A couple of years ago, Equifax—one of the three major US credit rating agencies—acknowledged that it had suffered a security breach that exposed the private information of 147 million Americans, including Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. See our coverage in “You Can’t Protect Yourself from the Equifax Breach” (13 September 2017).
Equifax has now agreed to a $425 million settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and all 50 US states. (That’s just the amount directed to consumers—Equifax will separately pay another $175 million to the states and $100 million to the Consumer Financial Protection Bureau.) If you were affected by this breach—and chances are that you were—you’re entitled to either up to 10 years of credit monitoring or a $125 cash payment.
Most coverage has focused on the $125 amount, but as the FTC page clearly says and Jessamyn West emphasized on Twitter, you can claim up to 10 hours of compensation for dealing with the breach, at $25 per hour, without submitting any additional documentation, for a total payment of $375. You just have to describe what you did and the approximate dates you took those actions. If you have supporting documentation for things you had to do to deal with identity theft, fraud, or other misuse of your information, you can claim up to 20 hours, for a total of $625. And if you have unreimbursed losses or expenses due to the breach—such as fees paid to an attorney or accountant—you can apply to get up to $20,000 back.
If you choose a cash payment instead of credit monitoring, you’ll be asked to affirm that you already have credit monitoring. Credit Karma already offers this service for free, so you should take the cash.
We strongly recommend asking for every bit of compensation you’re owed. As Rich Mogull pointed out in his article, there’s no real way to protect yourself from the breach, and you could spend the rest of your life defending yourself from the fallout. $125 is a paltry settlement for that, and for that matter, so is $375.
Think about it: would you take $375 in cash in exchange for letting a stranger publish your name, address, and Social Security number in a list that would be acquired by criminals? Chances are, you never intended to do business with Equifax itself anyway—it compiled your information starting from the first time you applied for credit.
So as you fill out the form on Equifax’s breach settlement site, think carefully about how this breach might have wasted your time. Did you spend time:
- Worrying about the breach?
- Reading articles about the breach?
- Contacting credit bureaus to freeze your credit?
- Checking your credit report?
- Changing passwords?
- Monitoring bank statements?
Claim it all! And if you have supporting documentation for any other crap you had to do to mitigate Equifax’s negligence, claim that too—up to the 20-hour maximum. You have until 22 January 2020 to file a claim, so you have plenty of time to round up all the documents you need. And if Equifax denies your claim, at least you cost Equifax the time and money to process it.
I actually did experience some minor bank fraud earlier this year, which led to an extended project of getting a refund from the bank, tracking down the perpetrators, compiling dossiers on them, and reporting everything to the FBI. Needless to say, I claimed the entire 20 hours. I included my FBI report and documents from my bank, showing that it approved the reimbursement.
Also note that, by the terms of the settlement, you’re entitled to at least 7 years of identity restoration services. If your identity is stolen, call the settlement administrator at 833-759-2982 for instructions. Also, starting in 2020, everyone in the United States will be eligible for six free credit reports for 7 years from Equifax. You can sign up for email updates from the FTC to be notified of when that service is available.
Although Equifax had revenues of $3.41 billion in 2018, the company’s net income was just $299.8 million, so the $700 million settlement looks like it could hurt the company, unlike Facebook, whose $5 billion FTC fine was less than the company’s Q1 2019 profit.
Still, Equifax is on the hook for just $4.76 per person affected overall, which is ludicrously little, and worse, only $31 million of the $425 million for consumers is allocated to cash payments. If the claims exceed that amount, everyone’s payments will be reduced proportionally. In other words, most of the $425 million won’t cost Equifax hardly anything, since it will be in the form of free credit monitoring. Regardless, let’s make sure Equifax has to pay out that full $31 million by applying for cash payments whenever possible.