Image by PublicDomainPictures from Pixabay
You May Be Entitled to $125 or More in the Equifax Breach Settlement
A couple of years ago, Equifax—one of the three major US credit rating agencies—acknowledged that it had suffered a security breach that exposed the private information of 147 million Americans, including Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. See our coverage in “You Can’t Protect Yourself from the Equifax Breach” (13 September 2017).
Equifax has now agreed to a $425 million settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and all 50 US states. (That’s just the amount directed to consumers—Equifax will separately pay another $175 million to the states and $100 million to the Consumer Financial Protection Bureau.) If you were affected by this breach—and chances are that you were—you’re entitled to either up to 10 years of credit monitoring or a $125 cash payment.
Most coverage has focused on the $125 amount, but as the FTC page clearly says and Jessamyn West emphasized on Twitter, you can claim up to 10 hours of compensation for dealing with the breach, at $25 per hour, without submitting any additional documentation, for a total payment of $375. You just have to describe what you did and the approximate dates you took those actions. If you have supporting documentation for things you had to do to deal with identity theft, fraud, or other misuse of your information, you can claim up to 20 hours, for a total of $625. And if you have unreimbursed losses or expenses due to the breach—such as fees paid to an attorney or accountant—you can apply to get up to $20,000 back.
If you choose a cash payment instead of credit monitoring, you’ll be asked to affirm that you already have credit monitoring. Credit Karma already offers this service for free, so you should take the cash.
We strongly recommend asking for every bit of compensation you’re owed. As Rich Mogull pointed out in his article, there’s no real way to protect yourself from the breach, and you could spend the rest of your life defending yourself from the fallout. $125 is a paltry settlement for that, and for that matter, so is $375.
Think about it: would you take $375 in cash in exchange for letting a stranger publish your name, address, and Social Security number in a list that would be acquired by criminals? Chances are, you never intended to do business with Equifax itself anyway—it compiled your information starting from the first time you applied for credit.
So as you fill out the form on Equifax’s breach settlement site, think carefully about how this breach might have wasted your time. Did you spend time:
- Worrying about the breach?
- Reading articles about the breach?
- Contacting credit bureaus to freeze your credit?
- Checking your credit report?
- Changing passwords?
- Monitoring bank statements?
Claim it all! And if you have supporting documentation for any other crap you had to do to mitigate Equifax’s negligence, claim that too—up to the 20-hour maximum. You have until 22 January 2020 to file a claim, so you have plenty of time to round up all the documents you need. And if Equifax denies your claim, at least you cost Equifax the time and money to process it.
I actually did experience some minor bank fraud earlier this year, which led to an extended project of getting a refund from the bank, tracking down the perpetrators, compiling dossiers on them, and reporting everything to the FBI. Needless to say, I claimed the entire 20 hours. I included my FBI report and documents from my bank, showing that it approved the reimbursement.
Also note that, by the terms of the settlement, you’re entitled to at least 7 years of identity restoration services. If your identity is stolen, call the settlement administrator at 833-759-2982 for instructions. Also, starting in 2020, everyone in the United States will be eligible for six free credit reports for 7 years from Equifax. You can sign up for email updates from the FTC to be notified of when that service is available.
Although Equifax had revenues of $3.41 billion in 2018, the company’s net income was just $299.8 million, so the $700 million settlement looks like it could hurt the company, unlike Facebook, whose $5 billion FTC fine was less than the company’s Q1 2019 profit.
Still, Equifax is on the hook for just $4.76 per person affected overall, which is ludicrously little, and worse, only $31 million of the $425 million for consumers is allocated to cash payments. If the claims exceed that amount, everyone’s payments will be reduced proportionally. In other words, most of the $425 million won’t cost Equifax hardly anything, since it will be in the form of free credit monitoring. Regardless, let’s make sure Equifax has to pay out that full $31 million by applying for cash payments whenever possible.
Sadly, the picture is far worse than you outline at the end of your post; according to the FAQ, there’s only $31 million allocated to the cash payments in lieu of credit monitoring. At $125 each, that only covers 248,000 people; if more request payment, the payment will be split proportionally. If all 147 million people signed up, we’d all get 21 cents each. (There’s additional breakouts listed in the FAQ outlining how the rest of the consumer-oriented money is going.)
Thanks! It’s annoying that wasn’t mentioned in the FTC information. I’ll update the article.
I have actually gotten a check for a penny, from a class action lawsuit.
Beat you there! My bank gave me less than 50¢ for a settlement, then I was assessed $1.50 for legal fees. A class action suit I didn’t ask to be a member of lost me almost $1.00.
Later, the judge did modify the amount the attorneys were paid, so at least the class members didn’t owe money.
I think the only worse settlement was a settlement on GMC trucks that were ruled to be dangerous and GM didn’t earn their customers or recall the vehicles. Class members got $500 off their next GMC truck.
That is why when I filled out the claims on the FTC website for my wife & myself, we went with the 10 years monitoring. At our ages, we may not have to worry after 10 years!
Oh, boy, oh, boy! Yes, I spent time dealing with Equifax and the other three credit reporting bureaus to freeze my credit reporting, I can… oh, wait, my freezes (with a couple of unfreezes and re-ups for brief periods) date from two years before the Equifax breach, when the US Official of Personnel Managerment shared my PII (and a lot more) with… someone. Guess I can’t ask for the $25 an hour after all.
