A.  LONG FORM

B.  SHORT FORM

RECITALS

In a series of announcements beginning in September 2017, Equifax Inc. announced that it had been the victim of a criminal cyberattack on its computer systems in which the attacker/s gained unauthorized access to the personal information of approximately 147 million U.S. individuals.

After announcement of the Data Breach (as hereinafter defined), multiple putative class action lawsuits were filed by consumers against Equifax alleging it had failed to properly protect personal information in accordance with its duties, had inadequate data security, and improperly delayed notifying potentially impacted individuals.

On December 7, 2017, the Judicial Panel on Multidistrict Litigation transferred more than 200 putative class action lawsuits to the Honorable Thomas W. Thrash in the United States District Court for the Northern District of Georgia (the “Court”) for coordinated pretrial proceedings.

Additional lawsuits against Equifax were also transferred to, filed in, or otherwise assigned to the Court and included in coordinated pretrial proceedings as part of In re: Equifax Inc. Customer Data Security Breach Litigation , Case No. 1:17-md-2800-TWT (N.D. Ga.).

On February 12, 2018, the Court appointed leadership for consumer plaintiffs and interim class counsel pursuant to Federal Rule of Civil Procedure 23(g).

Class Counsel filed a Consolidated Consumer Class Action Complaint (“Complaint”) in In re: Equifax Inc. Customer Data Security Breach Litigation , Equifax moved to dismiss the Complaint, and the Court denied in part and granted in part the motion by Order dated January 28, 2019.

Beginning in September 2017, the Parties engaged in arm’s-length settlement negotiations overseen by former United States District Court Judge Layn R. Phillips. The Parties engaged in five in-person mediation sessions, on November 27 and 28, 2017, May 25, 2018, August 9, 2018, November 16, 2018, and March 30, 2019, under the direction of Judge Phillips. The last mediation session resulted in the Parties executing a binding term sheet, to be superseded by this Agreement.

Class Counsel has investigated the facts relating to the Data Breach with the assistance of consultants and experts in cybersecurity and identity theft, interviewed witnesses, reviewed Congressional testimony, analyzed the evidence adduced during pretrial and confirmatory discovery, including over a half-million pages of documents, spreadsheets, and other native files produced by Equifax, and researched the applicable law with respect to Plaintiffs’ claims against Equifax and the potential defenses thereto.

Defendants (as hereinafter defined) deny any wrongdoing whatsoever, and this Agreement shall in no event be construed or deemed to be evidence of or an admission or concession on the part of any Defendant with respect to any claim of any fault or liability or wrongdoing or damage whatsoever, any infirmity in the defenses that Defendants have asserted or would assert, or to the requirements of Federal Rule of Civil Procedure 23 and whether Plaintiffs satisfy those requirements.

Based upon their investigation, pretrial discovery, confirmatory discovery, and legal motion practice, as set forth above, Class Counsel have concluded that the terms and conditions of this Agreement are fair, reasonable and adequate to Plaintiffs and Settlement Class Members and are in their best interests, and have agreed to settle the consumer claims asserted in In re: Equifax Inc. Customer Data Security Breach Litigation pursuant to the terms and provisions of this Agreement.

It is the intention of the Parties to resolve the disputes and claims which they have between them on the terms set forth below.

DEFINITIONS

“Action” or “Actions” means all the actions listed in Exhibit 1, which are consumer cases that have been filed in, transferred to, or otherwise assigned to the Court and included in coordinated or consolidated pretrial proceedings as part of In re: Equifax Inc. Customer Data Security Breach Litigation , Case No. 1:17-md-2800-TWT (N.D. Ga.).

“Administrative Costs” means all reasonable costs and expenses of the Settlement Administrator incurred in carrying out its duties under this Agreement, including, without limitation, validating Settlement Class Members and determining eligibility for benefits under the Settlement, administering, calculating, and distributing the Consumer Restitution Fund and its benefits to Settlement Class Members, and paying Taxes.

“Affiliate” means, with respect to any Entity, any other Entity that directly or indirectly controls or is controlled by, or is under common control with, such Entity. For purposes of this definition, “control” when used with respect to any Entity means an ownership interest of at least twenty-five percent (25%) and/or the power to direct the management and policies of such Entity, directly or indirectly, whether through the ownership of voting securities, by contract, or otherwise.

“Agreement” means this Settlement Agreement and Release. The terms of the Agreement are set forth herein including the exhibits hereto.

“Alternative Reimbursement Compensation” means compensation to Settlement Class Members as set forth in Section 7.5.

“Business Days” means Monday, Tuesday, Wednesday, Thursday, and Friday, excluding holidays observed by the federal government.

“Business Practices Commitments” means the measures provided for in Exhibit 2.

“Claim Form” means the form Settlement Class Members submit (either in paper form or via the Settlement Website) to claim benefits under the Settlement, attached hereto as Exhibit 8.

“Claims Administration Protocol” means the protocol to be followed by the Settlement Administrator in processing claims made under this Agreement, attached hereto as Exhibit 9.

“Class Counsel” means Kenneth S. Canfield of Doffermyre Shields Canfield & Knowles, LLC, Amy E. Keller of DiCello Levitt Gutzler LLC, Norman E. Siegel of Stueve Siegel Hanson LLP, and Roy E. Barnes of Barnes Law Group, LLC.

“Consumer Restitution Fund” means three hundred eighty million, five hundred thousand United States Dollars ($380,500,000), any interest on or other income or gains earned while such amount is held in the Consumer Restitution Fund Account, and such additional amounts that Equifax may be required to contribute under the terms of this Agreement.

“Consumer Restitution Fund Account” means the account described in Sections 3.1 and 3.3 through 3.10.

“Court” means the United States District Court for the Northern District of Georgia.

“Credit Monitoring Services” means the services described in Section 7.1.

“Data Breach” means the data breach announced by Equifax Inc. on or about September 7, 2017.

“Defendants” means Equifax Inc., Equifax Information Services, LLC, and Equifax Consumer Services LLC.

“Effective Date” means the date upon which the Settlement contemplated by this Agreement shall become effective as set forth in Section 17.1.

“Entity” means any corporation, partnership, limited liability company, association, trust, or other organization of any type.

“Equifax” means Equifax Inc., Equifax Information Services, LLC, and Equifax Consumer Services LLC.

“Extended Claims Period” means the period beginning with the end of the Initial Claims Period through 4 years after the end of the Initial Claims Period.

“Fairness Hearing” means the hearing to be conducted by the Court to determine the fairness, adequacy, and reasonableness of the Agreement pursuant to Federal Rule of Civil Procedure 23 and whether to issue the Final Approval Order and Judgment.

“Final Approval Order and Judgment” means an order and judgment that the Court enters after the Fairness Hearing, which finally approves the Agreement, certifies the Settlement Class, dismisses Defendants with prejudice, and otherwise satisfies the settlement-related provisions of Federal Rule of Civil Procedure 23 in all respects.

“Initial Claims Period” means the 6 months after the date of the entry of the Order Permitting Issuance of Notice of Class Action Settlement.

“Notice” means notice of the proposed class action settlement to be provided to Settlement Class Members pursuant to the Notice Plan approved by the Court in connection with its Order Permitting Issuance of Notice of Class Action Settlement, substantially in the forms attached hereto as Exhibits 6.A through 6.F and 7.

“Notice Costs” means all reasonable costs and expenses of the Notice Provider, including, without limitation, all expenses or costs associated with the Notice Plan and providing Notice to the Settlement Class.

“Notice Date” means 60 days after the Court enters the Order Permitting Issuance of Notice of Class Action Settlement.

“Notice Plan” means the settlement notice program developed by the Notice Provider substantially in the form attached hereto as Exhibit 6, as approved by the Court.

“Notice Provider” means Signal Interactive Media LLC. A different Notice Provider may be substituted if approved by the Court.

“Objection Deadline” means 60 days after the Notice Date.

“One-Bureau Credit Monitoring Services” means the services described in Section 7.4.

“Opt-Out Deadline” means 60 days after the Notice Date.

“Order Permitting Issuance of Notice of Class Action Settlement” means an order determining that the Court will likely be able to approve the Settlement under Federal Rule of Civil Procedure 23(e)(2) and will likely be able to certify the Settlement Class for purposes of judgment. Such order will include the forms and procedure for providing notice to the Settlement Class, establish a procedure for Settlement Class Members to object to or opt-out of the Settlement, and set a date for the Fairness Hearing, without material change to the Parties’ agreed-upon proposed order attached hereto as Exhibit 5.

“Out-of-Pocket Losses” means losses as defined in Section 6.

“Parent” means, with respect to any Entity, any other Entity that owns or controls, directly or indirectly, at least a majority of the securities or other interests that have by their terms ordinary voting power to elect a majority of the board of directors, or a majority of others performing similar function, of such Entity.

“Parties” means the Settlement Class Representatives, on behalf of themselves and the Settlement Class, and Defendants.

“Plaintiffs” means all plaintiffs named in the Consumer Consolidated Class Action Complaint filed in In re: Equifax Inc. Customer Data Security Breach Litigation , Case No. 1:17-md-2800-TWT (N.D. Ga.).

“Preventative Measures” means Out-of-Pocket Losses associated with freezing or unfreezing credit reports and purchasing credit monitoring services as set forth in Sections 6.2.2 and 6.2.4.

“Released Claim” means any claims, liabilities, rights, demands, suits, obligations, damages, including but not limited to consequential damages, losses or costs, punitive damages, attorneys’ fees and costs, action or causes of action, penalties, remedies, of every kind or description—whether known or Unknown (as the term “Unknown Claims” is defined herein), suspected or unsuspected, asserted or unasserted, liquidated or unliquidated, legal, administrative, statutory, or equitable—that relate to or arise from the Data Breach or the facts alleged in the Actions.

“Restoration Services” means the services described in Section 7.2.

“Service Awards” means compensation awarded and paid to Settlement Class Representatives in recognition of their role in this litigation, subject to Court approval, as set forth in Section 10.

“Settlement” means the settlement of the Actions by and between the Parties, and the terms thereof as stated in this Agreement.

“Settlement Administrator” means JND Legal Administration. A different Settlement Administrator may be substituted if approved by the Court.

“Settlement Class” means the approximately 147 million U.S. consumers identified by Equifax whose personal information was compromised as a result of the cyberattack and data breach announced by Equifax Inc. on September 7, 2017. Excluded from the Settlement Class are: (i) Defendants, any entity in which Defendants have a controlling interest, and Defendants’ officers, directors, legal representatives, successors, subsidiaries, and assigns; (ii) any judge, justice, or judicial officer presiding over this matter and the members of their immediate families and judicial staff; and (iii) any individual who timely and validly opts out of the Settlement Class.

“Settlement Class Member” means a member of the Settlement Class.

“Settlement Class Representatives” are the Plaintiffs listed in Exhibit 10.

“Settlement Website” means a website established by the Settlement Administrator to provide information about the Settlement including deadlines and case documents, and permit Settlement Class Members to electronically submit Claim Forms.

“Subsidiary” means, with respect to any Entity, any other Entity of which the first Entity owns or controls, directly or indirectly, at least a majority of the securities or other interests that have by their terms ordinary voting power to elect a majority of the board of directors, or others performing similar functions, of the other Entity.

“Successor” means, with respect to a natural person, that person’s heir, successors, and assigns, and, with respect to an Entity, any other Entity that through merger, buyout, assignment, or any other means or transaction, acquires all of the first Entity’s duties, rights, obligations, shares, debts, or assets.

“Taxes” means (i) any and all applicable taxes, duties and similar charges imposed by a government authority (including any estimated taxes, interest or penalties) arising in any jurisdiction, if any, with respect to the income or gains earned by or in respect of the Consumer Restitution Fund, including, without limitation, any taxes that may be imposed upon Defendants or their counsel with respect to any income or gains earned by or in respect of the Consumer Restitution Fund for any period while it is held in the Consumer Restitution Fund Account; (ii) any other taxes, duties and similar charges imposed by a government authority (including any estimated taxes, interest or penalties) relating to the Consumer Restitution Fund that the Settlement Administrator determines are or will become due and owing, if any; and (iii) any and all expenses, liabilities and costs incurred in connection with the taxation of the Consumer Restitution Fund (including without limitation, expenses of tax attorneys and accountants).

“Unknown Claims” means any and all Released Claims that any Settlement Class Representative or Settlement Class Member does not know or suspect to exist in his or her favor as of the Effective Date and which, if known by him or her, might have affected his or her decision(s) with respect to the Settlement. With respect to any and all

CREATION AND TREATMENT OF THE CONSUMER RESTITUTION FUND

Equifax Inc. agrees to make a non-reversionary settlement payment of three hundred eighty million, five hundred thousand United States Dollars ($380,500,000) and deposit that settlement payment into the Consumer Restitution Fund Account as follows: (i) it shall deposit one hundred and fifty thousand United States Dollars ($150,000) into the Consumer Restitution Fund Account 5 Business Days after the date of this Agreement, to cover reasonable set-up costs of the Notice Provider; (ii) it shall deposit twenty-five million United States Dollars ($25,000,000) into the Consumer Restitution Fund Account 5 Business Days after the Court enters the Order Permitting Issuance of Notice of Class Action Settlement to cover reasonable Notice and Administrative Costs incurred prior to the Effective Date, and set-up costs for the Credit Monitoring and Restoration Services vendor; and (iii) it shall deposit the balance of the three hundred eighty million, five hundred thousand United States Dollars ($380,500,000) into the Consumer Restitution Fund Account within 10 Business Days after the Effective Date.

Additional Amounts for Out-of-Pocket Losses: In addition to the Consumer Restitution Fund, Equifax Inc. agrees to pay up to one hundred twenty-five million United States Dollars ($125,000,000) in additional amounts for valid Out-of-Pocket Losses submitted during both the Initial Claims Period and the Extended Claims Period in the event the Consumer Restitution Fund is exhausted. Additional amounts (up to $125,000,000) will be paid by Equifax Inc. as needed on a monthly basis within 14 Business Days after receipt of written notification from the Settlement Administrator that there are insufficient funds remaining in the Consumer Restitution Fund to pay valid Out-of-Pocket Losses. These amounts will be paid only on an as-needed basis and may not be used for any purpose other than paying valid Out-of-Pocket Losses once the Consumer Restitution Fund no longer has any available funds to pay such claims.

The Consumer Restitution Fund Account shall be an account established at a financial institution approved by Class Counsel and Defendants and, pursuant to Section 3.9, shall be maintained as a qualified settlement fund pursuant to Treasury Regulation § 1.468B-1, et seq .

No amounts may be withdrawn from the Consumer Restitution Fund Account unless (i) expressly authorized by this Agreement or (ii) approved by the Court. Class Counsel may authorize the payment of actual reasonable Administrative Costs and Notice Costs from the Consumer Restitution Fund Account without further order of the Court. The Settlement Administrator shall provide Class Counsel and Defendants with notice of any withdrawal or other payment the Settlement Administrator proposes to make from the Consumer Restitution Fund Account before the Effective Date at least 5 Business Days prior to making such withdrawal or payment.

The Settlement Administrator, subject to such supervision and direction of the Court and Class Counsel as may be necessary or as circumstances may require, shall administer and oversee distribution of the Consumer Restitution Fund to Settlement Class Members pursuant to this Agreement.

The Settlement Administrator and Class Counsel are responsible for communicating with Settlement Class Members regarding the distribution of the Consumer Restitution Fund and amounts paid under the Settlement.

All funds held in the Consumer Restitution Fund Account relating to the Settlement shall be deemed to be in the custody of the Court until such time as the funds shall be distributed to Settlement Class Members or otherwise disbursed pursuant to this Agreement or further order of the Court.

Any funds in the Consumer Restitution Fund Account in excess of two hundred fifty thousand United States Dollars ($250,000) shall be invested in short term United States Agency or Treasury Securities, repurchase agreements collateralized by such instruments, or a mutual fund invested solely in such instruments, and shall collect and reinvest all earnings accrued thereon. Any funds held in the Consumer Restitution Fund Account in an amount of less than $250,000 may be held in an interest-bearing account insured by the Federal Deposit Insurance Corporation (“FDIC”) or may be invested as funds in excess of $250,000 are invested. Funds may be placed in a non-interest-bearing account as may be reasonably necessary during the check clearing process.

The Parties agree that the Consumer Restitution Fund is intended to be maintained as a qualified settlement fund within the meaning of Treasury Regulation § 1.468B-1, and that the Settlement Administrator, within the meaning of Treasury Regulation § 1.468B-2(k)(3), shall be responsible for filing tax returns and any other tax reporting for or in respect of the Consumer Restitution Fund and paying from the Consumer Restitution Fund any Taxes owed with respect to the Consumer Restitution Fund. The Parties agree that the Consumer Restitution Fund shall be treated as a qualified settlement fund from the earliest date possible, and agree to any relation-back election required to treat the Consumer Restitution Fund as a qualified settlement fund from the earliest date possible.

All Taxes relating to the Consumer Restitution Fund shall be paid out of the Consumer Restitution Fund, shall be considered to be an Administrative Cost of the Settlement, and shall be timely paid by the Settlement Administrator without prior order of the Court. Further, the Consumer Restitution Fund shall indemnify and hold harmless the Parties and their counsel for Taxes (including, without limitation, taxes payable by reason of any such indemnification payments).

The Parties and their respective counsel have made no representation or warranty with respect to the tax treatment by any Settlement Class Representative or any Settlement Class Member of any payment or transfer made pursuant to this Agreement or derived from or made pursuant to the Consumer Restitution Fund.

Each Settlement Class Representative and Settlement Class Member shall be solely responsible for the federal, state and local tax consequences to him, her or it of the receipt of funds from the Consumer Restitution Fund pursuant to this Agreement.

RELIEF PROVIDED OUTSIDE OF THE CONSUMER RESTITUTION FUND

Business Practices Commitments.

Equifax will adopt, pay for, and implement, (or maintain where such Business Practices Commitments have been implemented) the Business Practices Commitments related to information security to safeguard Settlement Class Members’ “Personal Information” as defined and as set forth in Exhibit 2.

Equifax’s Business Practices Commitments will be memorialized in an order to be entered by the Court in connection with the Judgment and materially identical to the Proposed Consent Order attached as Exhibit 3 to this Agreement, and thereby will be subject to independent supervision and judicial enforcement.

From the Effective Date neither Equifax nor any of its Affiliates will use or seek to enforce any arbitration provision or class action waiver in any Equifax product or service that has been offered in response to the Data Breach as of the date of this Agreement, or that is otherwise provided by Equifax under this

Equifax will implement a program to provide prompt notice of any future breaches of consumer information consistent with the requirements of all federal and state regulations.

Plaintiffs through Class Counsel began negotiating a potential resolution of the Actions in September 2017, which included proposed business practices commitments, and the settlement process continued over approximately 18 months resulting in the Business Practices Commitments as described in Exhibit 2, which were finalized as part of the Parties’ binding term sheet executed on March 30, 2019.

