Equifax Victims Jump Through Hoops To Nab Settlement Money They Won't Get Anyway

from the dysfunction-junction dept

So we’ve noted that the FTC’s settlement over the Equifax hack that exposed the public data of 147 million Americans is a bit of a joke. The FTC originally promised that impacted users would be able to nab 10 years of free credit reporting or a $125 cash payout if users already subscribed to a credit reporting service. But it didn’t take long for the government to backtrack, claiming it was surprised by the number of victims interested in modest compensation, while admitting the settlement failed to set aside enough money to pay even 248,000 of the hack’s 147 million victims.

This week, the Equifax Settlement Administrator sent out an email doubling down on the dysfunction, demanding that users who applied for their $125 prove they already have credit monitoring services. Users are being told they need to prove they subscribe to such services by October 15, or they won’t get the money. Worse perhaps, the notice reiterates that even if you can prove you subscribe to credit monitoring services, you probably won’t get anywhere near $125 because the settlement failed to set aside enough money to fulfill even a fraction of its promise:

“This latest email again reminds users that even if you can prove you have credit reporting already, you still may not get the full $125 thanks to the limitations of the settlement. In response to what it’s calling ‘overwhelming’ demand, the FTC also urges those who submitted a claim for $125 switch to the free credit reporting offer instead.”

One problem is that “free credit monitoring” is largely a useless perk. Such services are routinely doled out for free every time there’s a major hack or privacy breach, which drop at a rate of around once a week now. Usually these services are included as a settlement freebie to make the settlement itself seem more substantive than it actually is. But the other major problem is that the FTC and its settlement partners gave the impression that users would at least get $125 for their troubles, set aside a tiny fraction of the money they’d need, then acted shocked when users signed up.

Most of the legal experts I’ve talked to about this say it would have been fairly easy to strike a more productive, less chaotic settlement. Instead of free credit reporting, the settlement could have simply requested victims have their credit reporting temporarily frozen (until needed), something which costs nothing. And while it still may have been underwhelming, the settlement also could have promised individual users a cash payout they could have actually met. The general consensus remains that the settlement, as structured, teeters somewhere between negligence and incompetence:

“James Grimmelmann, a professor of law at Cornell Tech and Cornell Law School told Motherboard the FTC’s failure to predict the public’s interest teeters toward negligence. ‘Even a single-digit percentage claim rate for this one would have exhausted the $31 million 50 times over,’ he says. ‘It was negligent on the part of the FTC not to expect that more victims would choose the cash payment in a case this prominent and this egregious, instead of the worthless credit monitoring.’”

Users can still apply for up to $20,000 in compensation if they can clearly prove the hack directly contributed to concrete harm like identity theft, but by and large the settlement is the poster child for meaningless privacy wrist slaps. Outside of bad press coverage, there’s absolutely nothing here that would deter Equifax from future lax security and privacy practices, and consumers get little to compensate them for what is one of the biggest data breaches in American history. The FTC’s primary function appears to have been to act as a PR proxy for Equifax’s reputation, primarily by pretending the company had been held accountable via a “record” fine, inflated to appear far more meaningful than it actually is.

Companies: equifax

Comments on “Equifax Victims Jump Through Hoops To Nab Settlement Money They Won't Get Anyway”

Anonymous Anonymous Coward (profile) says:


Even with this shoddy, undervalued settlement, wouldn’t it be cheaper to secure their network, rather than undergo the embarrassment (and all the PR costs related to that) and eventual payout when they get hacked?

Given yesterday’s article on Cyber-Insurance, how much of this settlement was controlled by their insurance company, rather than themselves?

Anonymous Anonymous Coward (profile) says:

Re: Re: ROI

I wonder how much information of those buying credit reports on individuals is kept in their database? I wonder how much of that information was exposed, but not reported? If I was buying credit reports from a company with such lousy network security, and was providing sensitive information to them, I would be very concerned.

By the same token, I wouldn’t necessarily suspect that any of the other credit reporting agencies had any better security, and since the FTC let this one off so easily, we shouldn’t expect any improvement any time soon. For any of them.

