Equifax Victims Jump Through Hoops To Nab Settlement Money They Won't Get Anyway
from the dysfunction-junction dept
So we've noted that the FTC's settlement over the Equifax hack that exposed the public data of 147 million Americans is a bit of a joke. The FTC originally promised that impacted users would be able to nab 10 years of free credit reporting or a $125 cash payout if users already subscribed to a credit reporting service. But it didn't take long for the government to backtrack, claiming it was surprised by the number of victims interested in modest compensation, while admitting the settlement failed to set aside enough money to pay even 248,000 of the hack's 147 million victims.
This week, the Equifax Settlement Administrator sent out an email doubling down on the dysfunction, demanding that users who applied for their $125 prove they already have credit monitoring services. Users are being told they need to prove they subscribe to such services by October 15, or they won't get the money. Worse perhaps, the notice reiterates that even if you can prove you subscribe to credit monitoring services, you probably won't get anywhere near $125 because the settlement failed to set aside enough money to fulfill even a fraction of its promise:
"This latest email again reminds users that even if you can prove you have credit reporting already, you still may not get the full $125 thanks to the limitations of the settlement. In response to what it’s calling “overwhelming” demand, the FTC also urges those who submitted a claim for $125 switch to the free credit reporting offer instead."
One problem is that "free credit monitoring" is largely a useless perk. Such services are routinely doled out for free every time there's a major hack or privacy breach, which drop at a rate of around once a week now. Usually these services are included as a settlement freebie to make the settlement itself seem more substantive than it actually is. But the other major problem is that the FTC and its settlement partners gave the impression that users would at least get $125 for their troubles, set aside a tiny fraction of the money they'd need, then acted shocked when users signed up.
Most of the legal experts I've talked to about this say it would have been fairly easy to strike a more productive, less chaotic settlement. Instead of free credit reporting, the settlement could have simply requested victims have their credit reporting temporarily frozen (until needed), something which costs nothing. And while it still may have been underwhelming, the settlement also could have promised individual users a cash payout they could have actually met. The general consensus remains that the settlement, as structured, teeters somewhere between negligence and incompetence:
"James Grimmelmann, a professor of law at Cornell Tech and Cornell Law School told Motherboard the FTC’s failure to predict the public’s interest teeters toward negligence. “Even a single-digit percentage claim rate for this one would have exhausted the $31 million 50 times over,” he says. “It was negligent on the part of the FTC not to expect that more victims would choose the cash payment in a case this prominent and this egregious, instead of the worthless credit monitoring.”
Users can still apply for up to $20,000 in compensation if they can clearly prove the hack directly contributed to concrete harm like identity theft, but by and large the settlement is the poster child for meaningless privacy wrist slaps. Outside of bad press coverage, there's absolutely nothing here that would deter Equifax from future lax security and privacy practices, and consumers get little to compensate them for what is one of the biggest data breaches in American history. The FTC's primary function appears to have been to act as a PR proxy for Equifax's reputation, primarily by pretending the company had been held accountable via a "record" fine, inflated to appear far more meaningful than it actually is.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: class action, credit monitoring, ftc, settlement
Companies: equifax
Reader Comments
Subscribe: RSS
View by: Time | Thread
ROI
Even with this shoddy, undervalued settlement, wouldn't it be cheaper to secure their network, rather than undergo the embarrassment (and all the PR costs related to that) and eventual payout when they get hacked.
Given yesterday's article on Cyber-Insurance, how much of this settlement was controlled by their insurance company, rather than themselves?
[ link to this | view in chronology ]
Re: ROI
I agree with the general sentiment, but I don't think Equifax has really had to endure much in the way of PR costs.
Equifax's customers are not the people it harmed. Its stature as a major credit reporting agency has not changed. This is an externality.
[ link to this | view in chronology ]
Re: Re: ROI
I wonder how much information of those buying credit reports on individuals is kept in their database? I wonder how much of that information was exposed, but not reported? If I was buying credit reports from a company with such lousy network security, and was providing sensitive information to them, I would be very concerned.
By the same token, I wouldn't necessarily suspect that any of the other credit reporting agencies had any better security, and since the FTC let this one off so easily, we shouldn't expect any improvement any time soon. For any of them.
Now the problem is, which credit reporting agency is the least riskiest?
[ link to this | view in chronology ]
Re: Re: Re: ROI
Well, at least TransUnion has an agreement with CreditKarma that results in the potential for free credit monitoring on ALL their credit data.
This also means that it's probably even easier to steal that data from them, however. I see no evidence of 2FA being required to access data, and they don't have an annual privacy report.
[ link to this | view in chronology ]
Re: Re: Re: ROI
I think that's an excellent way of putting it.
[ link to this | view in chronology ]
I just got that email. Talk about a load of horseshit. Wish there was something I could do about it.
[ link to this | view in chronology ]
Re:
There are two things you can do:
Jump through the hoops. Doing so will cost Equifax twice the penalty, as the cost of creating and mailing you your check will be just as high as the amount you get.