Credit Freezes and Unfreezes . Separate from and in addition to the Consumer Restitution Fund, and notwithstanding any provision of law related to payment for placement and removal of credit freezes, all Settlement Class Members will be eligible to place and remove credit freezes on their Equifax Information Services, LLC (“EIS”) credit files, free of charge, enforceable under this Agreement for 10 years without filing a claim.

Continuation of Monitoring . Separate from and in addition to the Consumer Restitution Fund, Equifax has provided Settlement Class Members who enrolled in TrustedID Premier monitoring provided by Equifax following the Data Breach with an additional one year of credit monitoring services known as IDNotify to allow for continuity of these services.

PAYMENTS FROM THE CONSUMER RESTITUTION FUND

The Consumer Restitution Fund will be used to fund the consumer restitution and redress described in the Settlement provisions listed in Sections 6, 7.1, 7.2, 7.5, 9, 10, and 11. Equifax will separately pay all other costs of the Settlement.

To the extent the aggregate amounts required to fund the Settlement provisions listed in Sections 6 and 7.5 exceed the amount of the Consumer Restitution Fund (and, for Out-of-Pocket Losses, exceeds the amounts available in Section 3.2 providing for Additional Amounts for Out-of-Pocket Losses) remaining after distributions are made to fund the Settlement provisions listed in Sections 7.1, 7.2, 9, 10, and 11 at the end of the Initial Claims Period, the cash payments provided in these provisions shall be reduced on a pro rata basis, meaning cash payments shall be allocated based on each claimant’s proportional share of the remainder of the Consumer Restitution Fund.

Payment of Approved Out-of-Pocket Loss Claims During Extended Claims Period . Subject to the requirements of Section 8.1.2, approved Out-of-Pocket Loss claims filed during the Extended Claims Period will be paid in full from the Consumer Restitution Fund on a rolling basis in the order that such claims are received by the Settlement Administrator, up to an amount that exhausts the Consumer Restitution Fund, and, if applicable, the Additional Amounts for Out-of-Pocket Losses available in Section 3.2.

Use of Remaining Amounts in the Consumer Restitution Fund . Any remaining funds in the Consumer Restitution Fund after the payments described in Sections 6, 7.1, 7.2, 7.5, 9, 10, and 11, and after the conclusion of the Extended Claims Period and payment of approved Out-of-Pocket Loss claims filed during the Extended Claims Period, will be used as follows:

First, the caps in Sections 6.2.6 and 7.5 will be lifted (if applicable) and payments increased pro rata to Settlement Class Members with valid claims up to the full amount of the approved claim submitted under those Sections.

Second, if the payments described in Sections 5.4.1 do not exhaust the Consumer Restitution Fund, then any remaining funds shall be used to purchase up to 36 months of additional Restoration Services (purchased in full-month increments).

Third, if the payments described in Sections 5.4.1 and 5.4.2 do not exhaust the Consumer Restitution Fund, remaining amounts in the Consumer Restitution Fund will be used to purchase additional Credit Monitoring Services (purchased in monthly, weekly, or daily increments to exhaust any remaining funds) for those Settlement Class Members who have enrolled in such services under Section 7.1.

Use of Unclaimed Funds . Upon completion of the distributions identified in Sections 5.1 through 5.4, and after the Settlement Administrator completes its duties with respect to delivering settlement funds to Settlement Class Members with valid claims as set forth in Section 14.1.16, any remaining funds resulting from the failure of Settlement Class Members to timely negotiate a settlement check or to timely provide required tax information such that a settlement check could issue, shall be distributed to Settlement Class Members, or as otherwise ordered by the Court, for consumer restitution and redress but in no event shall any of the Consumer Restitution Fund revert to Equifax.

REIMBURSEMENT FOR OUT-OF-POCKET LOSSES

The Settlement Administrator will use the Consumer Restitution Fund to compensate those Settlement Class Members who submit valid claims for Out-of-Pocket Losses. Settlement Class Members will be subject to an aggregate claims cap of twenty thousand United States Dollars ($20,000) paid directly from the Consumer Restitution Fund regardless of the number of claims submitted by the Settlement Class Member during the Initial Claims Period and Extended Claims Period. This provision does not prevent Settlement Class Members from submitting claims under applicable insurance policies.

“Out-of-Pocket Losses” are verifiable unreimbursed costs or expenditures that a Settlement Class Member actually incurred and that are fairly traceable to the Data Breach. Out-of-Pocket Losses may include, without limitation, the following:

unreimbursed costs, expenses, losses or charges incurred as a result of identity theft or identity fraud, falsified tax returns, or other alleged misuse of a Settlement Class Member’s personal information;

costs incurred on or after September 7, 2017, associated with placing or removing a credit freeze on a Settlement Class Member’s credit file with any credit reporting agency;

other miscellaneous expenses incurred related to any Out-of-Pocket Loss such as notary, fax, postage, copying, mileage, and long-distance telephone charges;

credit monitoring costs that were incurred on or after September 7, 2017, through the date of the Settlement Class Member’s claim submission;

up to 25% reimbursement for costs incurred by a Settlement Class Member in connection with Equifax credit or identity monitoring subscription products in the 12 months preceding September 7, 2017;

subject to the provisions of Section 8.4 regarding Documented Time and Self-Certified Time and Section 8.1.2 regarding claims during the Extended Claims Period, up to 20 total hours for time spent taking Preventative Measures and time spent remedying fraud, identity theft, or other misuse of a Settlement Class Member’s personal information that is fairly traceable to the Data Breach at $25 per hour. Up to thirty-one million United States Dollars ($31,000,000) of the Consumer Restitution Fund will be used to compensate Settlement Class Members for time under this Section that is claimed during the Initial Claims Period. If the settlement payments for time claimed during the Initial Claims Period exceed this amount, then payments for time shall be distributed pro rata to those making valid claims for time during the Initial Claims Period. Approved claims for Documented Time and Self-Certified Time filed during the Extended Claims Period will be paid in

CREDIT MONITORING, RESTORATION SERVICES, AND ALTERNATIVE REIMBURSEMENT COMPENSATION

All Settlement Class Members will be eligible to claim and enroll in at least 4 years of Credit Monitoring Services, a description of which is set forth in Exhibit 4. These services will be provided by Experian, which will be appointed by the Court as the provider of Credit Monitoring Services and be subject to the Court’s jurisdiction for enforcement of the terms of this Settlement.

Minors: For Settlement Class Members who were under the age of 18 on May 13, 2017, during the period when a Settlement Class Member is under the age of 18 the monitoring made available will be the minor monitoring services provided by Experian as described in Exhibit 4.

All Settlement Class Members (regardless of whether the Settlement Class Member makes any claim under the Settlement) will also be able to access Restoration Services, a description of which is set forth in Exhibit 4. These services will be provided by Experian. The Restoration Services include access to a U.S. based call center providing services relating to identity theft, fraud and identity restoration for a period of 7 years.

Equifax represents and warrants that it is not an Affiliate of Experian and has no financial interest in Experian. Equifax will not receive any monetary or other financial consideration for the Credit Monitoring Services or Restoration Services made available under this Settlement. Equifax will provide its data necessary to carry out these services to Experian free of charge.

Settlement Class Members who elect to enroll in Credit Monitoring Services within the Initial Claims Period shall have the option to make a claim for One-Bureau Credit Monitoring Services at the same time they claim Credit Monitoring Services. The One-Bureau Credit Monitoring Services will be provided by Equifax for a period of no more than 6 years beginning after the date on which the Credit Monitoring Services described in Section 7.1 above (including any additional monthly increments provided pursuant to Section 5.4.3) expire. The aggregate term of the Credit Monitoring Services and the One-Bureau Credit Monitoring Services will equal 10 years. A description of the One Bureau Credit Monitoring Services is set forth in Exhibit 4. The cost of the One-Bureau Credit Monitoring Services will be paid separately by Equifax, not from the Consumer Restitution Fund.

Minors : For Settlement Class Members who were under the age of 18 on May 13, 2017, One-Bureau Credit Monitoring Services will be provided by Equifax for a period of no more than 14 years beginning after the date on which the Credit Monitoring Services described in Section 7.1 above expire. The aggregate term of the Credit Monitoring Services and the One Bureau Credit Monitoring Services will equal 18 years. During the period when a Settlement Class Member is under the age of 18, the monitoring made available will be the minor monitoring services provided by Equifax described in Exhibit 4.

Settlement Class Members who already have some form of credit monitoring or protection and do not claim the Credit Monitoring Services available under Section 7.1 may file a claim for Alternative Reimbursement Compensation of $125. The Settlement Class Member must identify the monitoring service and certify that he or she has some form of credit monitoring or protection as of the date the Settlement Class Member submits the claim and will have such credit monitoring in place for a minimum of six (6) months from the claim date. Settlement Class

Claims for Credit Monitoring Services and Alternative Reimbursement Compensation can be made only within the Initial Claims Period.

The Parties, Class Counsel, and Defendants’ Counsel shall not have any liability whatsoever with respect to any act or omission of Experian, or any of its respective designees or agents, in connection with its provision of Credit Monitoring Services or Restoration Services or the performance of its duties under this Agreement.

If, at the end of the Initial Claims Period, more than 7 million Settlement Class Members have enrolled in the Credit Monitoring Services, the following obligations apply:

If the total payments required under Sections 6, 7.2, 7.5, 9, and 10, plus the cost of providing the Credit Monitoring Services to 7 million Settlement Class Members (the “Costs”) are greater than or equal to Three Hundred Million Dollars ($300,000,000), Equifax Inc. shall pay into the Consumer Restitution Fund an amount equal to the cost of providing Credit Monitoring Services to enrollees above 7 million (the “Additional Credit Monitoring Cost”)

If the Costs are less than Two Hundred Fifty Six Million Five Hundred Thousand Dollars ($256,500,000) and the Additional Credit Monitoring Cost is greater than Forty Three Million Five Hundred Thousand Dollars ($43,500,000), Equifax Inc. shall pay into the Consumer Restitution Fund an amount equal to the Additional Credit Monitoring Cost less Forty Three Million Five Hundred Thousand Dollars ($43,500,000)

If (i) the Costs are greater than or equal to Two Hundred Fifty Six Million Five Hundred Thousand Dollars ($256,500,000), but less than Three Hundred Million Dollars ($300,000,000) and (ii) the Costs plus the Additional Credit Monitoring Costs are greater than or equal to Three Hundred Million Dollars ($300,000,000), Equifax Inc. shall pay into the Consumer Restitution Fund an amount equal to the Costs plus Additional Credit Monitoring Costs less Three Hundred Million Dollars ($300,000,000).

If, during the Extended Claims Period, more than 7 million Settlement Class Members have enrolled in Credit Monitoring Services and either (i) the Costs are greater than or equal to Two Hundred Fifty Six Million Five Hundred Thousand Dollars ($256,500,000) or (ii) the Additional Credit Monitoring Costs are greater than Forty Three Million Five Hundred Thousand Dollars ($43,500,000) then, at least on a monthly basis, Equifax Inc. shall recalculate its obligations under Sections 7.8.1 through 7.8.3, and shall deposit any additional money into the Consumer Restitution Fund that would be required, less any amounts previously deposited pursuant to Sections 7.8.1 through 7.8.3, or previously under this Section.

CLAIMS PERIODS AND PROCESS

Claims Periods . There will be two claims periods: the Initial Claims Period and the Extended Claims Period.

The Initial Claims Period will run for 6 months after the Order Permitting Issuance of Notice of Class Action Settlement.

The Extended Claims Period will run for 4 years after the conclusion of the Initial Claims Period. During the Extended Claims Period, Settlement Class Members can seek reimbursement for valid Out-of-Pocket Losses (excluding losses of money and time associated with Preventative Measures) incurred during the Extended Claims Period only if the Settlement Class Member provides a certification that he or she has not obtained reimbursement for the claimed expense through other means.

Claims Process . Settlement Class Members may submit Claim Forms to the Settlement Administrator electronically through the Settlement Website or physically by mail to the Settlement Administrator. Claim Forms must be submitted electronically or postmarked during the Initial Claims Period, or, where applicable, during the Extended Claims Period. Where applicable, the Settlement Administrator shall apply the Claims Administration Protocol, attached as Exhibit 9.

Claims for Reimbursement for Out-of-Pocket Losses under Section 6 . The Settlement Administrator shall verify that each person who submits a Claim Form is a Settlement Class Member and shall be responsible for evaluating claims and making a determination as to whether claimed Out-of-Pocket Losses are valid and fairly traceable to the Data Breach. Settlement Class Members with Out-of-Pocket Losses must submit Reasonable Documentation supporting their claims, except no documentation is required for claims for reimbursement for Equifax subscription products as provided in Section 6.2.5. As used herein, “Reasonable Documentation” means documentation supporting a claim, including but not limited to: credit card statements, bank statements, invoices, telephone records, and receipts. Except as expressly provided herein, personal certifications, declarations, or affidavits from the claimant do not constitute Reasonable Documentation but may be included to provide clarification, context or support for other submitted Reasonable Documentation.

In assessing what qualifies as “fairly traceable,” the Parties agree to instruct the Settlement Administrator to consider (i) the timing of the loss, including whether the loss occurred on or after May 13, 2017, through the date of the Class Member’s claim submission; (ii) whether the loss involved the possible misuse of the type of personal information accessed in the Data Breach (i.e., name, address, birth date, Social Security Number, driver’s license number, payment card information); (iii) whether the personal information accessed in the Data Breach that is related to the Class Member is of the type that was possibly misused; (iv) the Class Member’s explanation as to how the loss is fairly traceable to the Data Breach; (v) the nature of the loss, including whether the loss was reasonably incurred as a result of the Data Breach; and (vi) any other factor that the Settlement Administrator considers to be relevant. The Settlement Administrator shall have the sole discretion and authority to determine whether claimed Out-of-Pocket Losses are valid and fairly traceable to the Data Breach.

Out-of-Pocket Losses associated with placing or removing credit freezes on credit files (Section 6.2.2.) and purchasing credit monitoring services (Section 6.2.4) (“Preventative Measures”), shall be deemed fairly traceable to the Data Breach if (i) they were incurred on or after September 7, 2017, through the date of the Settlement Class Member’s claim submission, and (ii) the claimant certifies that they incurred such Out-of-Pocket Losses as a result of the Data Breach and not as a result of any other compromise of the Settlement Class Member’s information.

Claims for Time . Settlement Class Members who spent time remedying fraud, identity theft, or other alleged misuse of the Settlement Class Member’s personal information fairly traceable to the Data Breach, or subject to Section 8.1.2, Settlement Class Members who spent time on Preventative Measures fairly traceable to the Data Breach, can receive reimbursement for such time expenditures subject to the following provisions.

Documented Time . Settlement Class Members with (i) Reasonable Documentation of fraud, identity theft, or other alleged misuse of the Settlement Class Member’s personal information fairly traceable to the Data Breach and (ii) time spent remedying these issues, or time spent taking Preventative Measures, may submit a claim for up to 20 hours of such time to be compensated at $25 per hour. This documentation may overlap with documents submitted to support other Out-of-Pocket Losses. In the event the Settlement Administrator does not approve a claim for Documented Time, that claim shall be treated as a claim for Self-Certified Time and be subject to the provisions of Section 8.4.2.

Self-Certified Time . Settlement Class Members who attest (i) to fraud, identity theft, or other alleged misuse of the Settlement Class Member’s personal information fairly traceable to the Data Breach, or Preventative Measures, and (ii) that they spent time remedying such misuse or taking Preventative Measures, but who cannot provide Reasonable Documentation of such issues may self-certify the amount of time they spent remedying the foregoing by providing a certified explanation of the misuse or Preventative Measures taken and how the time claimed was spent remedying the misuse or taking Preventative Measures. Settlement Class Members may file a claim for Self-Certified Time for up to 10 hours at $25 per hour.

Time Increments . Valid claims for both Documented Time and Self-Certified Time will be reimbursed in 15-minute increments, with a minimum reimbursement of 1-hour per valid Out-of-Pocket Loss claim for time.

Disputes and Appeals.

To the extent the Settlement Administrator determines a claim for Out-of-Pocket Losses, Alternative Reimbursement Compensation, or Credit Monitoring Services is deficient in whole or part, within 14 days after making such a determination, the Settlement Administrator shall notify the Settlement Class Member in writing (including by e-mail where the Settlement Class Member selects e-mail as his or her

If a Settlement Class Member disputes a determination in writing (including by e-mail where the Settlement Class Member selects e-mail as his or her preferred method of communication) and requests an appeal, the Settlement Administrator shall provide Class Counsel and Defendants’ Counsel a copy of the Settlement Class Member’s dispute and Claim Form along with all documentation or other information submitted by the Settlement Class Member. Class Counsel and Defendants’ Counsel will confer regarding the claim submission, and their agreement on approval of the Settlement Class Member’s claim, in whole or part, will be final. If Class Counsel and Defendants’ Counsel cannot agree on approval of the Settlement Class Member’s claim, in whole or part, the dispute will be submitted to a mutually-agreeable neutral third-party who will serve as the claims referee. If no agreement is reached on selection of the claims referee, the Parties will submit proposals to the Court. The Court will have final, non-appealable decision-making authority over designating the claims referee. The claims referee’s decision will be final and not subject to appeal or further review.

ADMINISTRATIVE COSTS AND NOTICE COSTS

The Administrative Costs and Notice Costs will be paid from the Consumer Restitution Fund. However, if the amount of Notice Costs exceeds more than a specified dollar amount, as agreed to by the Parties and submitted to the Court for in camera review, either of the Parties may terminate this Agreement.

SERVICE AWARDS

Settlement Class Representatives and Class Counsel may seek Service Awards for the Settlement Class Representatives. Any requests for such awards must be filed at least 21 days before the Objection Deadline. Equifax agrees not to oppose requests for such Service Awards to the extent they do not exceed two thousand five hundred United States Dollars ($2,500) per Settlement Class Representative.

The Settlement Administrator shall pay the Service Awards approved by the Court to the Settlement Class Representatives from the Consumer Restitution Fund, which shall not exceed two hundred and fifty thousand United States Dollars ($250,000) of the Consumer Restitution Fund. Such Service Awards shall be paid in the amount approved by the Court within 10 Business Days of the Effective Date.

In the event the Court declines to approve, in whole or in part, the payment of the Service Awards in the amounts requested, the remaining provisions of this Agreement shall remain in full force and effect. No decision by the Court, or modification or reversal or appeal of any decision by the Court, concerning the amount of Service Awards shall constitute grounds for cancellation or termination of this Agreement.

ATTORNEYS’ FEES AND EXPENSES

Plaintiffs, through Class Counsel, will request up to $77,500,000 of the Consumer Restitution Fund (representing 25% of the Settlement Fund negotiated as part of the March 30, 2019, term sheet) to pay reasonable

The Settlement Administrator shall pay the attorneys’ fees, costs, and expenses awarded by the Court, plus any interest accrued on the amount of the approved attorneys’ fees, to Class Counsel from the Consumer Restitution Fund. Such attorneys’ fees, costs, and expenses shall be paid in the amount approved by the Court within 10 Business Days of the Effective Date.

