OKLAHOMA CITY (KFOR) – Oklahoma and a coalition of other attorneys general were able to obtain two multistate settlements with Experian concerning data breaches in 2012 and 2015.

Those data breaches compromised the personal information of millions of Americans.

The coalition also obtained a separate settlement with T-Mobile in connection with the 2015 Experian breach, which impacted 15 million people who submitted credit applications with T-Mobile.

Under the settlements, the companies have agreed to improve their data security practices and to pay the states more than $16 million. Oklahoma will receive a total of $219,888.28 from the settlements.

“We trust sensitive personal information to these companies. They have to protect our privacy and be accountable for breaches,” Oklahoma Attorney General John O’Connor said. “As a part of these settlements, these companies are required to take steps to improve their data security practices. I appreciate and applaud attorneys general from across the nation for joining together to protect all of us and our personal information.”

Under the settlement with Experian, the company agreed to strengthen its due diligence and data security practices going forward. Those include:

  • Prohibition against misrepresentations to its clients regarding the extent to which Experian protects the privacy and security of personal information;
  • Implementation of a comprehensive Information Security Program, incorporating zero-trust principles, regular executive-level reporting, and enhanced employee training;
  • Due diligence provisions requiring the company to properly vet acquisitions and evaluate data security concerns prior to integration;
  • Data minimization and disposal requirements, including specific efforts aimed at reducing use of Social Security numbers as identifiers; and
  • Specific security requirements, including with respect to encryption, segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, penetration testing, and risk assessments.

The settlement also requires Experian to offer 5 years of free credit monitoring services to affected consumers, as well as two free copies of their credit reports annually during that timeframe.

If you were a class member in the 2019 class action settlement, you are eligible to enroll in these extended credit monitoring services. Affected consumers can enroll in the 5-year extended credit monitoring services and find more information on eligibility here. The enrollment window will remain open for six months.

In a separate $2.43 million settlement, T-Mobile has agreed to detailed vendor management provisions designed to strengthen its vendor oversight going forward. Those include:

  • Implementation of a Vendor Risk Management Program;
  • Maintenance of a T-Mobile vendor contract inventory, including vendor criticality ratings based on the nature and type of information that the vendor receives or maintains;
  • Imposition of contractual data security requirements on T-Mobile’s vendors and sub-vendors, including related to segmentation, passwords, encryption keys, and patching;
  • Establishment of vendor assessment and monitoring mechanisms; and
  • Appropriate action in response to vendor non-compliance, up to contract termination.