Now the problem is, which credit reporting agency is the least risky?

Anonymous Coward says:

Re: Re: Re: ROI

Well, at least TransUnion has an agreement with CreditKarma that results in the potential for free credit monitoring on ALL their credit data.

This also means that it’s probably even easier to steal that data from them, however. I see no evidence of 2FA being required to access data, and they don’t have an annual privacy report.

Anonymous Coward says:

Re: Re:

There are two things you can do:

  1. Jump through the hoops. Doing so will cost Equifax twice the penalty, as the cost of creating and mailing you your check will be just as high as the amount you get.
  2. Send a letter/fax to the FTC AND your federal representatives explaining how this personally impacts you and how it impacts your confidence in the office of the FTC AND your federal representatives who have not held the FTC nor Equifax responsible for this.

John85851 (profile) says:

Re: Re: Re:

"Send a letter/fax to the FTC AND your federal representatives explaining how this personally impacts you and how it impacts your confidence in the office of the FTC AND your federal representatives who have not held the FTC nor Equifax responsible for this."

Not to sound cynical… okay, to sound cynical… but what good will this do? You’re one person and collectively, maybe we’re 1,000 or 10,000 people.
Our voices don’t come close to matching the millions of lobbying dollars that companies like Equifax throw at the government.

Now, if someone in the FTC or Congress had their identity stolen by one of these data breaches and were personally affected, then it would become an issue.

aerinai (profile) says:

Is CCPA required for Equifax?

Can I have Equifax remove my personal information from their system under CCPA? I mean, TransUnion and Experian can easily pick up the slack. I get that I’d have extra hoops to jump through if I did that, but heck… it’d almost be worth a sustained effort for people to request that they not use their information. Not much of a business if you don’t have users!

Anonymous Anonymous Coward (profile) says:

Re: Is CCPA required for Equifax?

"Can I have Equifax remove my personal information from their system under CCPA?"

Probably not. Now I don’t know much about CCPA, but Wikipedia says:

"Intentions of the Act. The intentions of the Act are to provide California residents with the right to: Know what personal data is being collected about them; Know whether their personal data is sold or disclosed and to whom."

Besides, none of us ever signed up with any of the credit reporting agencies, but they have files on us anyway. All of the information they have is from other sources, and it is likely that we never gave any of them permission to create files on us, yet there they are.

The CCPA seems to require them to tell us what they have, that is if you are a California resident, and possibly make corrections. It would be interesting if they actually started to inform us of each and every request made each and every time a request is made. That might raise the cost of making a request to the point where the requesters might think twice about requesting.

Anonymous Coward says:

Re: Re: Is CCPA required for Equifax?

Governments are complicit in these data breaches when they send personal information to, and receive it from, the credit rating agencies. For example, if you sign up with the local electric company and they check your credit, or if it’s used for security checks.

"All of the information they have is from other sources, and it is likely that we never gave any of them permission to create files on us"

It’s almost certainly in the fine print somewhere. Forbidding this coerced "consent", and having government agencies cut ties, could do a lot to limit the power and harm of these credit bureaus. If politicians wanted to.

Anonymous Coward says:

At the time news of this hack broke, Equifax had purchased Veda, an Australian credit monitoring company. The hack news filled me with confidence that my personal details would be appropriately safeguarded.

And there’s nothing you can do about it. If you refuse to submit to a credit check (and in doing so, consent to your details being sent to Equifax), you can’t get a home loan or credit card. Even if you never take out a loan, there’s a good chance there’s a credit profile on you anyway, just waiting to be leaked.

Coyne Tibbets (profile) says:

Equifax would rather spend it on the lawyers

People might get more of that $125 settlement, if Equifax wasn’t spending $124.98 of it on a lawyer to see whether or not the claimant is really eligible.

But that’s often the way that these awards go. Companies would rather give the money to the lawyers than to capitulate and give any of the money to people they wronged.

Odd that the lawyers don’t complain.