Defendants shall have no responsibility for, interest in, or liability whatsoever with respect to any payment or allocation of attorneys’ fees, costs, and expenses to or made by Class Counsel under this Agreement.

The finality or effectiveness of the Settlement will not be dependent on the Court awarding Class Counsel any particular amount of attorneys’ fees and costs. In the event the Court declines to approve, in whole or in part, the payment of the attorneys’ fees, costs, or expenses in the amounts requested, the remaining provisions of this Agreement shall remain in full force and effect. No decision by the Court, or modification or reversal or appeal of any decision by the Court, concerning the amount of attorneys’ fees, costs, and expenses shall constitute grounds for cancellation or termination of this Agreement.

PRESENTATION TO THE COURT

On or after July 15, 2019, Settlement Class Representatives and Class Counsel will file this Agreement and Exhibits, along with a motion for Order Permitting Issuance of Notice of Class Action Settlement pursuant to the requirements of Federal Rule of Civil Procedure 23(e)(1).

Class Counsel shall apply to the Court for entry of the Order Permitting Issuance of Notice of Class Action Settlement attached hereto as Exhibit 5.

CLASS NOTICE, OPT-OUTS, OBJECTIONS, AND CAFA NOTICE

Notice shall not be distributed or disseminated until after the Court enters the Order Permitting Issuance of Notice of Class Action Settlement.

The Notice Provider is responsible for distributing and disseminating the Notice in accordance with the Notice Plan, Exhibit 6 hereto.    

Defendants shall provide the Settlement Administrator with the names, last known mailing address, date of birth, and last known e-mail addresses of Settlement Class Members to the extent reasonably available, no later than 5 Business Days after the date on which the Court enters the Order Permitting Issuance of Notice of Class Action Settlement. To the extent that Equifax has reasonably available names or other identifying information about Settlement Class Members, but not mailing or email addresses, those names and other identifying information shall also be provided to the Settlement Administrator for use in verifying the identity of Settlement Class Members. The Notice Provider and Settlement Administrator shall make all necessary efforts to ensure the security and privacy of Settlement Class Member information.

Class Counsel shall provide the Settlement Administrator with the names, last known mailing address, and last known email addresses of Settlement Class Representatives and any other putative class member who has reported updated address information to Class Counsel, no later than 5 Business Days after the date on which the Court enters the Order Permitting Issuance of Notice of Class Action Settlement.

The Notice shall explain the procedure for Settlement Class Members to opt-out and exclude themselves from the Settlement Class by notifying the Settlement Administrator in writing, postmarked no later than 60 days after the Notice Date (the “Opt-Out Deadline”). Each written request for exclusion must set forth the name of the individual seeking exclusion, be signed by the individual seeking exclusion, and can only request exclusion for that one individual.

The Notice shall explain the procedure for Settlement Class Members to object to the Settlement by submitting written objections to the Court no later than 60 days after the Notice Date (the “Objection Deadline”). The written objection must include the objector’s name, address, personal signature, a statement of the specific grounds for the objection, a statement indicating the basis for the objector’s belief that he or she is a member of the Settlement Class, a statement of whether the objection applies only to the objector, to a specific subset of the Settlement Class, or to the entire Settlement Class, a statement identifying all class action settlements objected to by the Settlement Class Member in the previous 5 years, a statement whether the objector intends to appear at the Fairness Hearing, either in person or through counsel, and if through counsel, identifying counsel by name, address, and telephone number, and four dates between the Objection Deadline and a date two weeks before Fairness Hearing, during which the Settlement Class Member is available to be deposed by counsel for the Parties. In addition to the foregoing, if the Settlement Class Member is represented by counsel and such counsel intends to speak at the Fairness Hearing, the written objection must include a detailed statement of the specific legal and factual basis for each and every objection and a detailed description of any and all evidence the objecting Settlement Class Member may offer at the Fairness Hearing, including copies of any and all exhibits that the objecting Settlement Class Member may introduce at the Fairness Hearing. In addition to the foregoing, if the Settlement Class Member is represented by counsel, and such counsel intends to seek compensation for his or her services from anyone other than the Settlement Class Member, the objection shall contain the following information: (a) the identity of all counsel who represent the objector, including any former or current counsel who may be entitled to compensation for any reason related to the objection; (b) a statement identifying all instances in which the counsel or the counsel’s law firm have objected to a class action settlement within the preceding 5 years, giving the style and court in which the class action settlement was filed; (c) a statement identifying any and all agreements that relate to the objection or the process of objecting—whether written or oral—between

The Notice will also state that any Settlement Class Member who does not file a timely and adequate notice of intent in accordance with this Section waives the right to object or to be heard at the Fairness Hearing and shall be forever barred from making any objection to the Settlement.

Equifax will serve the notice required by the Class Action Fairness Act of 2005, 28 U.S.C. § 1715, no later than 10 days after this Agreement is filed with the Court.

DUTIES OF SETTLEMENT ADMINISTRATOR

The Settlement Administrator shall perform the functions as are specified in this Agreement and its Exhibits, including, but not limited to, overseeing administration of the Consumer Restitution Fund; operating the Settlement Website and a toll-free number; administering the claims processes; and distributing the Settlement benefits described herein. These functions may need to be performed in conjunction with the Notice Provider, as described herein. In addition to other responsibilities that are described in this Agreement, the duties of the Settlement Administrator include:

Reviewing, determining the validity of, and processing all claims submitted by Settlement Class Members;

Establishing a reasonably practical procedure, using information obtained from Equifax pursuant to Section 13.3, to verify that claimants are Settlement Class Members.

Establishing and maintaining a post office box for mailed 29 written objections and notifications of exclusion from the Settlement Class;

Establishing and maintaining the Settlement Website that, among other things, allows Settlement Class Members to submit Claims Forms electronically;

Responding to Settlement Class Member inquiries via U.S. mail, e-mail, and telephone;

Establishing and maintaining a toll-free telephone line for Settlement Class Members to call with Settlement-related inquiries, and answering the questions of Settlement Class Members who call with or otherwise communicate such inquiries;

Mailing to Settlement Class Members who request it paper copies of the Notice and Claim Forms;

Reviewing, determining the validity of, and processing all claims submitted by Settlement Class Members, pursuant to Section 8;

Paying Taxes;

Processing all objections and requests for exclusion from the Settlement Class;

Coordinating with Experian to receive and send activation codes for Credit Monitoring Services no later than 45 days after the Effective Date or the conclusion of the Initial Claims Period, whichever is later;

Receiving requests for exclusion and objections from Settlement Class Members and promptly providing copies thereof to Class Counsel and Defendants’ Counsel. If the Settlement Administrator receives any requests for exclusion, objections, or other requests from Settlement Class Members after the Opt-Out and Objection Deadlines, the Settlement Administrator shall promptly provide copies thereof to Class Counsel and Defendants’ Counsel;

Providing, no later than 5 Business Days after the Opt-Out and Objection Deadlines, a final report to Class Counsel and Defendants’ Counsel that summarizes the number of written requests for exclusion, objections, and other pertinent information as requested by Class Counsel or Defendants’ Counsel;

Providing weekly reports and a final report to Class Counsel and Defendants’ Counsel that summarize the number of Claims since the prior reporting period, the total number of Claims received to date, the number of any Claims approved and denied since the prior reporting period, the total number of Claims approved and denied to date, and other pertinent information as requested by Class Counsel or Defendants’ Counsel. The Settlement Administrator shall also, as requested by Class Counsel or Defendants’ Counsel and from time to time, provide information about the amounts remaining in the Consumer Restitution Fund;

Making available for inspection by Class Counsel and Defendants’ Counsel the Claim Forms and any supporting documentation received by the Settlement Administrator at any time upon reasonable notice;

After the Effective Date, processing and transmitting distributions to Settlement Class Members;

In advance of the Fairness Hearing, preparing an affidavit to submit to the Court that: (i) provides pertinent information relating to the claims process as requested by Class Counsel; and (ii) identifies each Settlement Class Member who timely and properly provided written notification of exclusion from the Settlement Class; and

Performing any function at the agreed-upon instruction of both Class Counsel and Defendants’ Counsel, including, but not limited to, verifying that cash payments have been distributed in accordance with Section 5.

The Parties, Class Counsel, and Defendants’ Counsel shall not have any liability whatsoever with respect to (i) any act, omission or determination of the Settlement Administrator, or any of its respective designees or agents, in connection with the administration of the Settlement or otherwise; (ii) the management, investment or distribution of the Consumer Restitution Fund; (iii) the formulation, design or terms of the disbursement of the Consumer Restitution Fund; (iv) the determination, administration, calculation or payment of any claims asserted against the Consumer Restitution Fund; (v) any losses suffered by or fluctuations in the value of the Consumer Restitution Fund; or (vi) the payment or withholding of any Taxes, expenses or costs incurred in connection with the taxation of the Consumer Restitution Fund or the filing of any returns.

The Settlement Administrator shall indemnify and hold harmless the Parties, Class Counsel, and Defendants’ Counsel for (i) any act or omission or determination of the Settlement Administrator, or any of Settlement Administrator’s designees or agents, in connection with the administration of the Settlement; (ii) the management, investment or distribution of the Consumer Restitution Fund; (iii) the formulation, design or terms of the disbursement of the Consumer Restitution Fund; (iv) the determination, administration, calculation or payment of any claims asserted against the Consumer Restitution Fund; (v) any losses suffered by, or fluctuations in the value of the Consumer Restitution Fund; or (vi) the payment or withholding of any Taxes, expenses, or costs incurred in connection with the taxation of the Consumer Restitution Fund or the filing of any returns.

DUTIES OF NOTICE PROVIDER

The Notice Provider shall perform the functions as are specified in this Agreement and its Exhibits, including, but not limited to implementing the Notice Plan attached hereto as Exhibit 6, using the methods and forms of Notice approved by the Court. In addition to other responsibilities that are described in this Agreement and the Notice Plan, the duties of the Notice Provider include:

Coordinating with the Settlement Administrator, Class Counsel, and Defendants’ Counsel to effectuate this Agreement.

Assisting the Settlement Administrator in creating and maintaining the Settlement Website.

Reporting to the Parties and the Court regarding the status and effectiveness of the Notice Plan.

The Parties, Class Counsel, and Defendants’ Counsel shall not have any liability whatsoever with respect to any act or omission of the Notice Provider, or any of its respective designees or agents, in connection with its implementation of the Notice Plan and performance of its duties under this Agreement.

The Notice Provider shall indemnify and hold harmless the Parties, Class Counsel, and Defendants’ Counsel for any liability arising from the Notice Provider’s implementation of the Notice Plan and performance of its duties under this Agreement.

RELEASE

As of the Effective Date, all Settlement Class Members and all Settlement Class Representatives, on behalf of themselves, their heirs, assigns, executors, administrators, predecessors, and Successors, and any other person purporting to claim on their behalf, hereby expressly, generally, absolutely and unconditionally release and discharge any and all Released Claims against Equifax and its current, former, and future Affiliates, Parents, Subsidiaries, representatives, officers, agents, directors, employees, insurers, Successors, assigns, and attorneys, except for claims relating to the enforcement of the Settlement or this Agreement.

As of the Effective Date, Equifax and its representatives, officers, agents, directors, Affiliates, Successors, Subsidiaries, Parents, employees, insurers, and attorneys absolutely and unconditionally release and discharge Settlement Class Members, Settlement Class Representatives, and Class Counsel from any claims that arise out of or relate in any way to the institution, prosecution, or settlement of the claims against Defendants, except for claims relating to the enforcement of the Settlement or this Agreement, and for the submission of false or fraudulent claims for Settlement benefits.

The Parties understand that if the facts upon which this Agreement is based are found hereafter to be different from the facts now believed to be true, each Party expressly assumes the risk of such possible difference in facts, and agrees that this Agreement, including the releases contained herein, shall remain effective notwithstanding such difference in facts. The Parties agree that in entering this Agreement, it is understood and agreed that each Party relies wholly upon its own judgment, belief, and knowledge and that each Party does not rely on inducements, promises, or representations made by anyone other than those embodied herein.

Notwithstanding any other provision of this Agreement (including, without limitation, this Section), nothing in this Agreement shall be deemed to in any way impair, limit, or preclude the Parties’ rights to enforce any provision of this Agreement, or any court order implementing this Agreement, in a manner consistent with the terms of this Agreement.

EFFECTIVE DATE AND TERMINATION

The Effective Date of the Settlement shall be the first Business Day after all of the following conditions have occurred:

Defendants and Class Counsel execute this Agreement;

The Court enters the Order Permitting Issuance of Notice of Class Action Settlement, without material change to the Parties’ agreed-upon proposed order attached hereto as Exhibit 5;

Notice is provided to the Settlement Class consistent with the Order Permitting Issuance of Notice of Class Action Settlement;

The Court enters the Final Approval Order and Judgment; and

The Final Approval Order and Judgment has become final because (i) the time for appeal, petition, rehearing or other review has expired, or (ii) if any appeal, petition, request for rehearing or other review has been filed, the Final Approval Order and Judgment is affirmed without material change or the appeal is dismissed or otherwise disposed of, no other appeal, petition, rehearing or other review is pending, and the time for further appeals, petitions, requests for rehearing or other review has expired.

In the event that the Court declines to enter the Order Permitting Issuance of Notice of Class Action Settlement as specified in Section 17.1.2, declines to enter the Final Approval Order and Judgment in substantially similar form as submitted by the Parties, or the Final Approval Order and Judgment does not become final as specified in Section 17.1.5, the Parties shall have 60 days during which the Parties shall work together in good faith in considering, drafting, and submitting reasonable modifications to this Agreement to address any issues with the Settlement identified by the Court or that otherwise caused the Final Approval Order and Judgment not to become final. If such efforts are unsuccessful or the Court declines to approve the revised Settlement, Defendants and Plaintiffs may at their sole discretion terminate this Agreement on 5 Business Days written notice to Class Counsel or Defendants, respectively. For avoidance of doubt, neither Defendants nor Plaintiffs may terminate the Agreement while an appeal from an order granting approval of the Settlement is pending.

Defendants also may at their sole discretion terminate this Agreement on 5 Business Days written notice to Class Counsel if more than a specified number of individuals submit valid requests to exclude themselves from the Settlement Class, as agreed to by the Parties and submitted to the Court for in camera review .

In the event this Agreement is terminated pursuant to Sections 17.2 or 17.3, the Settlement Administrator, within 10 Business Days of receiving written notification of such event from counsel for Defendants, shall pay to Defendants an amount equal to the Consumer Restitution Fund together with any interest or other income earned thereon, less (i) any Taxes paid or due with respect to such income, (ii) any reasonable Administrative Costs or Notice Costs actually incurred and paid or payable from the Consumer Restitution Fund as authorized in this Agreement.

Except as otherwise provided herein, in the event this Agreement is terminated, the Parties to this Agreement, including Settlement Class Members, shall be deemed to have reverted to their respective status in the Actions immediately prior to the execution of this Agreement and, except as otherwise expressly provided, the Parties shall proceed in all respects as if this Agreement and any related orders had not been entered. In addition, the Parties agree that in the event this Agreement is terminated:

Any Court orders approving certification of the Settlement Class and any other orders entered pursuant to this Agreement shall be deemed null and void and vacated and shall not be used in or cited by any person or entity in support of claims or defenses or in support or in opposition to a class certification motion; and

This Agreement shall become null and void, and the fact of this Settlement and that Defendants did not oppose certification of any class under this Settlement, shall not be used or cited by any person or entity, including in any contested proceeding relating to certification of any proposed class.

NO ADMISSION OF WRONGDOING

This Agreement, whether or not consummated, any communications and negotiations relating to this Agreement or the Settlement, and any proceedings taken pursuant to this Agreement:

Shall not be offered or received against any Defendant as evidence of or construed as or deemed to be evidence of any presumption, concession, or admission by any Defendant with respect to the truth of any fact alleged by any Plaintiff or the validity of any claim that has been or could have been asserted in the Actions or in any litigation, or the deficiency of any defense that has been or could have been asserted in the Actions or in any litigation, or of any liability, negligence, fault, breach of duty, or wrongdoing of any Defendant;

Shall not be offered or received against any Defendant as evidence of a presumption, concession or admission of any fault, misrepresentation or omission with respect to any statement or written document approved or made by any Defendant;

Shall not be offered or received against any Defendant as evidence of a presumption, concession or admission with respect to any liability, negligence, fault, breach of duty, or wrongdoing, or in any way referred to for any other reason as against any Defendant, in any other civil, criminal or administrative action or proceeding, other than such proceedings as may be necessary to effectuate the provisions of this Agreement; provided, however, that if this Agreement is approved by the Court, the Parties may refer to it to effectuate the liability protection granted them hereunder;

Shall not be construed against any Defendant as an admission or concession that the consideration to be given hereunder represents the amount that could be or would have been recovered after trial; and

Shall not be construed as or received in evidence as an admission, concession or presumption against any Settlement Class Representative or any Settlement Class Member that any of their claims are without merit, or that any defenses asserted by any Defendants have any merit, or that damages recoverable under the Actions would not have exceeded the Consumer Restitution Fund, provided, however, that if this Agreement is approved by the Court, the Defendants may refer to it to enforce the release of claims granted to them hereunder.

REPRESENTATIONS

Each Party represents that (i) such Party has full legal right, power and authority to enter into and perform this Agreement, subject to Court approval, (ii) the execution and delivery of this Agreement by such Party and the consummation by such Party of the transactions contemplated by this Agreement have been duly authorized by such Party, (iii) this Agreement constitutes a valid, binding and enforceable agreement, and (iv) no consent or approval of any person or entity is necessary for such Party to enter into this Agreement.

NOTICES

All notices to Class Counsel provided for in this Agreement shall be sent by e-mail and First Class mail to the following:

All notices to Defendants or counsel to Defendants provided for in this Agreement shall be sent by e-mail and First Class mail to the following:

All notices to the Settlement Administrator provided for in this Agreement shall be sent by e-mail and First Class mail to the following:

The notice recipients and addresses designated in this Section may be changed by written notice posted to the Settlement Website.

MISCELLANEOUS PROVISIONS

Further Steps . The Parties agree that they each shall undertake any required steps to effectuate the purposes and intent of this Agreement.

Representation by Counsel . The Settlement Class Representatives and Defendants represent and warrant that they have been represented by, and have consulted with, the counsel of their choice regarding the provisions, obligations, rights, risks, and legal effects of this Agreement and have been given the opportunity to review independently this Agreement with such legal counsel and agree to the particular language of the provisions herein.

Contact with Settlement Class Members . The Parties agree that Class Counsel may communicate with Settlement Class Members regarding the Settlement, and Equifax shall not otherwise interfere with such communications.

Contractual Agreement . The Parties understand and agree that all terms of this Agreement, including the Exhibits hereto, are contractual and are not a mere recital, and each signatory warrants that he or she is competent and possesses the full and complete authority to execute and covenant to this Agreement on behalf of the Party that he or she represents.

