Forty states will split a $16 million settlement from credit reporting bureau Experian and telecom company T-Mobile.
The settlements come from data breaches that happened between 2012 and 2015.
The breach impacted over 15 million people who submitted credit applications with T-Mobile. Nearly 69,000 Hawaiʻi residents were impacted by the data breach in 2015.
Hawaiʻi will receive $181,981 from the settlements.
Under a $12.67 million settlement, Experian has agreed to strengthen its due diligence and data security practices going forward. The terms include:
- Prohibition against misrepresentations to its clients regarding the extent to which Experian protects the privacy and security of personal information;
- Implementation of a comprehensive Information Security Program, incorporating zero-trust principles, regular executive-level reporting, and enhanced employee training;
- Due diligence provisions requiring the company to properly vet acquisitions and evaluate data security concerns prior to integration;
- Data minimization and disposal requirements, including specific efforts aimed at reducing use of Social Security numbers as identifiers; and
- Specific security requirements, including with respect to encryption, segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, penetration testing, and risk assessments.
In a separate $2.43 million settlement, T-Mobile has agreed to strengthen its vendor oversight going forward. The terms include:
- Implementation of a Vendor Risk Management Program;
- Maintenance of a T-Mobile vendor contract inventory, including vendor criticality ratings based on the nature and type of information that the vendor receives or maintains;
- Imposition of contractual data security requirements on T-Mobile’s vendors and sub-vendors, including related to segmentation, passwords, encryption keys, and patching;
- Establishment of vendor assessment and monitoring mechanisms; and
- Appropriate action in response to vendor non-compliance, up to contract termination.
Experian has agreed to pay an additional $1 million to resolve a separate multistate investigation into Experian Data Corp. in connection with its failure to prevent or provide notice of a 2012 data breach. That breach occurred when an identity thief posing as a private investigator was given access to sensitive personal information stored in Experian’s commercial databases.
Experian is involved in a separate 2019 class action settlement. Those involved in that case are eligible to enroll in a five-year extended credit monitoring service. The enrollment window will remain open for six months.
Information on eligibility can be found here.