Wed November 09, 2022

By Jeff Smithpeters

Business

Arkansas Attorney General's office announces multi-state settlements of suits against Experian, T-Mobile for data breaches


PRESS RELEASE

LITTLE ROCK – Arkansas Attorney General Leslie Rutledge announced that Arkansas, along with a coalition of states, has obtained two multistate settlements with Experian related to data breaches it experienced in 2012 and 2015. The breaches compromised the personal information of millions of consumers nationwide. The coalition has also obtained a separate settlement with T-Mobile in connection with the 2015 Experian breach, which impacted more than 15 million individuals who submitted credit applications with T-Mobile. Under the signed settlements, the companies have agreed to improve their data security practices and to pay the states a combined amount of more than $16 million. Arkansas will receive a total of $139,146.62 from the settlements.

“Con artists will stop at nothing to exploit our personal information for their gain. Unfortunately, consumers who were harmed by the data breaches in 2012 and 2015 are still dealing with the fallout,” said Attorney General Rutledge. “As con artists continue to look for ways to gain access to our personal information, my office will continue to educate and enforce the laws that protect consumers and their hard-earned money.”

In September 2015, Experian, one of the big-three credit reporting bureaus, reported it had experienced a data breach. An unauthorized actor gained access to part of Experian’s network that was storing personal information on behalf of its client, T-Mobile. The breach involved information associated with consumers who had applied for T-Mobile postpaid services and device financing between September 2013 and September 2015, including names, addresses, dates of birth, Social Security numbers, identification numbers (such as driver’s license and passport numbers), and related information used in T-Mobile’s own credit assessments. 3585 Arkansas residents were impacted by the 2015 breach. Neither Experian’s consumer credit database, nor T-Mobile’s own systems, were compromised in the breach.

A 40-state multistate group has obtained separate settlements from Experian and T-Mobile in connection with the 2015 data breach. Under a $12.67 million settlement, Experian has agreed to strengthen its due diligence and data security practices going forward. Those include:

  1. Prohibition against misrepresentations to its clients regarding the extent to which Experian protects the privacy and security of personal information;

  2. Implementation of a comprehensive Information Security Program, incorporating zero-trust principles, regular executive-level reporting, and enhanced employee training;

  3. Due diligence provisions requiring the company to properly vet acquisitions and evaluate data security concerns prior to integration;

  4. Data minimization and disposal requirements, including specific efforts aimed at reducing use of Social Security numbers as identifiers; and

  5. Specific security requirements, including with respect to encryption, segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, penetration testing, and risk assessments.

The settlement also requires Experian to offer 5 years of free credit monitoring services to affected consumers, as well as two free copies of their credit reports annually during that timeframe. This is in addition to the four years of credit monitoring services already offered to affected consumers—two of which were offered by Experian in the wake of the breach, and two that were secured through a separate 2019 class action settlement. The deadlines to enroll in these prior offerings have since passed.

If you were a class member in the 2019 class action settlement, you are eligible to enroll in these extended credit monitoring services. Affected consumers can enroll in the 5-year extended credit monitoring services and find more information on eligibility here: www.tmobileapplicant2015eisdatabreachsettlement.com. The enrollment window will remain open for 6 months.

In a separate $2.43 million settlement, T-Mobile has agreed to detailed vendor management provisions designed to strengthen its vendor oversight going forward. Those include:

  1. Implementation of a Vendor Risk Management Program;

  2. Maintenance of a T-Mobile vendor contract inventory, including vendor criticality ratings based on the nature and type of information that the vendor receives or maintains;

  3. Imposition of contractual data security requirements on T-Mobile’s vendors and sub-vendors, including related to segmentation, passwords, encryption keys, and patching;

  4. Establishment of vendor assessment and monitoring mechanisms; and

  5. Appropriate action in response to vendor non-compliance, up to contract termination.

The settlement with T-Mobile does not concern the unrelated, massive data breach announced by T-Mobile in August 2021, which is still under investigation by a multistate coalition of Attorneys General co-led by Connecticut.

Concurrently with the 2015 data breach settlements, Experian has agreed to pay an additional $1 million to resolve a separate multistate investigation into another Experian-owned company—Experian Data Corp. (“EDC”)—in connection with EDC’s failure to prevent or provide notice of a 2012 data breach that occurred when an identity thief posing as a private investigator was given access to sensitive personal information stored in EDC’s commercial databases. Under that resolution, entered into by a separate group of 40 states, EDC has agreed to strengthen its vetting and oversight of third parties to which it provides personal information, investigate and report data security incidents to the Attorneys General, and maintain a “Red Flags” program to detect and respond to potential identity theft.

About Attorney General Leslie Rutledge

Leslie Carol Rutledge is the 56th Attorney General of Arkansas. Elected on November 4, 2014, and sworn in on January 13, 2015, she is the first woman and first Republican in Arkansas history to be elected as Attorney General. She was resoundingly re-elected on November 6, 2018. Since taking office, she has significantly increased the number of arrests and convictions against online predators who exploit children and con artists who steal taxpayer money through Social Security Disability and Medicaid fraud. Further, she has held Rutledge Roundtable meetings and Mobile Office hours in every county of the State each year, and launched a Military and Veterans Initiative. She has led efforts to roll back government regulations that hurt job creators, fight the opioid epidemic, teach internet safety, combat domestic violence and make the office the top law firm for Arkansans. Rutledge serves on committees for Consumer Protection, Criminal Law and Veterans Affairs for the National Association of Attorneys General. She also served as the former Chairwoman of the Republican Attorneys General Association.

A native of Batesville, she is a graduate of the University of Arkansas at Fayetteville and the University of Arkansas at Little Rock William H. Bowen School of Law. Rutledge clerked for the Arkansas Court of Appeals, was Deputy Counsel for former Governor Mike Huckabee, served as a Deputy Prosecuting Attorney in Lonoke County and was an Attorney at the Department of Human Services before serving as Counsel at the Republican National Committee. Rutledge and her husband, Boyce, have one daughter. The family has a home in Pulaski County and a farm in Crittenden County.