Integration . This Agreement constitutes the entire agreement among the Parties and no representations, warranties or inducements have been made to any Party concerning this Agreement other than the representations, warranties and covenants contained and memorialized herein.

Drafting . The Parties agree that no single Party shall be deemed to have drafted this Agreement, or any portion thereof, for purpose of the invocation of the doctrine of contra proferentem. This Agreement is a collaborative effort of the Parties and their attorneys.

Modification or Amendment . This Agreement may not be modified or amended, nor may any of its provisions be waived, except by a writing signed by the Parties who executed this Agreement or their successors-in-interest.

Waiver . The failure of a Party hereto to insist upon strict performance of any provision of this Agreement shall not be deemed a waiver of such Party’s rights or remedies or a waiver by such Party of any default by another Party in the performance or compliance of any of the terms of this Agreement. In addition, the waiver by one Party of any breach of this Agreement by any other Party shall not be deemed a waiver of any other prior or subsequent breach of this Agreement.

Severability . Should any part, term or provision of this Agreement be declared or determined by any court or tribunal to be illegal or invalid, the Parties agree that the Court may modify such provision to the extent necessary to make it valid, legal and enforceable. In any event, such provision shall be separable and shall not limit or affect the validity, legality or enforceability of any other provision hereunder.

Successors . This Agreement shall be binding upon and inure to the benefit of the heirs, Successors and assigns of the Parties thereto.

Survival . The Parties agree that the terms set forth in this Agreement shall survive the signing of this Agreement.

Governing Law . All terms and conditions of this Agreement shall be governed by and interpreted according to the laws of the State of Georgia, without reference to its conflict of law provisions, except to the extent the federal law of the United States requires that federal law governs.

Interpretation .

Definitions apply to the singular and plural forms of each term defined.

Definitions apply to the masculine, feminine, and neuter genders of each term defined.

Whenever the words “include,” “includes” or “including” are used in this Agreement, they shall not be limiting but rather shall be deemed to be followed by the words “without limitation.”

No Precedential Value . The Parties agree and acknowledge that this Agreement carries no precedential value.

Fair & Reasonable . The Parties and their counsel believe this Agreement is a fair and reasonable compromise of the disputed claims, in the best interest of the Parties, and have arrived at this Agreement as a result of extensive arms-length negotiations.

Retention of Jurisdiction . The administration and consummation of the Settlement as embodied in this Agreement shall be under the authority of the Court, and the Court shall retain jurisdiction over the Settlement and the Parties for the purpose of enforcing the terms of this Agreement.

Headings . Any headings contained herein are for informational purposes only and do not constitute a substantive part of this Agreement. In the event of a dispute concerning the terms and conditions of this Agreement, the headings shall be disregarded.

Exhibits . The Exhibits to this Agreement are expressly incorporated by reference and made part of the terms and conditions set forth herein.

Counterparts . This Agreement may be executed in one or more counterparts. All executed counterparts and each of them shall be deemed to be one and the same instrument provided that counsel for the Parties to this Agreement shall exchange among themselves original signed counterparts.

Facsimile and Electronic Mail . Transmission of a signed Agreement by facsimile or electronic mail shall constitute receipt of an original signed Agreement by mail.

Name: John J. Kelley III

Name: John J. Kelley III

Name: John J. Kelley III

/s/ Roy E. Barnes

/s/ Kenneth S. Canfield

/s/ Amy E. Keller

/s/ Norman E. Siegel

The Complaint charges that Defendant engaged in acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45, and the Standards for Safeguarding Customer Information Rule (“Safeguards Rule”), 16 C.F.R. Part 314, issued pursuant to Sections 501(b) and 505(b)(2) of the Gramm-Leach-Bliley Act (“GLB Act”), and 15 U.S.C. §§ 6801(b) and 6805(6b)(2), by failing to reasonably secure sensitive consumer personal information in Defendant’s networks and computer systems.

Defendant neither admits nor denies any of the allegations in the Complaint, except as specifically stated in this Order. Only for purposes of this action, Defendant admits the facts necessary to establish jurisdiction.

Defendant waives any claim that it may have under the Equal Access to Justice Act, 28 U.S.C. § 2412, concerning the prosecution of this action through the date of this Order, and agrees to bear its own costs and attorneys’ fees.

Defendant and the Commission waive all rights to appeal or otherwise challenge or contest the validity of this Order.

“ Affected Consumer ” means the approximately One Hundred Forty Seven Million (147,000,000) U.S. consumers whom Defendant has identified whose Personal Information was accessed without authorization as a result of the Breach.

“ Alternative Reimbursement Compensation ” means compensation for any Affected Consumer who does not make a claim to enroll in the Product, and instead, has or has concurrent with their claim obtained a credit monitoring or protection product.

“ Assisted Identity Restoration Services ” means the identity restoration services, as set forth in Section IX and described in Exhibit A, offered to all Affected Consumers who have or may have experienced identity theft or fraud.

“ Breach ” means the information security incident publicly disclosed by Defendant on or about September 7, 2017.

“ Claims Administration Protocol ” means the protocol that has been approved by a representative of the Commission and which will be submitted to and approved by the MDL Court, to implement the claims administration and Settlement process in the Multi-District Litigation.

“ Claims Forms ” are the forms that have been approved by a representative of the Commission and which will be submitted to and approved by the MDL Court, that Affected Consumers submit to the Settlement Administrator in paper or via the Settlement Website to make claims for Out-of-Pocket Losses, Alternative Reimbursement Compensation, the Product, and Single-Bureau Monitoring.

“ Class  Action Effective Date ” means the first business day after the MDL Court enters final approval of the Settlement, and either:

the time for appeal, petition, rehearing or other review has expired, or

if one or more appeals, petitions, requests for rehearing or other reviews are filed regarding any issue with the Settlement, when

the final approval order and judgment is affirmed without material change and the time for further appeals, petitions, requests for rehearing or other reviews has expired, or

all appeals, petitions, rehearings, or other reviews are dismissed or otherwise disposed of and the time for further appeals, petitions, requests for rehearing or other review has expired.

“ Clear(ly) and Conspicuous(ly) ” means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers, including in all of the following ways:

In any communication that is solely visual or solely audible, the disclosure must be made through the same means through which the communication is presented. In any communication made through both visual and audible means, such as a television advertisement, the disclosure must be presented simultaneously in both the visual and audible portions of the communication even if the representation requiring the disclosure (“Triggering Representation”) is made in only one means.

A visual disclosure, by its size, contrast, location, the length of time it appears, and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.

An audible disclosure, including by telephone or streaming video, must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it.

In any communication using an interactive electronic medium, such as the Internet or software, the disclosure must be unavoidable.

The disclosure must use diction and syntax understandable to ordinary consumers and must appear in a language in which the Triggering Representation appears.

The disclosure must comply with these requirements in each medium through which it is received, including all electronic devices and face-to-face communications.

The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication.

When the representation or sales practice targets a specific audience, such as children, the elderly, or the terminally ill, “ordinary consumers” includes reasonable members of that group.

“ Consumer Fund ” means the account established to provide restitution and redress to Affected Consumers as described in Sections VIII, IX and X, and which will be overseen by the MDL Court and which represents an undifferentiated portion of the consumer restitution fund as defined in the Settlement.

“ Consumer Report ” has the meaning provided in the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et seq. , and any amendments thereto. As of the date of entry of this Order, “Consumer Report” is defined under the FCRA as any written, oral, or other communication of any information by a Consumer Reporting Agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for:

credit or insurance to be used primarily for personal, family, or household purposes;

employment purposes; or

any other purpose authorized under FCRA Section 604, 15 U.S.C. § 1681b.

“ Consumer Reporting Agency ” has the meaning provided in the FCRA, 15 U.S.C. § 1681 et seq. , and any amendments thereto. As of the date of entry of this Order, “Consumer Reporting Agency” is defined under the FCRA as any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing Consumer Reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing Consumer Reports.

“ Covered Incident ” means any instance in which any U.S. federal, state, or local law or regulation requires Defendant to notify any U.S. federal, state, or local government entity that Personal Information collected or received, directly or indirectly, by Defendant from or about an individual consumer was, or is reasonably believed to have been, accessed or acquired without authorization, and the incident affects at least 250 U.S. consumers.

“ Defendant ” means (1) Equifax Inc., and its successors and assigns, and (2) Equifax Inc.’s subsidiaries, and their successors and assigns, incorporated in the United States, that do business in the United States, or that collect, store, or process Personal Information from or about consumers in the United States to the extent that their conduct falls within the Commission’s jurisdiction.

“ Extended Claims Period ” means the period of time ending four years after the conclusion of the Initial Claims Period.

“ Full Service Identity Restoration Services ” means the identity restoration services offered to all Affected Consumers enrolled in the Product, as described in Exhibit A.

“ Initial Claims Period ” means the period of time ending six months after entry of the order permitting issuance of notice in the Multi-District Litigation.

“ MDL Court ” means the Court presiding over the Multi-District Litigation.

“ Multi-District Litigation ” means those actions filed against Equifax Inc. and/or one or more of its subsidiaries asserting claims related to the Breach by or on behalf of one or more consumers that have been or will be transferred to the federal proceedings styled In re Equifax Inc. Customer Data Breach Litigation , 1:17-md-02800-TWT (N.D. Ga.).

“ Notice and Settlement Administration Costs and Expenses ” means the costs and expenses of the Notice Provider, Notice Plan, Claims Administration Protocol, and Settlement Administrator.

“ Notice Date ” means sixty days after the MDL Court issues an order permitting issuance of notice of the Settlement.

“ Notice Plan ” means the plan that has been approved by a representative of the Commission and which will be submitted to, approved by, and overseen by the MDL Court, for providing notice to Affected Consumers in the Multi-District Litigation.

“ Notice Provider ” means Signal Interactive Media or another independent third-party agent or administrator that has been approved by a representative of the Commission, and which will be submitted to, approved by, and overseen by the MDL Court to implement the Notice Plan.

“ Out-of-Pocket Losses ” means verifiable unreimbursed costs or expenditures that an Affected Consumer incurred and that are fairly traceable to the Breach, which are eligible for reimbursement from the Consumer Fund as set forth in Sections IX.B.1.c and IX.B.2.

“ Personal Consumer Report ” means the Consumer Report made available to consumers by any entity within Defendant that compiles and maintains files on consumers on a nationwide basis as defined under 15 U.S.C. § 1681a(p) .

“ Personal Information ” means individually identifiable information from or about an individual consumer, including:

first and last name;

home or other physical address;

email address;

telephone number;

date of birth;

Social Security number;

other government-issued identification numbers, such as a driver’s license number, military identification number, passport number, or other personal identification number;

financial institution account number;

credit or debit card information; or

authentication credentials, such as a username and password.

“ Preventative Measures ” means placement or removal of security freezes or obtaining credit monitoring services.

“ Product ” means the three-bureau credit and identity monitoring product, including any changes, as described in Exhibit A and approved by a representative of the Commission and then approved by the MDL Court.

“ Service Awards ” means compensation awarded to the consumers named as plaintiffs in the Multi-District Litigation.

“ Settlement ” means the settlement resolving the Multi-District Litigation.

“ Settlement Administrator ” means JND Legal Administration, or another independent third-party agent or administrator that has been approved by a representative of the Commission, and which will be submitted to, approved by, and overseen by the MDL Court to implement the processes described in the Claims Administration Protocol, and claims and Settlement process in the Multi-District Litigation.

“ Settlement Website ” means the website established by the Settlement Administrator, and described in the Claims Administration Protocol, that has been approved by a representative of the Commission to provide information about the Settlement, including deadlines and case documents, and permit Affected Consumers to electronically submit Claims Forms.

“ States’ Attorneys General ” means the 50 state and territory attorneys general that are each entering into a stipulated judgment on or about July 22, 2019 with Equifax Inc. for claims related to the Breach.

“ Time Compensation ” means compensation to an Affected Consumer for time spent by that Affected Consumer (1) taking Preventative Measures and/or (2) remedying fraud, identity theft, or other misuse of an Affected Consumer’s Personal Information that is fairly traceable to the Breach.

Document in writing the content, implementation, and maintenance of the Information Security Program, including the following:

Documented risk assessments required under Section II.D;

Documented safeguards required under Section II.E; and

A description of the procedures adopted to implement and monitor the Information Security Program, including procedures for evaluating and adjusting the Information Security Program as required under Section II.I;

Provide the written Information Security Program and any material evaluations thereof or updates thereto to Defendant’s board of directors or a relevant subcommittee thereof, or equivalent governing body or, if no such board or equivalent governing body exists, to a senior officer of Defendant responsible for Defendant’s Information Security Program at least once every twelve months;

Designate a qualified employee or employees to coordinate, oversee, and be responsible for the Information Security Program;

Assess, at least once every twelve months, internal and external risks to the security, confidentiality, or integrity of Personal Information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information and document those risks that are material. Defendant shall further assess and document internal and external risks as described above as they relate to a Covered Incident promptly (not to exceed forty-five days) following verification of such a Covered Incident;

Design, implement, maintain, and document safeguards that control for the material internal and external risks Defendant identifies to the security, confidentiality, or integrity of Personal Information identified in response to Section II.D. Each safeguard shall be based on the volume and sensitivity of the Personal Information that is at risk, and the likelihood, given the existence of other safeguards, that the risk could be realized and result in the unauthorized access, collection, use, alteration, destruction, or disclosure of the Personal Information. Such safeguards shall also include:

Establishing patch management policies and procedures that require confirmation that any directives to apply patches or remediate vulnerabilities are received and completed and that include timelines for addressing vulnerabilities that account for the severity and exploitability of the risk implicated;

Establishing and enforcing policies and procedures to ensure the timely remediation of critical and/or high-risk security vulnerabilities;

Identifying and documenting a comprehensive information technology (“IT”) asset inventory that includes hardware, software, and location of the assets;

Designing and implementing protections such as network intrusion protection, host intrusion protection, and file integrity monitoring, across Defendant’s network and IT assets, including Defendant’s legacy technologies;

Designing, implementing, and maintaining measures to limit unauthorized access in any network or system that stores, collects, maintains, or processes Personal Information, such as segmentation of networks and databases and properly configured firewalls;

Implementing access controls across Defendant’s network, such as multi-factor authentication and strong password requirements;

Limiting user access privileges to systems that provide access to Personal Information to employees, contractors, or other authorized third parties with a business need to access such information and establishing regular documented review of such access privileges;

Implementing protections, such as encryption, tokenization, or other at least equivalent protections, for Personal Information collected, maintained, processed, or stored by Defendant, including in transit and at rest. To the extent that any of the identified protections are infeasible, equivalent protections shall include effective alternative compensating controls designed to protect unencrypted data at rest or in transit, which shall be reviewed and approved by the qualified employee or employees designated to coordinate, oversee, and be responsible for the Information Security Program;

Establishing and enforcing written policies, procedures, guidelines, and standards designed to:

Ensure the use of secure development practices for applications developed in-house; and

Evaluate, assess, or test the security of externally developed applications used within Defendant’s technology environment;

Establishing regular information security training programs, updated, as applicable, to address internal or external risks identified by Defendant, including, at a minimum:

At least annual information security awareness training for all employees, including notifying employees of the process for submitting complaints and concerns pursuant to Section II.E.12; and

Training for software developers relating to secure software development principles and intended to address well-known and reasonably foreseeable vulnerabilities, such as cross-site scripting, structured query language injection, and other risks identified by Defendant through risk assessments and/or penetration testing;

Establishing a clear and easily accessible process for receiving and addressing security vulnerability reports from third parties such as security researchers and academics; and

By August 30, 2019, establishing a clear and easily accessible process overseen by a senior corporate manager for employees to submit complaints or concerns about Defendant’s information security practices, including establishing a clear process for reviewing, addressing, and escalating employee complaints or concerns.

Assess, at least once every twelve months, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Personal Information, and evaluate and implement any needed modifications to the Information Security Program based on the results. Defendant shall further assess the sufficiency of safeguards as described above, as they relate to a Covered Incident, promptly (not to exceed forty-five days) following verification of such an incident. Each such assessment must evaluate safeguards in each area of relevant operation, including:

Employee training and management;

Information systems, such as network and software design, or information processing, storage, transmission, and disposal; and

Prevention, detection, and response to attacks, intrusions, or other system failures;

Test and monitor the effectiveness of the safeguards at least once every twelve months and, as they relate to a Covered Incident, promptly (not to exceed sixty days) following verification of such an incident, and modify the Information Security Program based on the results. Such testing shall include vulnerability testing of Defendant’s network at least once every four months and, as it relates to a Covered Incident, promptly (not to exceed sixty days) following verification of such an incident, and penetration testing of Defendant’s network at least once every twelve months and, as it relates to a Covered Incident, promptly (not to exceed sixty days) following verification of such an incident;

Select and retain service providers capable of safeguarding Personal Information they access through or receive from Defendant, and contractually require service providers to implement and maintain safeguards tailored to the amount and the type of Personal Information at issue; and

Evaluate and adjust the Information Security Program in light of any changes to Defendant’s operations or business arrangements, including, without limitation, acquisition or licensing of any new information systems, technologies, or assets through merger or acquisition, a Covered Incident, or any other circumstances that Defendant knows or has reason to know may have a material impact on the effectiveness of the Information Security Program. At a minimum, Defendant must evaluate the Information Security Program at least once every twelve months and, as it relates to a Covered Incident, promptly (not to exceed sixty days) following verification of such an incident and modify the Information Security Program based on the results.

The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) is a Certified Information Systems Security Professional (“CISSP”) or a Certified Information Systems Auditor (“CISA”), or other similarly qualified person or organization;

For each Assessment, Defendant shall provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name and affiliation of the person selected to conduct the Assessment, which the Associate Director shall have the authority to approve in his or her sole discretion. If the Associate Director for Enforcement does not approve of the person Defendant has selected, Defendant must choose a person or entity to conduct the Assessment from a list of at least three Assessors provided by a representative of the Commission.

The reporting period for the Assessments must cover: (1) the first 180 days after the entry date of the Order for the initial Assessment; and (2) each two-year period thereafter for twenty years after entry of the Order for the biennial Assessments.

Each Assessment must:

Evaluate whether Defendant has implemented and maintained the Information Security Program required by Section II of this Order, titled Mandated Information Security Program;

Assess the effectiveness of Defendant’s implementation and maintenance of subsections A-I of Section II;

Identify gaps or weaknesses in the Information Security Program and make recommendations to remediate or cure any such gaps and weaknesses; and

Identify specific evidence (including, but not limited to, documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely solely on assertions or attestations by Defendant’s management. The Assessment shall be signed by the Assessor and shall state that the Assessor conducted an independent review of the Information Security Program, and did not rely solely on assertions or attestations by Defendant’s management.