[ link to this | view in chronology ]
Re: Re:
"Send a letter/fax to the FTC AND your federal representatives explaining how this personally impacts you and how it impacts your confidence in the office of the FTC AND your federal representatives who have not held the FTC nor Equifax responsible for this."
Not to sound cynical... okay, to sound cynical... but what good will this do? You're one person and collectively, maybe we're 1,000 or 10,000 people.
Our voices don't come close to matching the millions of lobbying dollars that companies like Equifax throw at the government.
Now, if someone in the FTC or Congress had their identity stolen by one of these data breaches and were personally affected, then it would become an issue.
[ link to this | view in chronology ]
Is CCPA required for Equifax?
Can I have Equifax remove my personal information from their system under CCPA? I mean, TransUnion and Experian can easily pick up the slack. I get that I'd have extra hoops to jump through if I did that, but heck... it'd almost be worth a sustained effort for people to request that they not use their information. Not much of a business if you don't have users!
[ link to this | view in chronology ]
Re: Is CCPA required for Equifax?
Probably not. Now I don't know much about CCPA, but Wikipedia says"
Besides, none of us ever signed up with any of the credit reporting agencies, but they have files on us anyway. All of the information they have is from other sources, and it is likely that we never gave any of them permission to create files on us, yet there they are.
The CCPA seems to require them to tell us what they have, that is if you are a California resident, and possibly make corrections. It would be interesting if they actually started to inform us of each and every request made each and every time a request is made. That might raise the cost of making a request to the point where the requester's might think twice about requesting.
[ link to this | view in chronology ]
Re: Re: Is CCPA required for Equifax?
Governments are complicit in these data breaches when they send personal information to, and receive it from, the credit rating agencies. For example, if you sign up with the local electric company and they check your credit, or if it's used for security checks.
It's almost certainly in the fine print somewhere. Forbidding this coerced "consent", and having government agencies cut ties, could do a lot to limit the power and harm of these credit bureaus. If politicians wanted to.
[ link to this | view in chronology ]
I propose we pay the FTC personnel $100k yearly or a rectal exam
Of course they are eligible for a paycheck only if they can present ocular proof that they have already been anally probed. And we set aside $1mil for all the agency's paychecks just to be on the safe side.
[ link to this | view in chronology ]
You seem to be suggesting that the government is in bed with corporations. That's just crazy.
[ link to this | view in chronology ]
Re:
The government would not be in bed with corporations: they are fighters of the pen. Or the sty. I don't remember which of those words applied to the British and which to the Americans.
[ link to this | view in chronology ]
Re:
REALLY??!!!
rally, really really?
Thankyou for the joke..Next time just get another job.
[ link to this | view in chronology ]
Re: of course they're not in bed together!
... they use a pair of sleeping bags zipped together.
[ link to this | view in chronology ]
Re: Re: of course they're not in bed together!
What does "together" even mean for conjoined twins sharing a brain?
[ link to this | view in chronology ]
Re: Re: Re: of course they're not in bed together!
A head ache??
[ link to this | view in chronology ]
$18,375,000,000
$31,000,000 for the 147,000,000 Affected...
Anyone want $4.74..
wonder WHO is doing the math, because this is about 3rd-4th grade..
[ link to this | view in chronology ]
Re:
Uhm you got the numerator and denominator backwards.
Each person affected gets 21cents
Even with bulk mailing discounts the letter and check costs more.
[ link to this | view in chronology ]
Re: Re:
ya got me...
Still wondering Who is doing the math..
Or..
Is the $32million the Fine, and we get what comes after...
And Eq. messed it up BIG TIME..
Who can trust a Credit agency, if they cant do the math??
[ link to this | view in chronology ]
??
Corporate socialism..
They get our money All the time to pay for Their mistakes..
[ link to this | view in chronology ]
At the time news of this hack broke, Equifax had purchased Veda, an Australian credit monitoring company. The hack news filled me with confidence that my personal details would be appropriately safeguarded.
And there's nothing you can do about it. If you refuse to submit to a credit check (and in doing so, consent to your details being sent to Equifax), you can't get a home loan or credit card. Even if you never take out a loan, there's a good chance there's a credit profile on you anyway, just waiting to be leaked.
[ link to this | view in chronology ]
Section 230 couldn't protect newspapers from Craigslist.
[ link to this | view in chronology ]
Equifax would rather spend it on the lawyers
People might get more of that $125 settlement, if Equifax wasn't spending $124.98 of it on a lawyer to see whether or not the claimant is really eligible.
But that's often the way that these awards go. Companies would rather give the money to the lawyers than to capitulate and give any of the money to people they wronged..
Odd that the lawyers don't complain.
[ link to this | view in chronology ]
Perhaps its time for those people to tell the settlement oficials to go fuck themselves and sue individually directly. A few hundred thousand lawsuits ought to stop this very clear fuckery.
[ link to this | view in chronology ]
Imagine That
I'm one of those that's affected and, knowing lawyers and knowing Equifuxyouover, I opted out of the settlement and will be suing them for about 1/2Mil and I'll settle for 125K.
[ link to this | view in chronology ]