Connecticut Attorney General William Tong announced last week that Connecticut is joining two multistate settlements for data breaches occurring in 2012 and 2015.
The data breaches “compromised the personal information of millions of consumers nationwide,” according to a state press release. Both breaches were connected to the consumer credit-reporting company Experian, and the 2015 breach also involved credit applications with T-Mobile.
The two companies have come to an agreement and will pay more than $16 million, in total, to all the states involved with the settlements. Nearly $900,000 of the payment will go to the state of Connecticut.
“Under the settlements, [Experian and T-Mobile] have agreed to improve their data security practices and to pay the states a combined amount of more than $16 million,” the press release said. “Connecticut will receive a total of $886,175 from the settlements.”
The $886,175 payment will go to the state’s general fund, according to the Office of the Attorney General’s media contact Elizabeth Benton, and is expected to arrive by January.
“[The] money goes to the general fund,” Benton said in an email. “Payment is due within 30 days of the effective date of the settlement, which is Dec. 7. So, payment [is] expected before Jan. 7, 2023.”
According to Attorney General Tong, the settlements serve as a message to companies that they will be held accountable for failing to protect consumers’ personal information.
“Experian and T-Mobile had independent obligations to safeguard consumers’ personal information,” Tong said. “They each failed to do so in their own respects. Our multistate settlement sends a strong message to companies that we will hold them accountable if they fail to take reasonable measures to protect consumers’ information—whether that information is managed on their own systems or entrusted to a third party.”
In the 2015 data breach, Experian reported that an unauthorized actor gained access to personal information that Experian held on behalf of its client, T-Mobile, according to the press release. The information was linked to consumers who applied for T-Mobile’s postpaid services and device financing between September 2013 and September 2013. It included names, addresses, dates of birth, and Social Security and identification numbers.
According to the press release, the 2015 breach affected 142,789 Connecticut residents. The corresponding settlement involves $12.67 million from Experian, and the company has also “agreed to strengthen its due diligence and data security practices going forward.”
Also included in the settlement are free credit monitoring services and two free copies of annual credit reports provided by Experian over a five-year period. Affected consumers can register for the services via an online form.
Benton spoke of the credit monitoring services as being a helpful resource for affected consumers looking to protect themselves.
“…Credit monitoring is an important way for consumers to protect themselves and we strongly encourage all impacted consumers to take advantage of this protection,” Benton said.
The separate settlement with T-Mobile covers $2.43 million of the total payment received by the state. In that settlement, T-Mobile is expected to proceed with “detailed vendor management provisions designed to strengthen its vendor oversight going forward,” according to the press release. This includes the establishment of a vendor risk management program, as well as vendor assessment and monitoring mechanisms.
The press release clarified that the settlement is unrelated to a T-Mobile data breach that happened in August 2021.
“The settlement with T-Mobile does not concern the unrelated, massive data breach announced by T-Mobile in August 2021, which is still under investigation by a multistate coalition of Attorneys General co-led by Connecticut,” said the press release.
Experian will pay an additional $1 million to resolve a separate investigation regarding Experian Data Corp.’s failure to prevent or provide notice of the 2012 data breach, the press release also said. In that data breach, an identity thief posed as a private investigator and gained access to sensitive personal information.