Each Assessment must be completed within sixty days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Defendant must submit each Assessment to the Commission within ten days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “Federal Trade Commission v. Equifax Inc., FTC File No. 1723203.” Defendant must notify the Commission of any portions of the Assessment containing trade secrets, commercial or financial information, or information about a consumer or other third party, for which confidential treatment is requested pursuant to the Commission’s procedures concerning public disclosure set forth in 15 U.S.C. 46(f) and 16 CFR 4.10.

For a total of twenty years and commencing one year after the entry date of this Order, and each year thereafter, provide the Commission with a certification from the board of directors, or a relevant subcommittee thereof, or other equivalent governing body or, if no such board or equivalent governing body exists, a senior officer of Defendant responsible for Defendant’s Information Security Program, that: (1) Defendant has established, implemented, and maintained the requirements of this Order; (2) Defendant is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; (3) Defendant has cooperated with the Assessor as required by Section IV of this Order; and (4) includes a brief description of any Covered Incident. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the board of directors, or relevant subcommittee thereof, or other equivalent governing body, reasonably relies in making the certification.

Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue N.W., Washington, D.C. 20580. The subject line must begin, “Federal Trade Commission v. Equifax Inc., FTC File No. 1723203.”

The report must include, to the extent possible:

The date, estimated date, or estimated date range when the Covered Incident occurred;

A description of the facts relating to the Covered Incident, including the causes and scope of the Covered Incident, if known;

A description of each type of information that triggered the notification obligation to the U.S. federal, state, or local government entity;

The number of consumers whose information triggered the notification obligation to the U.S. federal, state, or local government entity;

The acts that Defendant has taken to date to remediate the Covered Incident and protect Personal Information from further exposure or access, and, if applicable, to protect affected individuals from identity theft or other harm that may result from the Covered Incident; and

A representative copy of each materially different notice required by U.S. federal, state, or local law or regulation and sent by Defendant to consumers or to any U.S. federal, state, or local government entity.

No more than thirty days after every calendar quarter, Defendant must provide Defendant’s board of directors or a relevant subcommittee thereof, or equivalent governing body or, if no such board or equivalent governing body exists, to a senior officer of Defendant responsible for Defendant’s Information Security Program, a report summarizing all Covered Incidents that occurred in that calendar quarter.

Unless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue N.W., Washington, D.C. 20580. The subject line must begin, “Federal Trade Commission v. Equifax Inc., File No. 172 3203.” Defendant must notify the Commission of any portions of the Covered Incident Report containing trade secrets, commercial or financial information, or information about a consumer or other third party, for which confidential treatment is requested pursuant to the Commission’s procedures concerning public disclosure set forth in 15 U.S.C. § 46(f) and 16 CFR Part 4.10.

Judgment in the amount of Four Hundred Twenty-Five Million Dollars ($425,000,000) is entered in favor of the Commission against Defendant.

This order imposes additional financial obligations (“Additional Financial Obligations”) on Defendant for the purpose of monetary relief for Affected Consumers. If more than seven million Affected Consumers enroll in the Product, then Defendant’s Additional Financial Obligations will be calculated using the following formulas:

If, at the end of the Initial Claims Period, more than seven million Affected Consumers enroll in the Product, then:

If the total payments for Alternative Reimbursement Compensation, Out-of-Pocket Losses, Assisted Identity Restoration Services, Notice and Settlement Administration Costs and Expenses, Service Awards, and the cost of providing the Product to seven million Affected Consumers (the “Costs”) are greater than or equal to Three Hundred Million Dollars ($300,000,000), Equifax Inc., its successors and assigns, shall pay the Commission an amount equal to the cost of providing the Product to enrollees above seven million (the “Additional Credit Monitoring Cost”);

If the Costs are less than Two Hundred Fifty-Six Million Five Hundred Thousand Dollars ($256,500,000) and the Additional Credit Monitoring Cost is greater than Forty-Three Million Five Hundred Thousand Dollars ($43,500,000), Equifax Inc., its successors and assigns, shall pay the Commission an amount equal to the Additional Credit Monitoring Cost less Forty-Three Million Five Hundred Thousand Dollars ($43,500,000); or

If (i) the Costs are greater than or equal to Two Hundred Fifty-Six Million Five Hundred Thousand Dollars ($256,500,000) but less than Three Hundred Million Dollars ($300,000,000) and (ii) the Costs plus the Additional Credit Monitoring Costs are greater than Three Hundred Million Dollars ($300,000,000), Equifax Inc., its successors and assigns, shall pay the Commission an amount equal to the Costs plus Additional Credit Monitoring Costs less Three Hundred Million Dollars ($300,000,000); and

If, during the Extended Claims Period, more than seven million Affected Consumers have enrolled in the Product and either (i) the Costs are greater than or equal to Two Hundred Fifty-Six Million Five Hundred Thousand Dollars ($256,500,000)or (ii) the Additional Credit Monitoring Costs are greater than or equal to Forty-Three Million Five Hundred Thousand Dollars ($43,500,000) then, on a monthly basis, Equifax Inc., its successors and assigns, shall deposit any additional money to the Commission that would be required pursuant to the calculations in Section VII.B.1.a-c, less any amounts previously deposited as the Additional Financial Obligations.

Equifax Inc., its successors and assigns, shall deposit Three Hundred Million Dollars ($300,000,000) (the “Payment”) into the Consumer Fund as follows: (i) One Hundred Fifty Thousand Dollars ($150,000) no later than fifteen days after the filing of this Order, to cover reasonable set-up costs of the Notice Provider; (ii) Twenty-Five Million Dollars ($25,000,000) no later than fifteen days after the MDL Court enters an order permitting issuance of notice of the Settlement, to cover reasonable costs and expenses of the Settlement Administrator and Notice Provider and set-up costs for the independent third-party provider of the Product and Assisted Identity Restoration Services; and (iii) Three Hundred Million Dollars ($300,000,000) into the Consumer Fund, less any amounts paid pursuant to (i) and (ii), no later than fifteen days after the Class Action Effective Date.

If the Consumer Fund lacks sufficient funds to pay claims for Out-of-Pocket Losses made during the Initial and Extended Claims Periods, Equifax Inc., its successors and assigns, deposits into the Consumer Fund, as needed to pay such claims on a monthly basis, up to an additional aggregate amount of One Hundred Twenty-Five Million Dollars ($125,000,000) within fourteen days after receipt of written notification from the Settlement Administrator that there are insufficient funds remaining in the Consumer Fund.

Equifax Inc., its successors and assigns, pays any Additional Financial Obligations required under Section VII into the Consumer Fund.

Sections IX and X of this Order shall be construed in a manner consistent with the Settlement.

An amount no less than Three Hundred Million Dollars ($300,000,000), plus any amount deposited in the Consumer Fund pursuant to Sections VIII.B and VIII.C, including all accumulated interest, must be used and administered as described in Section IX for the exclusive purpose of providing restitution and redress to Affected Consumers.

Subject to Sections IX.C and IX.D, the Consumer Fund shall be used to pay:

After either the Class Action Effective Date or the conclusion of the Initial Claims Period, whichever is later, for claims submitted during the Initial Claims Period:

Four years of enrollment in the Product to Affected Consumers, which shall include One Million Dollars ($1,000,000) in identity theft insurance and Full Service Identity Restoration Services.

The Product shall be offered, provided and maintained by an independent third party and shall not be provided to any Affected Consumer by Defendant. Defendant shall not receive any monetary benefit from the Product;

Defendant shall, through the independent third party provider of the Product, provide activation codes for enrollment in the Product to Affected Consumers who file a valid claim for the Product. Activation codes shall be sent no later than forty-five days after either the Class Action Effective Date or the conclusion of the Initial Claims Period, whichever is later. Affected Consumers shall be eligible to enroll in the Product for a period of at least ninety days following receipt of the activation code.

Alternative Reimbursement Compensation of up to One Hundred Twenty-Five Dollars ($125);

Claims for Out-of-Pocket Losses, including, without limitation, the following:

Up to twenty-five percent (25%) reimbursement for costs incurred by an Affected Consumer enrolled in an Equifax credit or identity monitoring subscription product on or after September 7, 2016, through September 7, 2017;

Credit monitoring costs that were incurred by an Affected Consumer on or after September 7, 2017, through the date of the Affected Consumer’s claim submission;

Costs incurred on or after September 7, 2017, associated with placing or removing a security freeze on a Consumer Report with any Consumer Reporting Agency;

Unreimbursed costs, expenses, losses, or charges incurred by an Affected Consumer as a result of identity theft or identity fraud, falsified tax returns, or other alleged misuse of Affected Consumers’ personal information;

Other miscellaneous expenses incurred related to any Out-Of-Pocket Loss such as notary, fax, postage, copying, mileage, and long-distance telephone charges; and

Time Compensation for up to twenty hours.

For claims submitted during the Extended Claims Period, reimbursement of claims for the following Out-of-Pocket Losses incurred during the Extended Claims Period:

Unreimbursed costs, expenses, losses, or charges incurred by an Affected Consumer as a result of identity theft or identity fraud, falsified tax returns, or other alleged misuse of Affected Consumers’ Personal Information;

Other miscellaneous expenses, incurred by an Affected Consumer related to remedying fraud, identity theft, or other misuse of an Affected Consumer’s Personal Information, such as notary, fax, postage, copying, mileage, and long-distance telephone charges; and

Time Compensation limited to time spent remedying fraud, identity theft, or other misuse of an Affected Consumer’s Personal Information that is fairly traceable to the Breach.

For a period of seven years from the Class Action Effective Date, Assisted Identity Restoration Services to an Affected Consumer. Affected Consumers shall not be required to enroll in the Product to obtain Assisted Identity Restoration Services.

The Assisted Identity Restoration Services shall be offered, provided and maintained by the independent third party that has been approved by a representative of the Commission and that will be presented to the MDL Court for its approval. Assisted Identity Restoration Services shall not be provided to any Affected Consumer by Defendant. Defendant shall not receive any monetary benefit from the Assisted Identity Restoration Services.

Notice and Settlement Administration Costs and Expenses;

Applicable taxes, duties, and similar charges due from the Consumer Fund to the extent that the principal is not reduced; and

Service Awards in an aggregate amount not to exceed Two Hundred Fifty Thousand Dollars ($250,000). To the extent the MDL Court approves Service Awards in excess of Two Hundred Fifty Thousand Dollars ($250,000), such amount shall not be paid from the funds deposited into the Consumer Fund pursuant to this Order and shall be paid solely by the Defendant.

Subject to Section IX.D, payments from the Consumer Fund shall be subject to the following limitations:

Each Affected Consumer will be eligible to receive a maximum aggregate reimbursement of Twenty Thousand Dollars ($20,000) for Out-of-Pocket Losses.

No more than Thirty-One Million Dollars ($31,000,000) shall be used to pay Alternative Reimbursement Compensation (the “Alternative Reimbursement Compensation Cap”). To the extent valid claims for Alternative Reimbursement Compensation exceed the Alternative Reimbursement Compensation Cap, then payments for valid Alternative Reimbursement Compensation claims shall be reduced on a pro rata basis.

No more than Thirty-One Million Dollars ($31,000,000) shall be paid as Time Compensation for valid Time Compensation claims made during the Initial Claims Period (the “Initial Time Compensation Cap”). To the extent valid claims for Time Compensation made during the Initial Claims Period exceed the Initial Time Compensation Cap, payments for such valid claims will be reduced on a pro rata

If amounts remain in the Consumer Fund at the conclusion of the Extended Claims Period, the remaining funds shall be distributed to provide restitution and redress as follows:

First, the Aggregate Time Compensation Cap and Alternative Reimbursement Compensation Cap shall both be lifted (if applicable) and payments increased pro rata to Affected Consumers with valid claims up to the full amount of those claims; then,

Second, to provide Assisted Identity Restoration Services to all Affected Consumers for up to an additional thirty-six months; then,

Third, to extend the duration of the Product to Affected Consumers enrolled in the Product until the funds in the Consumer Fund are exhausted.

Defendant shall supply the Notice Provider with information in its possession, custody, or control, to the extent reasonably available, regarding Affected Consumers sufficient to enable the Notice Provider to implement the Notice Plan.

Defendant shall supply the Settlement Administrator with information in its possession, custody, or control, to the extent reasonably available, regarding Affected Consumers sufficient to enable the Settlement Administrator to implement the Claims Administration Protocol. This shall include providing the Settlement Administrator with sufficient information to identify consumers who are eligible for reimbursement pursuant to IX.B.1.c.i, as those consumers are not required to submit supporting documentation for this type of Out-of-Pocket Loss.

Defendant must notify a designated representative of the Commission of any requested modifications to the Notice Plan or Claims Administration Protocol, including any change of the Notice Provider or Settlement Administrator, and any such modification requested by the Defendant must be approved by a designated representative of the Commission, with such approval not unreasonably withheld, and shall also require approval from the MDL Court.

In connection with the administration of the Consumer Fund overseen by the MDL Court:

The Commission may send a request for information regarding compliance with Sections VII – X of this Order to the Notice Provider and/or Settlement Administrator, and any request will include all parties to the Settlement and the Bureau. Discussion and fulfillment of responses to a request from the Commission shall be made consistent with the Claims Administration Protocol;

Defendant shall provide to the Commission the weekly reports prepared by the Settlement Administrator pursuant to the Multi-District Litigation that summarize information related to the claims administration; and

Defendant shall provide to the Commission copies of any information requested by and submitted to the Bureau.

From the beginning of the Initial Claims Period until the Consumer Fund is exhausted, Defendant shall provide a representative of the Commission, on an annual basis, with the following information for the prior year:    

A summary by month of the total number of claims submitted to the Settlement Administrator, the total dollar amount of claims submitted to the Settlement Administrator, the total number of claims paid by the Settlement Administrator, the total amount of claims paid by the Settlement Administrator, and the total amount of claim payments negotiated.

Regarding the Product and Assisted Identity Restoration Services outlined in Exhibit A, the following information:

The number of Affected Consumers who enrolled in the Product;

The number and total dollar amount of claims filed by Affected Consumers under the identity theft insurance provided pursuant to the Product and what percentage of those claims were paid;

The number of Affected Consumers who availed themselves of Full Service Identity Restoration Services in the year preceding the publication of the annual report; and

The number of Affected Consumers who availed themselves of Assisted Identity Restoration Services in the year preceding the publication of the annual report.

Information regarding notice, including the number of viewers who opened emails sent pursuant to the Notice Plan, the number of unique visitors to the Settlement Website, and the number of unique visitors who arrived from a hyperlink to the Settlement Website posted on or in each of the following:

www.equifax.com;

www.equifaxsecurity2017.com;

Defendant’s Twitter notifications referenced in Section XV.A.4;

Defendant’s Facebook notifications referenced in Section XV.A.5; and

The emails sent pursuant to the Notice Plan.

Regarding consumer complaints:

The number of unique consumer complaints received by the Settlement Administrator or the third party providing the Product regarding:

Access to the Settlement Website;

Enrollment in the Product;

Any of the Product components, including identity theft insurance;

Any other consumer rights to obtain relief under this Order; or

Identity theft; and

Defendant shall develop and implement a process to direct consumers that contact Defendant with issues related to the Settlement or the Consumer Fund to the Settlement Administrator and/or the Settlement Website.

The reporting period must cover: (1) the first year after the entry date of the order permitting issuance of notice of the Settlement; and (2) each year thereafter until the Consumer Fund has been exhausted.

This information must be submitted to the Commission within sixty days after the reporting period has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue N.W., Washington, D.C. 20580. The subject line must begin, “Federal Trade Commission v. Equifax Inc., FTC File No. 1723203.”

Defendant shall transmit the information required pursuant to Section X.D without alteration and shall disclose any fact material to the information submitted. No information may be withheld on the basis of (1) a claim of confidentiality, proprietary or trade secrets, or any similar claim, or (2) any privilege asserted between Defendant and the Settlement Administrator, although such documents can be designated for confidential treatment in accordance with applicable law.    

The information described in Section X.D shall be treated as confidential until the Class Action Effective Date. Defendant shall not object to publication of this information by the Commission, to the extent that such publication occurs after the Class Action Effective Date.    

The forbearance will terminate upon written notice to Defendant upon the occurrence of one or more Termination Events. If any of the following Termination Events should occur, a representative of the Commission and the Bureau may, in their sole discretion, jointly send Defendant a written notice of a Termination Event:

An executed Settlement agreement, and a motion for an order permitting issuance of notice of the Settlement, containing terms materially similar to those outlined in Sections VIII, IX, X, and XIII and Exhibit A of this Order, are not submitted to the MDL Court within fourteen days after the filing of this proposed Order, provided however that the Defendant, Commission, or the Bureau are not the cause of such failure;

The MDL Court declines to enter an order permitting issuance of notice of the Settlement and either (i) a modified Settlement agreement is not submitted to the MDL Court within sixty days or (ii) a modified Settlement agreement is submitted to the MDL Court without Defendant first obtaining written approval from a representative of the Commission;

The MDL Court enters a final approval of a Settlement agreement in the Multi-District Litigation with terms that are materially different from the terms in Sections VIII-X and Exhibit A of this Order and Defendant has not obtained written approval from a representative of the Commission;

The MDL Court declines to enter a final approval of a Settlement agreement in the Multi-District Litigation with terms materially similar to those outlined in Sections VIII, IX, X, and XIII and Exhibit B of this Order and (i) a modified Settlement agreement is not submitted to the MDL Court within sixty days, or (ii) a modified Settlement agreement is submitted to the MDL Court without Defendant first obtaining written approval from a representative of the Commission;

The MDL Court’s Final Approval Order is overturned on appeal and either (i) a modified Settlement agreement in the Multi-District Litigation is not submitted to the MDL Court within sixty days or (ii) a modified Settlement agreement in the Multi-District Litigation is submitted to the MDL Court without Defendant first obtaining approval from a representative of the Commission;

The MDL Court approves a Settlement agreement or modified Settlement agreement, other than one approved by the Commission, resolving the Multi-District Litigation that interferes in any way with the Commission’s ability to enforce this Order; or

If at any time the Settlement is terminated by any party to the Multi-District Litigation.

If an event described in Sections XI.B.2 – 6 results from an objection from the Commission, Bureau, or the States’ Attorneys General in the MDL Court to either (i) the Settlement or (ii) a modified Settlement agreement in the Multi-District Litigation, and such Settlement or modified Settlement agreement contains terms that are materially similar to Sections VIII, IX, X, and XIII and Exhibit A, such event shall not constitute a Termination Event.

If the Commission and the Bureau jointly send Defendant a written notice of a Termination Event, Section XI of this Order will not be construed in a way that interferes with the Multi-District Litigation.

