, despite its reach, the 2017 breach probably won’t have many long-term effects on data privacy legislation.
“If this breach did not prompt Congress to act, I’m not sure what will,” he said.
Three data protection bills were proposed in the immediate aftermath of the breach, Siegel said, but none of them gained traction. The civil litigation process and a patchwork of state laws are the only way to handle data security issues at this point, he said. Siegel has few expectations that the U.S. will adopt a federal-level standard like Europe’s General Data Protection Regulation any time soon.
He said Congress’ “inability to do much of anything” is the likely culprit for America’s lack of universal data protection laws, despite the work of some lawmakers, such as Sen. Elizabeth Warren, D-Massachusetts. Warren is vying for the Democratic nomination for president in 2020 and has proposed plans to “break up big tech.”
“It certainly seems to be the kind of legislation that should not break along party lines,” Siegel said, adding that the current system of civil litigation and varying state laws is “not the most efficient method.”
“If you had a universal standard that all companies knew they had to meet, it would be an efficient way to let companies know where the bar was,” he said, adding that such legislation could make data security a higher priority for companies that have experienced large data breaches, like Equifax, Yahoo and Anthem.
FTC Chairman Joe Simons said Equifax “failed to take basic steps that may have prevented the breach.”
Attackers scanned the web for vulnerable servers and found a weak spot in Equifax’s, which contained documents with personal consumer information. Hackers then obtained login information allowing them to extract data for 76 days, according to the U.S. Government Accountability Office, the investigative arm of Congress.
Consumers can find out whether they were victims of the breach and file claims online.
Siegel, a staunch advocate for data security, was appointed lead counsel in the suit and has dealt with a number of other privacy cases, including Target and Home Depot security breaches, both receiving multi-million dollar settlements. He also is also involved in a Marriott data breach case.
The international hotel chain announced last November that hackers had access to the personal information of more than 500 million customers for the past four years, including guest names, credit card numbers, passport numbers and phone numbers.