I’ve been mulling over what would have been better penalties for Equifax:
The $31 million is for Time Spent and Out of Pocket losses, not the $125 in lieu of credit monitoring. The $125 payments come out of the bigger pot of $385 million. Still, that would only cover a small fraction of the 147 million people affected by the breach.
Sadly, that’s not accurate - question 10 of the FAQ specifically states that the $125 as an alternative to credit monitoring has a $31 million pool:
Chances are excellent most folks here who qualify and apply will get no money whatsoever:
“I would caution folks it’s not $125 free money,” said Charity Lacey, vice president of communications at the Identity Theft Resource Center. “You have to prove you have credit monitoring in place and it will be active for the next 6 months.”
From Josh’s original article:
Ah, you’re right. I didn’t see that there are the two $31-million pools.
Yup. Interestingly, I think this does have the likely effect that people that opt into Time Spent money are going to get closer to what the site states they’re owed - but how close it’ll actually wind up being, I have no idea
I figure that it’s worth going for the cash because the mere existence of Credit Karma shows that the value of credit monitoring is basically $0. I’ll be fascinated to see how much people really get next year when it’s all paid out, but it feels like Equifax isn’t paying very much in the end, at least per person affected.
USA Today: “Equifax data breach settlement: Why you won’t get $125”
The FTC is now telling Equifax’s victims to pick the free credit monitoring instead of the $125 because there isn’t enough money in the pool to pay the full $125 to all the claimants.
Frankly, I find this absolutely infuriating. There are 147 million victims and the FTC is letting Equifax get away with only paying $31 million—not even a dollar per person. It feels as though the FTC is acting as Equifax’s protector instead of its regulator.
Do what you think is best, but I still advise claiming as much money from Equifax as you can. It’s not about lining your own pockets but holding Equifax as accountable as possible for its negligence. The credit monitoring is worthless—it’s already provided for free by many institutions and it clearly doesn’t cost that much to implement on Equifax’s part given how little they’ve been allowed to set aside to fulfill it.
So do they expect us to re-file if we’ve already filled out the online form?
Remember, too, that between the time they discovered the breach and then disclosed it, Equifax purchased a credit monitoring company, apparently anticipating that they could recover some of the expense of any likely settlement by paying themselves for the cost of any monitoring they were forced to provide to their victims:
It must have been a busy few weeks for the poor Equifax executives, who were also busy defrauding yet more of the public by dumping their stock before their disclosures.
The FTC says you’ll be contacted and ask to prove that you have credit monitoring. Apparently, you can switch then. My guess, based on the tone of their blog post, is that the FTC will pressure victims to take the monitoring.
I’d forgotten that! Even more infuriating.
There’s a new (or maybe expanded) FAQ that covers this. Go to https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement and scroll down to FAQS. Items 5 and 6 are particularly pertinent.
In one of the FAQs, it’s stated that the three-bureau credit monitoring services for up to 4 years will be provided by Experian, not Equifax, so at least there’s that. It also includes insurance coverage for identity theft and fraud.
I was thinking that, too, until I read that FTC FAQ and saw that it also includes $1,000,000 of identity theft protection.
I don’t know the details of what that covers, but if it’s like other services it should help you cover expenses if your identity is stolen, which is significant, and that service isn’t free.
I hope, Dennis, that, eventually, we’ll get to the point where major ignorance will mean jail time for those in charge. Just like a doctor may go to jail if they’re fond responsible for major malpractice, a C-level IT pro should get jail time if their company experiences a massive data breach like Equifax or CapOne did.
Then again, as @jcenters mentioned, the FTC seemed more obliged to “save” Equifax than define a fine that actually benefits the victims of this breach. I don’t consider that surprising at all, what with our current government’s affinity to “business” in general, but it’s infuriating nonetheless.
As for claiming the monetary reimbursement, I wonder if it’s actually worth one’s time.
Although I originally started thinking about this when trying to decide whether to risk a parking ticket or driving around some more to find an empty spot, I’ve put a monetary value on my time.
In other words, an hour of my time is worth $X to me. If whatever value I get in return for an hour’s time, is not at least in the range of those $X, I’d rather go read a book, listen to some music — or write a post on TidBITS Talk.
Considering that, as @rufo mentioned, the payout could be just a handful of Dollars, I’m quite sure that I’d get more value out of signing up for identity theft protection. Even if that means less work for Equifax to handle my request.
When I told my husband about this, he said the only ones who make any money are the lawyers. Apparently, he is right.
Well, the only individuals to make any money will be the lawyers, although just in terms of how much money they’d make for working in general. I wonder how the states and the CFPB will use their combined $275 million. Oh, and Experian will make money on providing the credit reporting. Equifax pays the attorneys’ fees separately from the rest of the settlement:
If you requested money in lieu of credit monitoring, you likely have an email from Equifax demanding that you verify your existing credit monitoring or forfeit your cash settlement. FYI.
I got it on Sat. Responded yesterday. They mentioned about three times that the settlement reward could be substantially less than $125 depending on how many people file claims. It’s almost as if they’re trying to tell people “don’t even bother”.
True, but you also get a chance to ”amend your claim to request free credit monitoring instead of alternative compensation.”
Join the discussion in the TidBITS Discourse forum