If the forbearance ends, within twenty-one days of receipt of written notice of a Termination Event, Equifax Inc., its successors and assigns, is ordered to pay the following amounts, plus any interest accumulated, less any payments that have already been disbursed by the Settlement Administrator from the Consumer Fund; Defendant is not entitled to any offset or other deduction unless a representative of the Commission agrees in writing in advance:

Three Hundred Million Dollars ($300,000,000), plus any interest accumulated, less any payments that have already been disbursed by the Settlement Administrator from the Consumer Fund;

If the funds paid pursuant to Section XI.D.1 are insufficient to pay claims for Out-of-Pocket Losses made during the Initial and Extended Claims Periods, and subject to the monetary limits, if applicable, set forth in Sections IX.B, IX.C and IX.D, Equifax Inc., its successors and assigns, shall make additional payments of up to One Hundred Twenty-Five Million Dollars ($125,000,000) in the aggregate as needed on a monthly basis within fourteen days after receipt of written notification from a representative of the Commission that there are insufficient funds remaining; and

Additional Financial Obligations, subject to the monetary limits, if applicable, set forth in Section IX.B, IX.C and IX.D, pursuant to Section VII.B.

All payments to the Commission must be made by electronic fund transfer in accordance with instructions provided by a representative of the Commission.

The Notice Provider and Settlement Administrator’s acceptance of funds shall constitute the Notice Provider and Settlement Administrator’s agreement to consent to the jurisdiction of this Court.

In addition to payment, Defendant remains obligated to cooperate in the administration of consumer relief. If a representative of the Commission requests in writing any information related to consumer relief, Defendant must provide it, in the form prescribed by the Commission, within fourteen days. Defendant shall provide the Commission with:

Sufficient information to enable the Commission to efficiently administer consumer relief.

Sufficient information regarding any steps toward consumer notice, claims, and relief that has been provided pursuant to the Consumer Fund by the Notice Provider or the Settlement Administrator to enable the Commission to efficiently administer consumer relief.

The Commission may, at its sole discretion, continue to work with the Notice Provider and Settlement Administrator on behalf of itself, the Bureau, and the States’ Attorneys General.

Whether the Commission elects to continue to retain them, the Notice Provider and the Settlement Administrator shall provide the Commission with sufficient information regarding any steps toward consumer notice, claims, and relief that has been provided pursuant to the Consumer Fund to enable the Commission to efficiently administer consumer relief.

If a representative of the Commission requests in writing any information related to consumer relief, Defendant shall require the Notice Provider and the Settlement Administrator to provide it, to the extent reasonably available, in the form prescribed by the Commission, within fourteen days.

All other provisions of this Order shall remain in full force and effect.

Defendant relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.

The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission in a proceeding to enforce its rights to any payment or monetary judgment pursuant to this Order, such as a nondischargeability complaint in any bankruptcy case.

The facts alleged in the Complaint establish all elements necessary to sustain an action by the Commission pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes.

Defendant acknowledges that its Taxpayer Identification Number, which Defendant must submit to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.

All money paid to the Commission shall be deposited into a fund administered by the Commission or its designee to be used for consumer relief, on behalf of the Commission, the Bureau, and States’ Attorneys General, including the types of consumer relief enumerated in Section IX (such as enrollment in a credit monitoring product, out-of-pocket losses, time compensation, miscellaneous expenses, and identity theft restoration services), and any attendant expenses for the administration of any fund. If a

Offer a single-bureau monitoring service with the features described in Exhibit A (“Single-Bureau Monitoring) that has been approved by a representative of the Commission, to Affected Consumers who file a valid claim for Single-Bureau Monitoring and who enroll in the Product. Such Affected Consumers may enroll in the Single-Bureau Monitoring upon expiration of the Product, including any extensions thereof pursuant to Section IX, such that the aggregate number of years of credit monitoring provided under Section IX and the Single-Bureau Monitoring equals ten years, except as described in Subsection XIII.B, below.

Offer Affected Consumers who were under the age of eighteen on May 13, 2017, additional years of Single-Bureau Monitoring such that the aggregate number of years of credit monitoring provided under Section IX and the Single-Bureau Monitoring equals eighteen years. If an Affected Consumer who enrolled in the Product is under the age of eighteen when the Product expires, the Single-Bureau Monitoring offered will be child monitoring services until such Affected Consumer reaches eighteen years of age.

Provide all Affected Consumers with an easily accessible process to place or remove security freezes or locks on their Personal Consumer Report for free for a period of ten years following the date of entry of this Order. Defendant shall not dissuade Affected Consumers from placing or choosing to place a security freeze. Should Defendant offer any standalone product or service as an alternative with substantially similar features as a security freeze (e.g., Lock & Alert), Defendant shall not seek to persuade Affected Consumers to choose the alternative product or service instead of a security freeze.

Separate and apart from any statutory or other legal requirements, for a period of seven years starting December 31, 2019, provide to all U.S. consumers a clearly accessible process to obtain six free copies during any twelve-month period of their Personal Consumer Report.

Makes a Clear and Conspicuous disclosure, separate and apart from any “End User License Agreement,” “Privacy Policy,” “Terms of Use” page, describing how Defendant will use the Affected Consumer’s information; and

Obtains and documents the Affected Consumer’s affirmative express consent.

To Affected Consumers within seven days of entry of an order permitting issuance of notice of the Settlement, or the Commission notifying Defendant that it is exercising its rights under a Termination Event, whichever is earlier:

Posting a Clear and Conspicuous hyperlink to the Settlement Website on the top portion of the landing page for Defendant’s primary, consumer-facing website, www.equifax.com, which shall state “Visit [hyperlink to the Settlement Website] for information on the Equifax Data Breach Settlement” or “Equifax Data Breach Settlement,” which shall remain posted until the expiration of the Initial Claims Period;

Posting a Clear and Conspicuous hyperlink to the Settlement Website on the top portion for the landing page for Defendant’s www.equifaxsecurity2017.com website, which shall state “Visit [hyperlink to the Settlement Website] for information on the Equifax Data Breach Settlement” or “Equifax Data Breach Settlement,” which shall remain posted until the expiration of the Extended Claims Period;

Issuing a press release, using terms consistent with the approved Notice Plan, including a hyperlink to the Settlement Website, with information about the Product, the Consumer Fund, and the Settlement Website;

Sending a Twitter notification via Defendant’s primary Twitter account monthly during the Initial Claims Period and then biannually during the Extended Claims Period, the text of which shall read “Visit [hyperlink to the Settlement Website] for information on the Equifax Data Breach Settlement”; and

Posting a Facebook notification via Defendant’s primary account monthly during the Initial Claims Period and then biannually during the Extended Claims Period, the text of which shall read “Visit [hyperlink to the Settlement website] for information on the Equifax Data Breach Settlement.”

To U.S. consumers, issuing a press release seven days after the relief described in Section XIII.D becomes available, with information about the availability of six free copies of a U.S. consumer’s Personal Consumer Report during any twelve-month period for seven years, including a hyperlink to the webpage where consumers can request free Personal Consumer Reports.

Defendant, within seven days of entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.

For ten years after entry of this Order, Defendant must deliver a copy of this Order to: (a) all principals, officers, directors, and LLC managers and members; (b) all employees, agents, and representatives having managerial or supervisory responsibilities for conduct related to the subject matter of the Order; and (c) any business entity resulting from any change in structure as set forth in the Section titled Compliance Reporting; and

Delivery must occur within 7 days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.

From each individual or entity to which Defendant delivered a copy of this Order, Defendant must obtain, within 30 days, a signed and dated acknowledgment of receipt of this Order, which can be obtained electronically.

One year after entry of this Order, Defendant must submit a compliance report, sworn under penalty of perjury in which Defendant must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Defendant; (b) identify all of Defendant’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (c) describe the activities of each business, including the types of goods or services offered, the means of advertising,

For 20 years after entry of this Order, Defendant must submit a compliance notice, sworn under penalty of perjury, within 14 days of any change in the following: (a) any designated point of contact; or (b) the structure of any entity that Defendant has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.

Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against the Defendant within 14 days of its filing.

Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: ______” and supplying the date, signatory’s full name, title (if applicable), and signature.

Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin “Federal Trade Commission v. Equifax Inc., FTC File No. 1723203.”

Accounting records showing the revenues from all goods or services sold;

Personnel records showing, for each person providing services, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reasons for termination;

Copies or records of all U.S. consumer complaints concerning the subject matter of the Order, whether received directly or indirectly, such as through a third party, and any response;

A copy of each information security assessment required by this Order and any material evaluations of Defendant’s physical, technical, or administrative controls to protect the confidentiality, integrity, or availability of Personal Information;

A copy of each widely disseminated and unique representation by Defendant that describes the extent to which Defendant maintains or protects the privacy, confidentiality, security, or integrity of any Personal Information;

For five years after the date of preparation of each Assessment required by this Order, all materials and evidence that are in the Defendant’s possession and control that the Assessor considered, reviewed, relied upon or examined to prepare the Assessment, whether prepared by or on behalf of Defendant, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Defendant’s compliance with related Sections of this Order, for the compliance period covered by such Assessment; and

All records necessary to demonstrate full compliance with each provision of this Order; including all submissions to the Commission.

Within 14 days of receipt of a written request from a representative of the Commission, Defendant must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents for inspection and copying. The Commission is also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.

For matters concerning this Order, the Commission is authorized to communicate directly with Defendant. Defendant must permit representatives of the Commission to interview any employee or other person affiliated with Defendant who has agreed to such an interview. The person interviewed may have counsel present.

The Commission may use all other lawful means, including posing, through its representatives as consumers, suppliers, or other individuals or entities, to Defendant or any individual or entity affiliated with Defendant, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.

/s/ Jacqueline K. Connor

Federal Trade Commission

600 Pennsylvania Ave. N.W.,

Southeast Region

225 Peachtree Street, N.E., Suite 1500

/s/ John J. Kelley III

/s/ Edith Ramirez

This Court has jurisdiction over this matter.

The Complaint alleges claims for relief under Sections 1031(a) and 1036(a)(1) of the CFPA, 12 U.S.C. §§ 5531(a) and 5536(a)(1).

Defendant neither admits nor denies any of the allegations in the Complaint, except as specifically stated in this Order. For purposes of this Order, Defendant admits the facts necessary to establish jurisdiction over it and the subject matter of this action.

Defendant waives any claim that it may have under the Equal Access to Justice Act, 28 U.S.C. § 2412, concerning the prosecution of this action through the date of this Order, and agrees to bear its own costs and attorneys’ fees.

All parties waive all rights to appeal or otherwise challenge or contest the validity of this Order.

Entry of the Order is in the public interest.

purposes of this Order, the following definitions apply:

“Affected Consumer” means the approximately One Hundred Forty Seven Million (147,000,000) U.S. consumers whom Defendant has identified as having their Personal Information accessed without authorization as a result of the Breach.

“Assisted Identity Restoration” means the identity restoration services offered to all Affected Consumers, as set forth in Subsection VII.D and described in Exhibit A.

“Breach” means the information security incident publicly disclosed by Defendant on or about September 7, 2017.

“Claims Administration Protocol” means the protocol that has been approved by the Bureau, and which will be submitted to and approved by the MDL Court, to implement the claims administration process consistent with Sections VII, IX, X and XI of this Order and the Class Action Settlement.

“Class Action Settlement” means the settlement agreement, including release of settlement class member claims, filed in the Multi-District Litigation with the MDL Court.

“Class Action Effective Date” means the first business day after the MDL Court enters a Final Approval Order and Judgment, and either:

the time for appeal, petition, rehearing or other review has expired, or

if one or more appeals, petitions, requests for rehearing or other reviews are filed, when:

the Final Approval Order and Judgment is affirmed without material change and the time for further appeals, petitions, requests for rehearing or other reviews has expired, or

all appeals, petitions, rehearings, or other reviews are dismissed or otherwise disposed of, no other appeals, petitions, rehearings, or other reviews are pending, and the time for further appeals, petitions, requests for rehearing or other reviews has expired.

“Consumer Fund” means the account established to provide restitution and redress to Affected Consumers, as described in Sections IX, X, and XI, which will be overseen by the MDL Court and which represents an undifferentiated portion of the consumer restitution fund as defined in the Class Action Settlement.

“Consumer Report” has the meaning provided in the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et seq ., and any amendments thereto. As of the date of this Order, “Consumer Report” is defined under the FCRA as any written, oral, or other communication of any information by a Consumer Reporting Agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for:

“Consumer Reporting Agency” has the meaning provided in the FCRA, 15 U.S.C. § 1681 et seq ., and any amendments thereto. As of the date of this Order, “Consumer Reporting Agency” is defined under the FCRA as any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing Consumer Reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing Consumer Reports.

“Covered Incident” means any instance in which any United States federal, state, or local law or regulation requires Defendant to notify any U.S. federal, state, or local government entity that Personal Information collected or received, directly or indirectly, by Defendant from or about an individual consumer was, or is reasonably believed to have been, accessed or acquired without authorization, and the incident affects no fewer than 250 U.S. consumers.

“Defendant” means Equifax Inc., its successors and assigns, and its subsidiaries, their successors and assigns, incorporated in the United States, that do business in the United States, or that collect, store, or process Personal Information from or about consumers in the United States to the extent that Defendant’s conduct falls within the Bureau’s jurisdiction.

“Effective Date” means the date on which this Stipulated Order is issued.

“Enforcement Director” means the Assistant Director of the Office of Enforcement for the Bureau of Consumer Financial Protection, or her delegate.

“Extended Claims Period” means the period beginning with the conclusion of the Initial Claims Period through four (4) years after the conclusion of the Initial Claims Period.

“Final Approval Order and Judgment” means an order and judgment that the MDL Court enters finally approving settlement, including release of the settlement class member claims in the Multi-District Litigation.

“FTC Order” means the Stipulated Order entered in the matter styled as Federal Trade Commission v. Equifax Inc. , filed on or about July 22, 2019 in the Federal District Court for the Northern District of Georgia.

“Full Service Identity Restoration” means the identity restoration services offered to all Affected Consumers enrolled in the Product, as set forth in Subsection VII.A and described in Exhibit A.

“Initial Claims Period” means six (6) months after the MDL Court enters an order permitting issuance of notice of class action settlement for the Class Action Settlement.

“MDL Court” means the Court presiding over the Multi-District Litigation.

“Multi-District Litigation” means those actions filed against Equifax Inc. and/or one or more of its subsidiaries asserting claims related to the Breach by or on behalf of one or more consumers that have been or will be transferred to the federal proceedings styled In re: Equifax Inc. Customer Data Security Breach Litigation , 1:17-md-02800-TWT (N.D. Ga.).

“Notice Date” means the date sixty (60) days after the MDL Court issues an order permitting issuance of notice of class action settlement for the Class Action Settlement.

“Notice Plan” means the notice plan for providing notice to Affected Consumers which has been approved by a representative of the Bureau, and is to be submitted to, approved by, and overseen by the MDL Court.

“Notice Provider” means an independent third-party agent or administrator approved by a representative of the Bureau, and which is to be submitted to, approved by, and overseen by the MDL Court to implement the notice provisions of the Notice Plan, and as set forth in Section X.

“Out-of-Pocket Losses” means verifiable unreimbursed costs or expenditures incurred by an Affected Consumer that are fairly traceable (as described in the Claims Administration Protocol) to the Breach, which are eligible for reimbursement from the Consumer Fund as set forth in Subsection IX.B.4, and defined as follows:

Costs incurred for credit monitoring services at any time between September 7, 2017 and the date of the Affected Consumer’s claim(s) submission;

Up to twenty-five percent (25%) reimbursement for costs incurred by an Affected Consumer enrolled in Equifax credit or identity monitoring subscription products at any time between September 7, 2016 and September 7, 2017;

Costs incurred by an Affected Consumer to place or remove a security freeze on a Consumer Report with any Consumer Reporting Agency at any time on or after September 7, 2017;

Unreimbursed costs, expenses, losses, or charges incurred as a result of identity theft or identity fraud, falsified tax returns, or other alleged misuse of the Affected Consumer’s Personal Information;

Reimbursement for Time Compensation; and

Miscellaneous expenses incurred by the Affected Consumer related to any Out-Of-Pocket Losses, such as notary, fax, postage, copying, mileage, and telephone charges.

“Personal Consumer Report” means, for purposes of this Order only, a Consumer Report made available to consumers by any entity within Defendant that compiles and maintains files on consumers on a nationwide basis as defined under 15 U.S.C. § 1681a(p).

“Personal Information” means individually identifiable information from or about an individual consumer, including:

first and last name;

home or other physical address;

email address;

telephone number;

date of birth;

Social Security number;

other government-issued identification numbers, such as a driver’s license number, military identification number, passport number, or other personal identification number;

financial institution account number;

credit or debit card information; or

authentication credentials, such as a username and password.

“Preventative Measures” means placement or removal of security freezes or obtaining credit monitoring services.

“Product” means the credit monitoring, identity theft insurance, and identity restoration services further described in Subsection VII.A and on pages 1-4 of Exhibit A, that has been approved by the Bureau and will be presented to the MDL Court for approval.

“Related Consumer Action” means any private action by or on behalf of one or more consumers, or enforcement action by another governmental agency, entity, or representative, brought against Defendant based on substantially the same facts as described in the Complaint.

“Settlement Administrator” means an independent third-party agent or administrator that has been approved by the Bureau, which will be submitted to, approved by, and overseen by the MDL Court, and which will implement the claims and administration process in the Multi-District Litigation.

“Settlement Website” means the website established by the Settlement Administrator that provides information to Affected Consumers about their rights and options consistent with Sections VII, IX, X and XI of this Order, including the components of the Consumer Fund available to Affected Consumers, where and how Affected Consumers may submit claims during the Initial and Extended Claims Periods, and all deadlines for making such claims.

“Single Bureau Monitoring” means credit monitoring provided by Defendant and offered to all Affected Consumers enrolled in the Product, as set forth in Subsection VII.B and described in Exhibit A.

“States’ Attorneys General” means the 50 state and territory attorneys general that are each entering into a stipulated judgment on or about July 22, 2019 with Equifax Inc. for claims related to the Breach.

“Time Compensation” means compensation to an Affected Consumer for a valid claim for time spent by that Affected Consumer (1) taking Preventative Measures and/or (2) remedying fraud, identity theft, or other misuse of an Affected Consumer’s Personal Information that is fairly traceable to the Breach.

Document in writing the content, implementation, and maintenance of the Information Security Program, including the following:

Documented risk assessment required under Subsection II.D;

Documented safeguards required under Subsection II.E; and

A description of the procedures adopted to implement and monitor the Information Security Program, including procedures for evaluating and adjusting the Information Security Program as required under Subsection II.I.

