Attorney General Lynn Fitch has announced that Mississippi has obtained two multi-state settlements with Experian and T-Mobile concerning data breaches experienced in 2012 and 2015 that compromised the personal information of millions of consumers nationwide.
Under the settlements, the companies have agreed to improve their data security practices and to pay the states a combined amount of more than $16 million. Mississippi will receive a total of $175,612.90 from the settlements.
The breach involved information associated with consumers who had applied for T-Mobile postpaid services and device financing between September 2013 and September 2015, including names, addresses, dates of birth, Social Security numbers, identification numbers, and related information used in T-Mobile’s own credit assessments. 89,046 Mississippians were impacted by the 2015 breach. Neither Experian’s consumer credit database, nor T-Mobile’s own systems, were compromised in the breach.
“Your identity is your most valuable possession,” Attorney General Lynn Fitch said. “My office will help to protect it. But we need companies to exercise vigilance as well. We are pleased that through these settlements, both Experian and T-Mobile have agreed to enhanced due diligence, vendor oversight, and data security practices.”
Under a $12.67 million settlement, Experian has agreed to strengthen its due diligence and data security practices going forward. Included are:
- Prohibition against misrepresentations to its clients regarding the extent to which Experian protects the privacy and security of personal information
- Implementation of a comprehensive Information Security Program, incorporating zero-trust principles, regular executive-level reporting, and enhanced employee training
- Due diligence provisions requiring the company to properly vet acquisitions and evaluate data security concerns prior to integration
- Data minimization and disposal requirements, including specific efforts aimed at reducing use of Social Security numbers as identifiers
- Specific security requirements, including with respect to encryption, segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, penetration testing, and risk assessments
The settlement also requires Experian to offer five years of free credit monitoring services to affected consumers, as well as two free copies of their credit reports annually during that timeframe.
In a separate $2.43 million settlement, T-Mobile has agreed to detailed vendor management provisions designed to strengthen its vendor oversight going forward. Those include:
- Implementation of a Vendor Risk Management Program
- Maintenance of a T-Mobile vendor contract inventory, including vendor criticality ratings based on the nature and type of information that the vendor receives or maintains
- Imposition of contractual data security requirements on T-Mobile’s vendors and sub-vendors, including requirements related to segmentation, passwords, encryption keys, and patching
- Establishment of vendor assessment and monitoring mechanisms
- Appropriate action in response to vendor non-compliance, up to contract termination