Skip to content
Thoughtful, detailed coverage of everything Apple for 29 years
and the TidBITS Content Network for Apple professionals
US currency, crossed out

Image by PublicDomainPictures from Pixabay

20 comments

Equifax Cash Settlement Backtracking Leaves a Bad Taste

Last month, the Federal Trade Commission, in conjunction with the Consumer Financial Protection Board and all 50 US states, announced a settlement of up to $700 million with Equifax over that company’s 2017 data breach exposing personal information on 147 million Americans. This settlement was different from some previous ones, where the main benefit to victims—if there was any at all—was free credit monitoring. In this case, victims could opt for a cash payment of up to $125 instead of credit monitoring and could apply for additional financial restitution for time wasted dealing with Equifax’s negligence. The FTC said the settlement included up to $425 million to help those affected by the breach.

Unsurprisingly, this was big news, and we in the media responded by publicizing the heck out of it (see “You May Be Entitled to $125 or More in the Equifax Breach Settlement,” 26 July 2019). People responded, with millions signing up for their cash payments: $125 if you already had credit monitoring and $25 per hour for up to 20 hours that you spent dealing with the breach, plus coverage of your out-of-pocket losses up to $20,000. Sounds good, right? Finally, the people who are actually harmed in a data breach are recompensed for their trouble!

That was when the fine print got big. It turns out that the actual settlement caps the $125 alternative reimbursement payments at $31 million, and it caps the claims for lost time at another $31 million. In both cases, if the claims exceed the cap, all payments will be reduced on a prorated basis. So much for that $425 million number.

Within a few days, Robert Schoshinski, Assistant Director in the Division of Privacy and Identity Protection at the FTC, was bluntly encouraging everyone to take the free credit monitoring instead of the payments because millions of people had already signed up for the cash. The FTC also updated the FAQ in its informational page about the settlement to clarify the payment caps and the likelihood that you’d get much less than was promised.

That may be the reality of the situation, but it leaves a bad taste in the mouth for a variety of reasons.

Denial Isn’t Just a River in Egypt

Back in 2017, Equifax’s then-CEO, Richard Smith, apologized in an op-ed in USA Today. But apparently, once such an apology has been published (and the CEO who made it has been sent packing along with the chief information officer and chief information security officer), the company can negotiate a different reality.

The breach settlement site now says:

Equifax denies any wrongdoing, and no judgment or finding of wrongdoing has been made.

It grates to have Equifax—whose negligence resulted in information about 147 million Americans being exposed to criminals—pretending that it did nothing wrong. If it had done everything right, the breach never would have happened in the first place. Hackers are not an “act of god” equivalent to an earthquake or tornado. Equifax should be saying:

We messed up. We manage a vast amount of confidential, potentially damaging information about nearly all Americans, and we failed to protect it. For that, and for any inconvenience, emotional distress, or financial hardship that our negligence caused, we are truly sorry. Here’s how we’re going to make it up to you.

Making the bad taste worse is the fact that those Equifax executives got to “retire” (rather than being fired), which means that they’ll keep their unvested stock compensation. For ex-CEO Richard Smith, that was worth over $90 million.

Fines and Restitution

In the law, there is a difference between a fine and restitution. Fines go to the government prosecuting the crime, whereas restitution goes to the victims of the crime. Since we’re talking about a settlement in which Equifax gets to deny all wrongdoing, there’s apparently no crime in play. Regardless, the settlement includes both. The fines include $175 million to the states and $100 million to the Consumer Financial Protection Bureau, and the restitution is the $425 million directed to repay consumers.

Many of us are angry with the FTC’s settlement because the $31 million caps mean that the initial promise that consumers could get significant cash damages has proven to be false. The FTC should have known that the mere existence of firms like Credit Karma shows the monetary value of credit monitoring to consumers to be $0. Plus, although the credit monitoring also provides identity theft insurance and identity restoration services, Credit Karma suggests that those are not generally worth purchasing on your own. (Happily, Equifax will have to pay other companies to provide these services and can’t benefit in any way from them. So at least the fox’s failure to guard the henhouse isn’t being punished with a chicken dinner.)

The massive interest in those payments shows that the FTC utterly underestimated what consumers actually want in compensation. Perhaps the FTC will adjust its formula the next time this happens, but for now, we just have to swallow our bitter medicine.

We Are the Sausage

The final sour aspect of this situation is the fact that most people never asked to do business with Equifax. We’ve all become concerned about the spread of our personal information and how it can be used against us, but collecting and sharing data about us is Equifax’s core business (as it is for competitors Experian and TransUnion too).

At least the likes of Google and Facebook provide us with services we choose to use in exchange for our data. In comparison, the credit reporting agencies sell our data to other companies with whom we want to do business. They couldn’t care less about us because we’re just raw materials to them. It’s easy to find examples (Equifax, Experian, TransUnion) of them being sued for failing to remove incorrect information, concealing charges, and other violations of the Fair Credit Reporting Act. Dealing with pesky consumers is just a cost of doing business.