Provide the written Information Security Program and any material evaluations thereof or updates thereto to Defendant’s board of directors or a relevant subcommittee thereof, or equivalent governing body or, if no such board or equivalent governing body exists, to a senior officer of Defendant responsible for Defendant’s Information Security Program at least once every twelve (12) months;

Designate a qualified employee or employees to coordinate, oversee, and be responsible for the Information Security Program;

Assess, at least once every twelve (12) months, internal and external risks to the security, confidentiality, or integrity of Personal Information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information and document those risks that are material. Defendant shall further assess and document internal and external risks as described above as they relate to a Covered Incident promptly (not to exceed forty-five days) following verification of such a Covered Incident;

Design, implement, maintain, and document safeguards that control for the material internal and external risks Defendant identifies to the security, confidentiality, or integrity of Personal Information identified in response to Subsection D. Each safeguard shall be based on the volume and sensitivity of the Personal Information that is at risk, and the likelihood, given the existence of other safeguards, that the risk could be realized and result in the unauthorized access, collection, use, alteration, destruction, or disclosure of the Personal Information. Such safeguards shall also include:

Establishing patch management policies and procedures that require confirmation that any directives to apply patches or remediate vulnerabilities are received and completed and that include timelines for addressing vulnerabilities that account for the severity and exploitability of the risk implicated;

Establishing and enforcing policies and procedures to ensure the timely remediation of critical and/or high-risk security vulnerabilities;

Identifying and documenting a comprehensive information technology (“IT”) asset inventory that includes hardware, software, and location of the assets;

Designing and implementing protections such as network intrusion protection, host intrusion protection, and file integrity monitoring, across Defendant’s network and IT assets, including Defendant’s legacy technologies;

Designing, implementing, and maintaining measures to limit unauthorized access in any network or system that stores, collects, maintains, or processes Personal Information, such as segmentation of networks and databases and properly configured firewalls;

Implementing access controls across Defendant’s network, such as multi-factor authentication and strong password requirements;

Limiting user access privileges to systems that provide access to Personal Information to employees, contractors, or other authorized third parties with a business need to access such information and establishing regular documented review of such access privileges;

Implementing protections, such as encryption, tokenization, or other at least equivalent protections, for Personal Information collected, maintained, processed, or stored by Defendant, including in transit and at rest. To the extent that any of the identified protections are infeasible, equivalent protections shall include effective alternative compensating controls designed to protect unencrypted data at rest or in transit, which shall be reviewed and approved by the qualified employee or employees designated to coordinate, oversee, and be responsible for the Information Security Program;

Establishing and enforcing written policies, procedures, guidelines, and standards designed to:

Ensure the use of secure development practices for applications developed in-house; and

Evaluate, assess, or test the security of externally developed applications used within Defendant’s technology environment;

Establishing regular information security training programs, updated, as applicable, to address internal or external risks identified by Defendant, including, at a minimum:

At least annual information security awareness training for all employees; and

Training for software developers relating to secure software development principles and intended to address well-known and reasonably foreseeable vulnerabilities, such as cross-site scripting, structured query language injection, and other risks identified by Defendant through risk assessments and/or penetration testing;

Establishing a clear and easily accessible process for receiving and addressing security vulnerability reports from third parties such as security researchers and academics; and

By August 30, 2019, establishing a clear and easily accessible process overseen by a senior corporate manager for employees to submit complaints or concerns about Defendant’s information security practices, including establishing a clear process for reviewing, addressing, and escalating employee complaints or concerns.

Assess, at least once every twelve (12) months, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Personal Information, and evaluate and implement any needed modifications to the Information Security Program based on the results. Defendant shall further assess the sufficiency of safeguards as described above as they relate to a Covered Incident promptly (not to exceed forty-five days) following verification of such an incident. Each such assessment must evaluate safeguards in each area of relevant operation, including:

Employee training and management;

Information systems, such as network and software design, or information processing, storage, transmission, and disposal; and

Prevention, detection, and response to attacks, intrusions, or other system failures;

Test and monitor the effectiveness of the safeguards at least once every twelve (12) months and, as they relate to a Covered Incident promptly (not to exceed sixty (60) days) following verification of such an incident, and modify the Information Security Program based on the results. Such testing shall include vulnerability testing of Defendant’s network at least once every four (4) months and, as it relates to a Covered Incident, promptly (not to exceed sixty (60) days) following verification of such an incident, and penetration testing of Defendant’s network at least once every twelve (12) months and, as it relates to a Covered Incident promptly (not to exceed sixty (60) days) following verification of such an incident;

Select and retain service providers capable of safeguarding Personal Information they access through or receive from Defendant, and contractually require service providers to implement and maintain safeguards tailored to the amount and the type of Personal Information at issue; and

Evaluate and adjust the Information Security Program in light of any changes to Defendant’s operations or business arrangements, including, without limitation, acquisition or licensing of any new information systems, technologies, or assets through merger or acquisition, a Covered Incident, or any other circumstances that Defendant knows or has reason to know may have a material impact on the effectiveness of the Information Security Program. At a minimum, Defendant must evaluate the Information Security Program at least once every twelve (12) months and, as it relates to a Covered Incident promptly (not to exceed sixty (60) days) following verification of such an incident and modify the Information Security Program based on the results.

The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who: (1) uses procedures and standards generally accepted in the profession; (2) is a Certified Information Systems Security Professional (“CISSP”) or a Certified Information Systems Auditor (“CISA”), or other similarly qualified person or organization; (3) has at least five (5) years of experience evaluating the effectiveness of computer system security or information system security; (4) conducts an independent review of the Information Security Program; and (5) is

For each Assessment, Defendant shall provide the Enforcement Director with the name and affiliation of the person selected to conduct the Assessment, which the Bureau shall have the authority to approve in its sole discretion. If the Bureau does not approve of the person Defendant has selected, Defendant must choose a person or entity to conduct the Assessment from a list of at least three Assessors provided by a representative of the Bureau.

The reporting period for the Assessments must cover: (1) the first 180 days after the entry date of the Order for the initial Assessment; and (2) each two-year period thereafter for twenty (20) years after entry of the Order for the biennial Assessments.

Each Assessment must:

Evaluate whether Defendant has implemented and maintained the Information Security Program required by Section II of this Order, titled Mandated Information Security Program;

Assess the effectiveness of Defendant’s implementation and maintenance of Subsections A-I of Section II;

Identify gaps or weaknesses in the Information Security Program and make recommendations to remediate or cure any such gaps and weaknesses; and

Identify specific evidence (including, but not limited to, documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely solely on assertions or attestations by Defendant’s management. The Assessment shall be signed by the Assessor and shall state that the Assessor conducted an independent review of the Information Security Program, and did not rely solely on assertions or attestations by Defendant’s management.

Each Assessment must be completed within sixty days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Bureau representative in writing, Defendant must submit each Assessment to the Bureau within ten days after the Assessment has been completed via secure email to Enforcement_Compliance@cfpb.gov or by overnight courier (not the U.S. Postal Service) to Enforcement Director, Office of Enforcement, Bureau of Consumer Financial Protection, 1700 G Street NW, Washington, DC 20552. The subject line must begin, “Bureau of Consumer Financial Protection v. Equifax Inc., BCFP File No. 2017-1906-02.” Defendant must notify the Bureau of any portions of the Assessment containing trade secrets, commercial or financial information, or information about a consumer or other third party, for which confidential treatment is requested pursuant to the Bureau’s procedures concerning public disclosure set forth in 12 U.S.C. § 5512(c)(6)(A) and 12 C.F.R. § 1070.20 (2018).

An Assessment required pursuant to this Section may be satisfied by an assessment conducted in connection with the FTC Order.

For a total of twenty (20) years and commencing one year after the entry date of this Order, and each year thereafter, provide the Bureau with a certification from the board of directors, or a relevant subcommittee thereof, or other equivalent governing body or, if no such board or equivalent governing body exists, a senior officer of Defendant responsible for Defendant’s Information Security Program, that: (1) Defendant has established, implemented, and maintained the requirements of this Order; (2) Defendant is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Bureau; (3) Defendant has cooperated with the Assessor as required by Section IV of this Order; and (4) includes a brief description of any Covered Incident. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the board of directors, or relevant subcommittee thereof, or other equivalent governing body, reasonably relies in making the certification.

Unless otherwise directed by a Bureau representative in writing, submit all annual certifications to the Bureau pursuant to this Order via email to Enforcement_Compliance@cfpb.gov or by overnight courier (not the U.S. Postal Service) to Enforcement Director, Office of Enforcement, Bureau of Consumer Financial Protection, 1700 G Street NW, Washington, DC 20552. The subject line must begin, “Bureau of Consumer Financial Protection v. Equifax Inc., BCFP File No. 2017-1906-02.”

The report must include, to the extent possible:

The date, estimated date, or estimated date range when the Covered Incident occurred;

A description of the facts relating to the Covered Incident, including the causes and scope of the Covered Incident, if known;

A description of each type of information that triggered the notification obligation to the U.S. federal, state, or local government entity;

The number of consumers whose information triggered the notification obligation to the U.S. federal, state, or local government entity;

The acts that Defendant has taken to date to remediate the Covered Incident and protect Personal Information from further exposure or access, and, if applicable, to protect affected individuals from identity theft or other harm that may result from the Covered Incident; and

A representative copy of each materially different notice required by U.S. federal, state, or local law or regulation and sent by Defendant to consumers or to any U.S. federal, state, or local government entity.

No more than thirty days after every calendar quarter, Defendant must provide Defendant’s board of directors or relevant subcommittee thereof, or equivalent governing body or, if no such board or equivalent governing body exists, to a senior officer of Defendant responsible for Defendant’s Information Security Program, a report summarizing all Covered Incidents that occurred in that calendar quarter.

Unless otherwise directed by a Bureau representative in writing, all Covered Incident reports to the Bureau pursuant to this Order must be emailed to the Bureau via secure email to Enforcement_Compliance@cfpb.gov or sent by overnight courier (not the U.S. Postal Service) to Enforcement Director, Office of Enforcement, Bureau of Consumer Financial Protection, 1700 G Street NW, Washington, DC 20552. The subject line must begin, “Bureau of Consumer Financial Protection v. Equifax Inc., BCFP File No. 2017-1906-02.” Defendant must notify the Bureau of any portions of the Covered Incident Report containing trade secrets, commercial or financial information, or information about a consumer or other third party, for which confidential treatment is requested pursuant to the Bureau’s procedures concerning public disclosure set forth in 12 U.S.C. § 5512(c)(6)(A) and 12 C.F.R. § 1070.20 (2018).

Defendant must, through an independent third party that will be subject to appointment and oversight by the MDL Court, offer all Affected Consumers four (4) years of a free three-bureau credit monitoring and identity theft protection product, including $1 million in identity theft insurance and Full Service Identity Restoration, as described in the attached Exhibit A (the “Product”).

The Product shall be offered, provided, and maintained by an independent third party, and shall not be directly provided to any Affected Consumer by Defendant, Defendant’s successors or assigns, or any subsidiary, affiliate, or joint venture of Defendant. Defendant shall not receive any monetary benefit from the Product.

Affected Consumers may file a claim to enroll in the Product at any time during the Initial Claims Period, as described in the Claims Administration Protocol.

Defendant shall, through the independent third party provider of the Product, provide activation codes for enrollment in the Product to Affected Consumers who file a valid claim for the Product. Activation codes shall be sent no later than forty-five (45) days after either the Class Action Effective Date or the conclusion of the Initial Claims Period, whichever is later. An Affected Consumer shall be eligible to enroll in the Product for a period of at least ninety (90) days following receipt of an activation code.

To the extent the independent third party providing the Product assigns personal identification numbers (PINs) to Affected Consumers who made a claim to enroll in the Product, such PINs shall be randomized. As part of the enrollment process, Affected Consumers shall be authenticated using knowledge-based authentication questions, or other comparable authentication procedures. Authentication procedures shall be used any time an Affected Consumer requests a Consumer Report, if applicable, or to lock or unlock their Consumer Report through the Product.

As provided in Subsection XI.G.3, the period during which the Product shall be provided to Affected Consumers may be extended.

Defendant shall also offer Affected Consumers who file valid claims and enroll in the Product with a single-bureau credit monitoring service (“Single Bureau Monitoring”), as described in Exhibit A.

Defendant shall provide such Single Bureau Monitoring upon expiration of the Product, including any extensions thereof pursuant to Subsection XI.G.3, to Affected Consumers who enroll in the Product and file valid claims for Single Bureau Monitoring. Defendant shall provide Single Bureau Monitoring for the period of time necessary for the aggregate number of years of credit monitoring provided under Subsections VII.A, XI.G.3, and VII.B to equal ten (10) years.

Defendant shall offer Affected Consumers who were under the age of 18 as of May 13, 2017, additional years of Single Bureau Monitoring, as described in Exhibit A, necessary for the aggregate number of years of credit monitoring provided under Subsections VII.A, XI.G.3, and VII.B to equal eighteen (18) years.

For any Affected Consumer who does not make a claim to enroll in the Product and instead has or has concurrently obtained a credit monitoring or protection product, which he or she will have in place for a minimum of six (6) months, such Affected Consumer may receive One Hundred Twenty-Five Dollars ($125.00) in alternative compensation (“Alternative Reimbursement Compensation”) by submitting a claim for Alternative Reimbursement Compensation, as set forth in the Claims Administration Protocol.

Defendant shall, through an independent third party that will be subject to appointment and oversight by the MDL Court, offer all Affected Consumers, regardless of whether they have enrolled in the Product, seven (7) years of free identity restoration services, with the features described in Exhibit A (“Assisted Identity Restoration”).

Assisted Identity Restoration shall be offered, provided, and maintained by the independent third party that has been approved by a representative of the Bureau and that will be presented to the MDL Court for approval. Assisted Identity Restoration Services shall not be directly provided to any Affected Consumer by Defendant, Defendant’s successors or assigns, or any subsidiary, affiliate, or joint venture of Defendant. Defendant shall not receive any monetary benefit from Assisted Identity Restoration.

Any Affected Consumer may avail himself or herself of the free Assisted Identity Restoration, as described in Exhibit A, for seven (7) years from the Class Action Effective Date regardless of whether that Affected Consumer filed a claim to enroll in the Product during the Initial Claims Period.

Defendant shall provide all consumers, regardless of whether they are Affected Consumers, with an easily accessible process to place or remove security freezes or locks on their Personal Consumer Reports for free and without filing a claim for ten (10) years from either (1) the Effective Date of this Order or (2) the Class Action Effective Date, whichever shall occur first.

Defendant shall randomize PINs to Affected Consumers requesting a Personal Consumer Report, or lock or security freeze of a Personal Consumer Report.

Defendant, and all other persons acting at Defendant’s direction, shall not dissuade or seek to dissuade Affected Consumers from placing or choosing to place a security freeze. Should Defendant offer any standalone product or service as an alternative with substantially similar features as a security freeze, Defendant shall not seek to persuade Affected Consumers to choose the alternative product or service instead of a security freeze.

Defendant shall, for a period of seven (7) years beginning no later than December 31, 2019, provide to all U.S. consumers a clearly accessible process to obtain six (6) free copies during any 12-month period of their Personal Consumer Report, in addition to any free reports to which consumers are entitled under federal law, updated as of the time of request.

Defendant shall, for a period of ten (10) years from the Effective Date of this Order, develop and implement dispute handling procedures, including escalation to agents specially trained in fraud and a sufficient number of call center representatives to handle reasonably expected call volumes, for Affected Consumers who assert that information on their Personal Consumer Reports is inaccurate as a result of identity theft or fraud.

Equifax Inc., its successors and assigns, must deposit the amounts specified in Section XI.B below into the Consumer Fund for the purpose of providing restitution and redress to Affected Consumers, as required by this Section. All applicable taxes, duties, and similar charges due from the Consumer Fund shall be paid from the interest earned on the Consumer Fund.

Pursuant to Section XI, and as set forth in the Claims Administration Protocol, the Consumer Fund shall be used to pay or fund the following:

The cost of providing the Product, including Full Service Identity Restoration, as described in Subsection VII.A and Exhibit A, subject to the requirements of Subsection XI.E;

The cost of providing Assisted Identity Restoration, as described in Subsection VII.D and Exhibit A;

Reimbursements to Affected Consumers who file valid claims for Alternative Reimbursement Compensation, as described in Subsection VII.C;

Reimbursements to Affected Consumers who file valid claims for Out-of-Pocket Losses;

Costs and expenses of the Settlement Administrator, including but not limited to processing claims;

Costs and expenses of the Notice Provider, including but not limited to implementing and providing notice to Affected Consumers pursuant to the Notice Plan; and

Service awards, if any, to the Affected Consumers named as plaintiffs in the Multi-District Litigation in the amount approved by the MDL Court.

Such service awards are not being ordered by the Bureau. Nonetheless, the Bureau does not object to up to Two Hundred Fifty Thousand Dollars ($250,000) from the Consumer Fund being used to pay service awards to the named plaintiffs in the Multi-District Litigation. To the extent the MDL Court approves service awards in excess of $250,000, such amounts shall not be paid from the funds deposited into the Consumer Fund pursuant to Section XI.B and shall be paid solely by the Defendant.

Subject to Subsection XI.G, payments from the Consumer Fund shall be subject to the following limitations:

Any Affected Consumer may request the restitution and redress described in this Section as follows:

During the Initial Claims Period, Affected Consumers may file claims for (1) the Product, (2) Single Bureau Monitoring, (3) Alternative Reimbursement Compensation, and (4) reimbursement of Out-of-Pocket Losses;

During the Extended Claims Period, Affected Consumers may file claims for reimbursement for the following Out-of-Pocket Losses incurred during the Extended Claims Period, only if the Affected Consumer provides a certification that he or she has not obtained reimbursement for the claimed expense through other means:

Unreimbursed costs, expenses, losses, or charges incurred by an Affected Consumer as a result of identity theft or identity fraud, falsified tax returns, or other alleged misuse of an Affected Consumer’s Personal Information;

Time Compensation to an Affected Consumer, limited to time spent remedying fraud, identity theft, or other misuse of an Affected Consumer’s Personal Information that is fairly traceable to the Breach; and

Other miscellaneous expenses, incurred by an Affected Consumer related to remedying fraud, identity theft, or other misuse of an Affected Consumer’s Personal Information, such as notary, fax, postage, copying, mileage, and long-distance telephone charges.

An Affected Consumer may obtain up to an aggregate maximum amount of $20,000 in Out-of-Pocket Losses.

Time Compensation, a subcategory of Out-of-Pocket Losses, shall be subject to the following provisions:

Affected Consumers who spent or spend time (1) taking Preventative Measures or (2) remedying fraud, identity theft, or other alleged misuse of the Affected Consumer’s Personal Information fairly traceable to the Breach may seek reimbursement for their time.

Subject to Subsection IX.C.5, Time Compensation shall be paid at a rate of $25 per hour, reimbursable in 15-minute increments, with a minimum reimbursement of 1 hour per valid claim for Time Compensation.

Affected Consumers may submit a claim for up to 10 hours of Time Compensation, provided they certify (i) to taking Preventative Measures and/or remedying fraud, identity theft, or other alleged misuse of the Affected Consumer’s Personal Information fairly traceable to the Breach, and (ii) an explanation of the time they spent taking Preventative Measures or remedying fraud, identity theft, or other alleged misuse of their Personal Information.

Affected Consumers may submit a claim for up to 20 hours of Time Compensation, provided they spent time remedying fraud, identity theft, or other alleged misuse of the Affected Consumer’s Personal Information fairly traceable to the Breach, and provide (i) reasonable documentation (as defined in the Claims Administration Protocol) of the fraud, identity theft, or other alleged misuse of the Affected Consumer’s Personal Information fairly traceable to the Breach and (ii) describe the time spent remedying these issues or time spent taking Preventative Measures in response to these issues.

