Joseph Guglielmo (from left), Judge Thomas Thrash and Gary Lynch.

A federal judge in Atlanta gave final approval Thursday to a $7.75 million settlement—including $2 million in legal fees—to resolve claims against Equifax by hundreds of financial institutions. 

The settlement deal—which stems from a 2017 data breach—also includes a promise by Equifax to invest an additional $25 million over two years in enhanced data security measures tailored to financial institutions.

Chief Judge Thomas Thrash of the Northern District of Georgia approved the settlement from the bench during a Zoom hearing.

The Atlanta-based credit bureau’s settlement with financial institutions forced to absorb expenses associated with the data breach is separate from a $1.4 billion settlement Equifax reached last December with attorneys representing an estimated 147 million consumers whose personal and financial information was compromised after hackers burrowed into Equifax’s databases. That settlement also included $77.5 million in legal fees and more than $1.4 million in expenses for class lawyers. 

But payouts in the consumer settlement remain in limbo ten months after Thrash issued his final written order because a handful of litigants the judge has branded as “serial objectors” continue to challenge the arrangement on appeal. 

Equifax has set aside $5.5 million to pay up to $5,000 to each financial institution for costs associated with fraud losses or the theft of customers’ personal information. The fund will also pay as much as $4.50 for each payment card that generated an alert. It will also pay $1,500 to each of 21 financial institutions listed as plaintiffs in the multidistrict litigation.

Class lawyers said in briefs filed before Thursday’s hearing that similar settlements stemming from data breaches at Target and Home Depot have paid between $1.50 to $2 per alerted payment card.

Notices were sent to class members after Thrash gave his preliminary approval to the settlement terms last June. Financial institutions have until Dec. 31 to make a claim.

Early in the litigation, Thrash split hundreds of lawsuits generated by the data breach into two tracks—one for consumers and one for more than 2,900 U.S. financial institutions.  

The card alerts went out after those financial institutions, many of them credit unions, discovered that hackers also stole 209,000 credit and debit card numbers from the credit bureau’s databases.

Attorney Joseph Guglielmo of Scott+Scott in New York and Gary Lynch of Carlson Lynch in Pittsburgh are co-lead counsel for the plaintiff financial institutions. The Equifax settlement is the fourth major data breach settlement where Carlson Lynch and Scott+Scott have teamed up on behalf of financial institutions. Three previous data breach settlements with Home Depot, Eddie Bauer and Wendy’s were approved with no objections by class members.

On Thursday, Thrash also approved class lawyers’ request for $2 million in legal fees and about $278,000 in expenses that Equifax attorney Stewart Haskins, a partner at King & Spalding in Atlanta, confirmed that Equifax agreed to pay.

Thrash called the settlement “an excellent one,” particularly considering what he said were the risks of continued litigation.

“The fact there there were no objections from class members weighs in favor of approving the settlement,” he added.

He also called the legal fee request “appropriate.” 

“It’s been a long way since that telephone call asking me if I would accept this MDL case,” the judge concluded. “It’s not over yet. But we’ve made some progress.”