As the saying goes, if you’re not paying for it, you’re not the customer; you’re the product being sold. And if we’re not customers, there’s certainly no need for customer service.

Of course, the final reason the Equifax breach settlement leaves a bad taste in the mouth is that there’s nothing we can do about any of this other than letting the FTC know that we’re unhappy with how things worked out. Perhaps leave a comment on the agency’s blog post. I can’t see it making any difference, but it might make you feel a little better.

Subscribe today so you don’t miss any TidBITS articles!

Every week you’ll get tech tips, in-depth reviews, and insightful news analysis for discerning Apple users. For 29 years, we’ve published professional, member-supported tech journalism that makes you smarter.

Registration confirmation will be emailed to you.

Comments About Equifax Cash Settlement Backtracking Leaves a Bad Taste

Notable Replies

  1. Excellent article. I’m in the process of composing a comment for the FTC’s page, and I’m also going to write to my US Senator and US Representative. While they likely can’t do anything about this settlement, they need to be pushed to work on laws to safeguard, and compensate, all of us in the future.

  2. This might be totally loopy, I am no doubt clueless when it comes to legal matters. But maybe somebody more versed in the law could comment if consumers could get anywhere suing the FTC. Could a case be made that the FTC negotiated in bad faith and put Equifax’s business interests before those of affected citizens thus neglecting their oversight mandate?

  3. According to FAQ 24, you can exclude yourself from the settlement and presumably then sue Equifax directly.

    And FAQ 25 explains how to tell the court that you don’t like the settlement. Looks complicated.

    https://www.equifaxbreachsettlement.com/faq

  4. I don’t know how these credit bureaus get paid but I’d like to think it is based on companies using them to check people’s credit report. If so, they lose. I’ve frozen my credit report with all three credit bureaus and have chosen to live with whatever credit I already have.

    If I absolutely MUST go through a credit check (mortgage, car purchase), I can temporarily unfreeze my credit report. But I will avoid this as much as possible.

    Maybe we all should do this—at least for a time. And screw the credit bureaus in the process. As if… I doubt Americans can break themselves of the credit habit. But it’s a nice thought. Imagine what would happen if, all in one fell swoop, 150 million consumers froze their credit reports over the course of a few weeks.

  5. blm

    Objecting isn’t that complicated. First, steps 8-14 are if you’re represented by an attorney, which most people won’t be (and if you are, have the attorney do it :slight_smile: ). Steps 1-3 are trivial. For step 4 you should be able to follow FAQ 5. Step 5 is why you’re objecting, which presumably you know if you’ve decided to object. Step 6 is probably “None” (and an interesting question, weeding out serial objectors?). Step 7 is probably “No”, but if it’s “Yes”, it seems fairly straightforward what you have to tell them.

    Note that I’m not an attorney, and I may be completely misinterpreting the FAQ, so if you’d like to object, make sure you read FAQ 25 carefully and understand what it’s asking for. Also remember that if you object you’re going on record in an actual court case.

  6. Thank you for this article. Is there any reason to believe that credit monitoring provided as a result of this settlement is superior to that provided by Credit Karma?

    I’m having some trouble with the numbers.
    $700M total settlement
    $175M to states
    $100M to CFPB
    $425M to consumers
    so far, so good, but
    $ 31M reimbursement payments
    $ 31M lost time payments
    $363M unaccounted for

    “The FTC said the settlement included up to $425 million to help those affected by the breach.” If the remaining $363M is to help those affected by the breach, how? Is it to pay lawyers’ fees? If so, the lawyers are getting paid more than 10 times the amount identified for reimbursement payments.

    (As an aside, apparently this forum’s software does not like white space. That table looked a lot prettier in the composition pane than in the preview pane.)

    I have seen a suggestion for a class-action lawsuit against the lawyers who nominally worked for the affected citizens in this class-action lawsuit. If that $363M is for the lawyers, such a suit makes even more sense.

    As I understand it, your assumption about the income of the credit bureaus is correct. While I applaud your sentiment, I question your apparent explanation. If you are living with whatever credit you have, how does freezing your credit reports hurt the credit reporting agencies? Freezing your credit reports is almost certainly a good thing, but it’s your decision to refrain from applying for new credit (also a good thing) that deprives them of business. In any case, it sounds like you have made two good decisions.

  7. The credit monitoring is provided by Experian, for what that’s worth. And as I said in the article, you do get free identity theft insurance, which could have some value, although that Credit Karma article I linked to suggested that it’s generally not worth purchasing on your own. So, up to you.

    The $31 million numbers come out of the $425. And the numbers don’t quite add up with what you see in some places because the $425 million is a maximum and the minimum is, I believe, $380,500. It has to do with how many claimants there are and when the claims come in. I thought about saying something, but it seems largely irrelevant to the topic at hand.