No more than Thirty-One Million Dollars ($31,000,000) shall be paid as Alternative Reimbursement Compensation for valid claims filed during the Initial Claims Period (the “Alternative Reimbursement Compensation Cap”). To the extent valid claims for Alternative Reimbursement Compensation made during the Initial Claims Period exceed the Alternative Reimbursement Compensation Cap, payments for such valid claims shall be reduced on a pro rata basis. At the conclusion of the Extended Claims Period, after all payments required by Subsection IX.B have been made, if there are remaining unused funds in the Consumer Fund, the Alternative Reimbursement Compensation Cap shall be lifted, and payments to Affected Consumers who filed valid claims for Alternative Reimbursement Compensation shall be increased on a pro rata basis, up to the full amount of the valid claim, as set forth in Section XI.G.1 below.

No more than Thirty-One Million Dollars ($31,000,000) shall be paid as Time Compensation for valid Time Compensation claims made during the Initial Claims Period (the “Initial Time Compensation Cap”). To the extent valid claims for Time Compensation made during the Initial Claims Period exceed the Initial Time Compensation Cap, payments for such valid claims shall be reduced on a pro rata basis. Valid claims for Time Compensation made during the Extended Claims Period shall be paid in the order they are received and approved at the same pro rata rate (if applicable) as valid Time Compensation claims made during the Initial Claims Period. No more than Thirty-Eight Million Dollars ($38,000,000) in the aggregate shall be paid as Time Compensation for valid claims made during both the Initial Claims Period and Extended Claims Period (“Aggregate Time Compensation Cap”). At the conclusion of the Extended Claims Period, after payment of valid claims made during the Extended Claims Period, to the extent there are remaining unused funds in the Consumer Fund, the Aggregate Time Compensation Cap shall be lifted, and payments to all Affected Consumers who filed valid claims for Time Compensation shall be increased on a pro rata basis, up to the full amount of the valid claim, as set forth in Section XI.G.1 below.

The Notice Plan: Notice to Affected Consumers shall be provided pursuant to the Notice Plan. Defendant shall supply the Notice Provider with information in its possession, custody, or control, to the extent reasonably available, regarding the Affected Consumers to enable the Notice Provider to implement the Notice Plan.

The Claims Administration Protocol: Restitution and redress to Affected Consumers shall be administered from the Consumer Fund consistent with the Claims Administration Protocol. Defendant shall supply the Settlement Administrator with information in its possession, custody, or control, to the extent reasonably available, regarding the Affected Consumers to enable the Settlement Administrator to implement and administer the Claims Administration Protocol.

Defendant must notify the Bureau of any requested modifications to the Notice Plan or Claims Administration Protocol, including any change of the Notice Provider or Settlement Administrator, and any such modification requested by the Defendant must be approved by a designated representative of the Bureau, with such approval not unreasonably withheld, and shall also require approval from the MDL Court.

In connection with the administration of the Consumer Fund overseen by the MDL Court:

The Bureau may send a request for information regarding compliance with the Notice Plan, the claims process, and proper administration of the Consumer Fund, and any request will include all parties to the Class Action Settlement and the Commission. Discussion and fulfillment of responses to a request from the Bureau will be made consistent with the Claims Administration Protocol;

The Defendant shall provide to the Bureau the weekly reports prepared by the Settlement Administrator pursuant to the Multi-District Litigation that summarize information related to claims administration;

The Defendant shall provide to the Bureau copies of any reports submitted to the Federal Trade Commission under the FTC Order; and

The information provided to the Bureau described in this Section X.D shall be treated as confidential pursuant to 12 C.F.R. §1070 (2018) until at least the Class Action Effective Date.

Following the Class Action Effective Date, upon written request by the Bureau, Defendant shall provide the following information, if available, in accordance with instructions provided by a representative of the Bureau to Defendant.

The number of unique clicks on the hyperlink for the Settlement Website from the homepage of Defendant’s primary, consumer-facing website, www.equifax.com;

The number of unique clicks on the hyperlink for the Settlement Website from Defendant’s incident website, www.equifaxsecurity2017.com;

The number of viewers who reached the Settlement Website through the notice methods as described in the Notice Plan, where such information can be obtained, including via email communication;

The number of Affected Consumers who filed a claim to enroll in the Product;

The number of Affected Consumers who completed enrollment in the Product;

The number and total dollar amount of claims filed by Affected Consumers under the identity theft insurance provided pursuant to the Product, and the total dollar figure and percentage of claims paid;

The number of Affected Consumers who filed a claim to enroll in the Single Bureau Monitoring;

The number of Affected Consumers who completed enrollment in the Single Bureau Monitoring;

The number of Affected Consumers who availed themselves of the Full Service Identity Restoration and Assisted Identity Restoration;

The number of Affected Consumers who filed claims for Out-of-Pocket Losses; the total amounts claimed for each subcategory of Out-of-Pocket Losses; the total amount disbursed from the Consumer Fund for each subcategory of Out-of-Pocket Losses, and the average number of days between the date of the claim and the date of disbursement;

The number of Affected Consumers who filed claims for Alternative Reimbursement Compensation; the total dollar amount of claims filed for Alternative Reimbursement Compensation; the total amount disbursed from the Consumer Fund for Alternative Reimbursement Compensation; and the average number of days between the date of the claim and the date of disbursement;

The number of consumer complaints received by the Settlement Administrator or the third party providing the Product, regarding (a) access to the Settlement Website, (b) enrollment in the Product, (c) the Product components, (d) identity theft, and (e) other complaints received by the Settlement Administrator relating to the provision of restitution and redress through the Consumer Fund, including the claims process. Defendant shall develop and implement a process to direct consumers that contact Defendant with issues related to the Class Action Settlement or the Consumer Fund to the Settlement Administrator and/or the Settlement Website;

The number of consumers who file a dispute or appeal with the Settlement Administrator regarding a denial of any claim; the number of appeals denied; the number of appeals approved; the average number of days between the date of the appeal and the appeal decision; and the average number of days between the appeal decision and disbursement, if applicable; and

Any annual reports submitted to the Federal Trade Commission pursuant to the FTC Order.    

Defendant shall also take the following additional measures to notify Affected Consumers of their ability to enroll in the Product and obtain the restitution and redress set forth in this Order using terms consistent with the approved Notice Plan by, no later than:

One day after filing of this Order:

Posting a hyperlink to the Settlement Website on the top portion of the landing page for Defendant’s primary, consumer-facing website, www.equifax.com, which shall state “Visit www.EquifaxBreachSettlement.com for information on the Equifax Data Breach Settlement” or “Equifax Data Breach Settlement,” until the expiration of the Initial Claims Period; and

Posting a hyperlink to the Settlement Website on Defendant’s incident website, www.equifaxsecurity2017.com, which shall state “Visit www.EquifaxBreachSettlement.com for information on the Equifax Data Breach Settlement” or “Equifax Data Breach Settlement,” until the expiration of the Extended Claims Period.

Seven (7) days of entry of an order permitting issuance of notice of the Class Action Settlement:

Issuing a press release, including a hyperlink to www.EquifaxBreachSettlement.com with information about the Product, the Consumer Fund, and the Settlement Website;

Posting a monthly Twitter notification via Defendant’s primary Twitter account, the text of which shall read “Visit www.EquifaxBreachSettlement.com for information on the Equifax Data Breach Settlement” until the expiration of the Initial Claims Period, and biannually thereafter until the expiration of the Extended Claims Period; and

Posting a monthly Facebook notification via Defendant’s primary Facebook account, the text of which shall read “Visit www.EquifaxBreachSettlement.com for information on the Equifax Data Breach Settlement” until the expiration of the Initial Claims Period, and biannually thereafter until the expiration of the Extended Claims Period.

To U.S. Consumers, issuing a press release seven (7) days after the relief described in Section VII.F becomes available, with information about the availability of six free copies of a U.S. consumer’s Personal Consumer Report during any twelve-month period for seven years, including a hyperlink to the webpage where consumers can request free Personal Consumer Reports.

Judgment in the amount of Four Hundred Twenty-Five Million Dollars ($425,000,000) is entered in favor of the Bureau against Defendant for the purpose of providing restitution and redress to Affected Consumers.

Equifax Inc., its successors and assigns, shall pay this judgment as follows:

No later than fifteen (15) days following the date this Order is filed, Equifax Inc. shall deposit into the Consumer Fund One Hundred Fifty Thousand Dollars ($150,000) to cover reasonable set-up costs of the Notice Provider;

No later than fifteen (15) days after the MDL Court enters an order permitting issuance of notice of class action settlement for the Class Action Settlement, Equifax Inc., its successors and assigns, shall deposit into the Consumer Fund Twenty-Five Million Dollars ($25,000,000) to cover reasonable costs and expenses of the Settlement Administrator and Notice Provider and set-up costs for the independent third-party providing the Product and Assisted Identity Restoration;

No later than fifteen (15) days following the Class Action Effective Date, Equifax Inc., its successors and assigns, shall deposit Three Hundred Million Dollars ($300,000,000) into the Consumer Fund, less any amounts paid pursuant to Sections XI.B.1 and XI.B.2, to be used for the purposes set forth in Sections VII and IX; and

Equifax Inc., its successors and assigns, shall make all payments into the Consumer Fund as required by Section XI.C, up to a maximum of One Hundred Twenty-Five Million Dollars ($125,000,000).

If at any time during the Initial Claims Period or the Extended Claims Period, there are insufficient funds in the Consumer Fund (or, if it has received a written notice of a Triggering Event as described below in Subsection XI.I, a fund administered by the Federal Trade Commission or its designee on behalf of the Federal Trade Commission, the Bureau, and the States’ Attorneys’ General) to pay valid claims pursuant to Section IX (a “Shortfall”), Equifax Inc., its successors and assigns, shall make additional payments into the Consumer Fund of up to One Hundred Twenty-Five Million Dollars ($125,000,000) for the purpose of paying Out-of-Pocket Losses.

Defendant shall notify the Enforcement Director within three (3) business days of when the Settlement Administrator notifies Defendant of a Shortfall, as set forth in the Claims Administration Protocol. This notification shall identify the amount needed to pay the Shortfall. Within fourteen (14) days of receiving written notice from the Settlement Administrator of a Shortfall, Equifax Inc., its successors and assigns, shall deposit money into the Consumer Fund in the amount necessary to cure the Shortfall.

Equifax Inc., its successors and assigns, is ordered to pay into the Consumer Fund (or, if it has received a written notice of a Triggering Event as described below in Subsection XI.I, a fund administered by the Federal Trade Commission or its designee on behalf of the Federal Trade Commission, the Bureau, and the States’ Attorneys’ General) additional amounts for purposes of providing restitution and redress to Affected Consumers, as follows:

If, at the end of the Initial Claims Period, more than 7 million Affected Consumers have enrolled in the Product, the following obligations apply:

If the total payments required under Subsections IX.B.2-7 and the cost of providing the Product to 7 million Affected Consumers (the “Costs”) are greater than or equal to Three Hundred Million Dollars ($300,000,000), Equifax Inc., its successors and assigns, shall pay into the Consumer Fund an amount equal to the cost of providing the Product to enrollees above 7 million (the “Additional Credit Monitoring Cost”);

If the Costs are less than $256,500,000 and the Additional Credit Monitoring Cost is greater than $43,500,000, Equifax Inc., its successors and assigns, shall pay into the Consumer Fund an amount equal to the Additional Credit Monitoring Cost less $43,500,000; and

If (i) the Costs are greater than or equal to $256,500,000, but less than $300,000,000 and (ii) the Costs plus the Additional Credit Monitoring Costs are greater than $300,000,000, Equifax Inc., its successors and assigns, shall pay into the Consumer Fund an amount equal to the Costs plus Additional Credit Monitoring Costs less $300,000,000.

If, during the Extended Claims Period, more than 7 million Affected Consumers have enrolled in the Product and either (i) the Costs are greater than or equal to $256,500,000 or (ii) the Additional Credit Monitoring Costs are greater than or equal to $43,500,000 then, on a monthly basis, Equifax Inc., its successors and assigns shall deposit any additional money into the Consumer Fund that would be required pursuant to the calculations in Subsection XI.E.1.a-c, less any amounts previously deposited pursuant to Subsection XI.E.1 or previously under this subsection.

An amount no less than $300 million, plus any amount deposited in the Consumer Fund pursuant to Subsections XI.C and XI.E, including all accumulated interest, must be used and administered as described in Subsections VII and IX for the exclusive benefit of Affected Consumers.

At the conclusion of the Extended Claims Period, the Settlement Administrator shall distribute or use any remaining funds as follows:

First, the Aggregate Time Compensation Cap and Alternative Reimbursement Compensation Cap, as described in Subsections IX.C.4-5, shall both be lifted (if applicable) and payments increased pro rata to Affected Consumers who submitted valid claims for Time Compensations and/or Alternative Reimbursement Compensation up to the full amounts of those claims; then

Second, to provide Assisted Identity Restoration to all Affected Consumers for up to an additional thirty-six (36) months in full-month increments; then

Third, to extend the duration of the Product to Affected Consumers enrolled in the Product until the funds in the Consumer Fund are exhausted.

The money deposited into the Consumer Fund and all accumulated interest shall be administered by the Settlement Administrator consistent with the Claims Administration Protocol.

If any of the following events (“Triggering Events”) should occur, the Bureau and the Federal Trade Commission may, in their sole discretion, jointly send Defendant a written notice of a Triggering Event:

A settlement agreement releasing settlement class action member claims in the Multi-District Litigation and a motion for an order permitting issuance of notice of the Class Action Settlement containing terms materially similar to those outlined in Sections VII, IX, X, and XI, and Exhibit A of this Order, is not submitted to the MDL Court within fourteen (14) days after the filing of this Order, provided however that the Defendant, the Bureau, or the Federal Trade Commission are not the cause of such failure;

The MDL Court declines to enter an order permitting issuance of notice of class action settlement for a settlement agreement releasing settlement class member claims in the Multi-District Litigation with terms materially similar to those outlined in Sections VII, IX, X, and XI, and Exhibit A of this Order and either (i) a modified settlement agreement releasing settlement class member claims is not submitted to the MDL Court within sixty (60) days; or (ii) a modified settlement agreement releasing settlement class member claims is submitted to the MDL Court without Defendant first obtaining approval from a representative of the Bureau, which approval shall not be unreasonably withheld, shall not be refused if the proposed modification is no less favorable to Affected Consumers than the terms of this Order, and shall be timely provided;

The MDL Court declines to enter a Final Approval Order for a settlement agreement releasing settlement class member claims in the Multi-District Litigation with terms materially similar to those outlined in Sections VII, IX, X, and XI, and Exhibit A of this Order and either (i) a modified settlement agreement releasing settlement class member claims is not submitted to the MDL Court within sixty (60) days; or (ii) a modified settlement agreement releasing settlement class member claims is submitted to the MDL Court without Defendant first obtaining approval from a representative of the Bureau, which approval shall not be unreasonably withheld, shall not be refused if the proposed modification is no less favorable to Affected Consumers than the terms of this Order, and shall be timely provided;

The MDL Court’s Final Approval Order is overturned on appeal and either (i) a modified settlement agreement releasing settlement class member claims is not submitted to the MDL Court within sixty (60) days; or (ii) a modified settlement agreement releasing settlement class member claims in the Multi-District Litigation is submitted to the MDL Court without Defendant first obtaining approval from a representative of the Bureau, which approval shall not be unreasonably withheld, shall not be refused if the proposed modification is no less favorable to Affected Consumers than the terms of this Order, and shall be timely provided; and

The MDL Court approves a modified settlement agreement other than the one approved by the Bureau releasing settlement class member claims in the Multi-District Litigation that interferes in any way with the Bureau’s ability to enforce this Order.

If one of the events described in Subsection XI.I.2-4 occurs as a result of an objection filed by the Bureau, the Commission, or the States’ Attorneys General in the MDL Court to either the Class Action Settlement or a modified settlement agreement releasing settlement class member claims in the Multi-District Litigation and such Class Action Settlement or modified settlement agreement contains terms materially similar to Sections VII, IX, X, and XI, and Exhibit A, such event shall not constitute a Triggering Event. If the Commission and the Bureau jointly send Defendant a written notice of a Triggering Event, Sections XI.I-L of this Order will not be construed in a way that interferes with the Multi-District Litigation.

Any modified settlement agreement submitted to the MDL Court pursuant to Subsections XI.I.2-4 shall contain terms that provide no less relief to Affected Consumers than set forth in this Order. If Defendant fails to comply with Subsections XI.B.1, XI.B.2, XI.B.3, or XI.B.4, and receives written notice of such failure, or if the Bureau and Federal Trade Commission send Defendant a written notice of a Triggering Event pursuant to XI.I, then the Bureau may move to enforce this Order. Defendant waives any objections to the Bureau’s motion to enforce the Order under the circumstances described in this paragraph. All other provisions of this Order shall remain in full force and effect, and the Bureau and Commission shall jointly notify Defendant in writing that the Notice Plan (to the extent it has not already been administered) and the Claims Administration Protocol will be administered under the supervision of the Federal Trade Commission on behalf of the Bureau, the Federal Trade Commission, and the States’ Attorneys General pursuant to Section XI of the FTC Order.

If Defendant fails to comply with Subsections XI.B.1, XI.B.2, XI.B.3, or XI.B.4, and receives a written notice of such failure, or Defendant receives a written notice of a Triggering Event as further described in Subsection XI.I, then Equifax Inc., its successors and assigns, shall pay the judgment as follows:

Within twenty one (21) days, deposit $300,000,000 plus any interest accumulated in the Consumer Fund attributed to any payment required pursuant to Section XI.B, less any payments that have already been disbursed by the Settlement Administrator, into a fund administered by the Federal Trade Commission or its designee on behalf of the Federal Trade Commission, the Bureau, and States’ Attorneys’ General to be used for consumer restitution and redress as set forth in this Order;

Make all payments required by Subsection XI.C up to a maximum of One Hundred Twenty-Five Million Dollars ($125,000,000) into such fund; and

Make all payments required by Subsection XI.E into such fund.

Under section 1055(c) of the CFPA, 12 U.S.C. § 5565(c), by reason of the violations of law described in the Complaint, and taking into account the factors in 12 U.S.C. § 5565(c)(3), Equifax Inc., its successors and assigns, must pay a civil money penalty of One Hundred Million Dollars ($100,000,000) to the Bureau (“Civil Money Penalty”). The penalty paid under this Order will be deposited in the Civil Penalty Fund of the Bureau as required by section 1017(d) of the CFPA, 12 U.S.C. § 5497(d).

Within 30 days of the Effective Date of this Order, Equifax Inc., its successors and assigns, must pay the civil money penalty by wire transfer to the Bureau or to the Bureau’s agent in compliance with the Bureau’s wiring instructions.

Defendant must treat the penalty paid under this Order as a penalty paid to the government for all purposes. Regardless of how the Bureau ultimately uses those funds, Defendant may not: