Last month, the Federal Trade Commission, in conjunction with the Consumer Financial Protection Bureau and all 50 US states, announced a settlement of up to $700 million with Equifax over that company’s 2017 data breach exposing personal information on 147 million Americans. This settlement was different from some previous ones, where the main benefit to victims—if there was any at all—was free credit monitoring. In this case, victims could opt for a cash payment of up to $125 instead of credit monitoring and could apply for additional financial restitution for time wasted dealing with Equifax’s negligence. The FTC said the settlement included up to $425 million to help those affected by the breach.
Unsurprisingly, this was big news, and we in the media responded by publicizing the heck out of it (see “You May Be Entitled to $125 or More in the Equifax Breach Settlement,” 26 July 2019). People responded, with millions signing up for their cash payments: $125 if you already had credit monitoring and $25 per hour for up to 20 hours that you spent dealing with the breach, plus coverage of your out-of-pocket losses up to $20,000. Sounds good, right? Finally, the people who are actually harmed in a data breach are recompensed for their trouble!
That was when the fine print got big. It turns out that the actual settlement caps the $125 alternative reimbursement payments at $31 million, and it caps the claims for lost time at another $31 million. In both cases, if the claims exceed the cap, all payments will be reduced on a prorated basis. So much for that $425 million number.
Within a few days, Robert Schoshinski, Assistant Director in the Division of Privacy and Identity Protection at the FTC, was bluntly encouraging everyone to take the free credit monitoring instead of the payments because millions of people had already signed up for the cash. The FTC also updated the FAQ in its informational page about the settlement to clarify the payment caps and the likelihood that you’d get much less than was promised.
That may be the reality of the situation, but it leaves a bad taste in the mouth for a variety of reasons.
Denial Isn’t Just a River in Egypt
Back in 2017, Equifax’s then-CEO, Richard Smith, apologized in an op-ed in USA Today. But apparently, once such an apology has been published (and the CEO who made it has been sent packing along with the chief information officer and chief information security officer), the company can negotiate a different reality.
The breach settlement site now says:
“Equifax denies any wrongdoing, and no judgment or finding of wrongdoing has been made.”
It grates to have Equifax—whose negligence resulted in information about 147 million Americans being exposed to criminals—pretending that it did nothing wrong. If it had done everything right, the breach never would have happened in the first place. Hackers are not an “act of god” equivalent to an earthquake or tornado. Equifax should be saying:
“We messed up. We manage a vast amount of confidential, potentially damaging information about nearly all Americans, and we failed to protect it. For that, and for any inconvenience, emotional distress, or financial hardship that our negligence caused, we are truly sorry. Here’s how we’re going to make it up to you.”
Making the bad taste worse is the fact that those Equifax executives got to “retire” (rather than being fired), which means that they’ll keep their unvested stock compensation. For ex-CEO Richard Smith, that was worth over $90 million.
Fines and Restitution
In the law, there is a difference between a fine and restitution. Fines go to the government prosecuting the crime, whereas restitution goes to the victims of the crime. Since we’re talking about a settlement in which Equifax gets to deny all wrongdoing, there’s apparently no crime in play. Regardless, the settlement includes both. The fines include $175 million to the states and $100 million to the Consumer Financial Protection Bureau, and the restitution is the $425 million directed to repay consumers.
Many of us are angry with the FTC’s settlement because the $31 million caps mean that the initial promise that consumers could get significant cash damages has proven to be false. The FTC should have known that the mere existence of firms like Credit Karma shows the monetary value of credit monitoring to consumers to be $0. Plus, although the credit monitoring also provides identity theft insurance and identity restoration services, Credit Karma suggests that those are not generally worth purchasing on your own. (Happily, Equifax will have to pay other companies to provide these services and can’t benefit in any way from them. So at least the fox’s failure to guard the henhouse isn’t being punished with a chicken dinner.)
The massive interest in those payments shows that the FTC utterly underestimated what consumers actually want in compensation. Perhaps the FTC will adjust its formula the next time this happens, but for now, we just have to swallow our bitter medicine.
We Are the Sausage
The final sour aspect of this situation is the fact that most people never asked to do business with Equifax. We’ve all become concerned about the spread of our personal information and how it can be used against us, but collecting and sharing data about us is Equifax’s core business (as it is for competitors Experian and TransUnion too).
At least the likes of Google and Facebook provide us with services we choose to use in exchange for our data. In comparison, the credit reporting agencies sell our data to other companies with whom we want to do business. They couldn’t care less about us because we’re just raw materials to them. It’s easy to find examples (Equifax, Experian, TransUnion) of them being sued for failing to remove incorrect information, concealing charges, and other violations of the Fair Credit Reporting Act. Dealing with pesky consumers is just a cost of doing business.
As the saying goes, if you’re not paying for it, you’re not the customer; you’re the product being sold. And if we’re not customers, there’s certainly no need for customer service.
Of course, the final reason the Equifax breach settlement leaves a bad taste in the mouth is that there’s nothing we can do about any of this other than letting the FTC know that we’re unhappy with how things worked out. Perhaps leave a comment on the agency’s blog post. I can’t see it making any difference, but it might make you feel a little better.