    I’m not quite sure what you tried to do, but you can always make something preformatted text with the </> button in the composer’s toolbar (or just surround the text with backticks). That’s for a single line; for multiple lines, use the Markdown approach of prefixing each line with four spaces. In general, Discourse provides a LOT of formatting options compared to most online discussion forums.

    I don’t think the lawyers’ fees are ever spelled out. The Findings say:

    Defendant waives any claim that it may have under the Equal Access to Justice Act, 28 U.S.C. § 2412, concerning the prosecution of this action through the date of this Order, and agrees to bear its own costs and attorneys’ fees.

  8. The two are inter-related, at least in my experience. When one freezes one’s credit, one tends to think twice about the hassle involved in applying for credit thereafter. Not only do you need to fill out the credit application but you also have to unfreeze your credit report. In my case, that has reduced the number of gratuitous credit offers I have responded to down to zero, has made me decide that I probably don’t need an Apple Card, etc.

    My point is that if 150 million people did the same, I would imagine there would be a lot fewer people applying for a lot fewer credit cards, if not fewer car loans and mortgage loans—because there would now be an aversive stimulus attached to applying for credit (namely the hassle of temporarily unfreezing your credit). Or maybe they’d just got the easy route and throw in the towel the first time they had to temporarily unfreeze their credit and simply unfreeze it in perpetuity.

  9. I composed my response in BBEdit, including tabs. The tabs were apparently replaced by a space if in a line and deleted completely if at the start of a line.

    It’s good to know the tools are there. Thanks for letting me know that looking for them might be profitable. (Now if I can just remember that the next time I need them…)

    But those are Equifax’s attorneys’ fees. The lawyers who brought the class-action suit are surely getting some money, and I wonder if that is some or all of the missing $363M.

    Excellent point. And a keen insight into human nature.

  10. Yeah, don’t do that. :slight_smile: Tabs seldom work in Web-based forms—spaces are the way to go. Discourse’s composer even autosaves and remembers what you’ve typed if you accidentally close and reopen the page. So there’s no real win in writing outside of Discourse and pasting in.

    This article (which I didn’t read in full because of the need to register) suggests that there are $77.5 million in attorneys’ fees.

  11. AAA does, too. How many of these should I sign up for? (It’s a serious question.)

  12. Quoted for emphasis.

  13. I don’t know how these credit bureaus get paid but I’d like to think it is based on companies using them to check people’s credit report.

    Selling historical data about the whether or not individuals pay their bills on time, how and what they borrowed, and how or how not they tend to pay them, is just one revenue stream. From all the records they accumulate, credit bureaus also analyze information on how people spend money, and they compile trend reports for big bucks. They also get paid from financial services that provide them as a free benefit to customers.

    so, they lose. I’ve frozen my credit report with all three credit bureaus and have chosen to live with whatever credit I already have.

    Freezing your credit means the credit bureau can’t let other people than the companies you have credit with see what’s just on that particular report. For example, if Goldman Sachs wants to target people that own silver, gold or black credit cards to send them information about the new Apple credit card, they can do so because they are not divulging specific financial information, social security information, just a name and address that’s in the public domain.

    A really good examples of how financial bureaus’ information was used for nefarious purposes is Ryan Gosling’s explanation of tranches in “The Big Short,” which is an excellent, multi-award winning movie (warning - x-rated language):

    https://www.youtube.com/watch?v=xbiDrzTd8fE

    Regarding security, check out how incredibly simple and easy it was for two brilliant but dorky bros to access critical financial info gleaned from credit bureau reports that they literally found in a lobby in an office building (just some bad language):

    https://www.youtube.com/watch?v=Qo1OSqBQYmk

    And Steve Carrell grilling Morgan Stanley’s rating agency on how and why they interpreted and presented data supplied by credit bureaus (lots and lots of x-rated words):

    https://www.youtube.com/watch?v=mwdo17GT6sg

    Margo Robbie on subprime mortages (more bad words):

    https://www.youtube.com/watch?v=anSPG0TPf84
  14. I don’t see why you shouldn’t sign up for all of them!

  15. Because the monitoring services themselves could experience a data breach?

  16. Did you mean Steve Carell?

  17. Yes, it is Steve, and IMHO, he should have gotten the Best Supporting Actor Oscar for the part. And Christian Bale for Best Actor.

  18. I just heard from another service offering free credit reporting: WalletHub.

    https://wallethub.com/

    Like CreditKarma, it looks like their business model is to present users with a variety of credit cards and other financial services, but regardless of whether you want or need such things, the credit reporting is free.

  19. One ray of hope is that this settlement isn’t a done deal yet. It’s only a proposed settlement. The judge still has to approve the details at a Fairness Hearing scheduled for December 19, 2019. Perhaps if enough people complain, the judge will instruct the FTC and Equifax to hammer out a better settlement.

Join the discussion in the TidBITS Discourse forum

Participants