Last month, the Federal Trade Commission, in conjunction with the Consumer Financial Protection Board and the 50 U.S. states, announced a settlement of up to $ 700 million with Equifax over that company’s 2017 data breach exposing information out of 147 million Americans. This regulation was different from some previous ones, where the main benefit for victims – if there was one – was free credit monitoring. In this case, victims could opt for a cash payment of up to $ 125 instead of credit monitoring and could seek additional financial compensation for time lost in dealing with Equifax’s negligence. The FTC said the settlement provided up to $ 425 million to help those affected by the violation.
Unsurprisingly, this was big news, and we, the media, responded with the devil’s ad (see “You may be entitled to $ 125 or more as part of Equifax Breach Settlement», July 26, 2019). People responded, with millions signing up for their cash payments: $ 125 if you already had credit monitoring and $ 25 an hour for up to 20 hours that you spent on the breach, plus coverage for your direct losses up to $ 20,000. Sounds good, doesn’t it? Finally, the people who are genuinely harmed in a data breach are rewarded for their pain!
This is when the small print got big. Actually the actual settlement caps alternative payments of $ 125 to $ 31 million and time-loss claims at an additional $ 31 million. In either case, if the claims exceed the cap, all payments will be prorated. So much for that figure of $ 425 million.
Within days, Robert Schoshinski, deputy director of the privacy and identity protection division at the FTC, was downright encourage everyone to follow free credit monitoring instead of payments because millions of people had already signed up for the money. The FTC also updated the FAQ in its information page on the rules to clarify the payment limits and the likelihood that you will get much less than what was promised.
This might be the reality of the situation, but it leaves a bad taste in your mouth for a variety of reasons.
Denial is not just a river in Egypt
In 2017, Equifax CEO Richard Smith, apologized in a USA Today op-ed. But apparently once such an apology was released (and the CEO who made it was sent packing in the same way the information officer and the information security officer), the company can negotiate a different reality.
The violation resolution site now says:
Equifax denies any wrongdoing, and no judgment or finding of wrongdoing has been rendered.
It is annoying that Equifax, whose negligence obtained information about 147 million Americans exposed to criminals, claims they have done nothing wrong. If he had done everything right, the breach would never have happened in the first place. Pirates are not an “act of God” equivalent to an earthquake or a tornado. Equifax should say:
We messed up. We manage a large amount of confidential and potentially damaging information about almost all Americans, and we have failed to protect it. For this, and for any inconvenience, emotional distress or financial hardship caused by our negligence, we are truly sorry. Here’s how we’re going to make up for it.
The bad taste is compounded by the fact that these Equifax executives have to “retire” (rather than being fired), which means they will keep their unvested stock compensation. For ex-CEO Richard Smith, it was over $ 90 million.
Fines and restitution
In the law, there is a difference between a fine and a restitution. The fines go to the government that prosecutes the crime, while the restitution goes to the victims of the crime. Since we are talking about a settlement in which Equifax can deny any wrongdoing, there is apparently no crime involved. Either way, the settlement includes both. The fines include $ 175 million to states and $ 100 million to the Office of Consumer Financial Protection, and restitution matches the $ 425 million intended to reimburse consumers.
Many of us are angry with the FTC settlement because the $ 31 million caps mean the original promise that consumers could get significant damages has been proven wrong. The FTC should have known that the mere existence of companies like Credit Karma indicates that the monetary value of consumer credit monitoring is $ 0. Additionally, while credit monitoring also provides identity theft insurance and identity restoration services, Credit Karma suggests that these are usually not worth buying on your own. (Fortunately, Equifax will have to pay other companies to provide these services and will not be able to benefit from them under any circumstances. So, at least, the fox’s failure to keep the chicken coop isn’t punished by a chicken dinner.)
The massive interest in these payments shows that the FTC has totally underestimated what consumers actually want in compensation. Maybe the FTC will adjust their formula the next time this happens, but for now, we just have to swallow our bitter medicine.
We are the sausage
The last sour aspect of this situation is the fact that most people have never applied to do business with Equifax. We’ve all become concerned with the dissemination of our personal information and how it may be used against us, but collecting and sharing data about us is Equifax’s core business (as is also the case with competitors Experian and TransUnion).
At least Google and Facebook provide us with services that we choose to use in exchange for our data. In comparison, credit bureaus sell our data to other companies we want to do business with. They laugh at us because we are just raw materials for them. It is easy to find examples (Equifax, Experiential, TransUnion) of them being prosecuted for failing to remove incorrect information, cover up charges and other violations of the Fair Credit Reporting Act. Dealing with pesky consumers is just a cost of doing business.
As the saying okay, if you don’t pay for it, you’re not the customer; you are the product being sold. And if we are not customers, there is certainly no need for customer service.
Of course, the last reason the Equifax violation rule leaves a bad taste in our mouths is that there is nothing we can do about it other than letting the FTC know we’re upset. of the way things turned out. Perhaps leave a comment on the agency’s blog. I don’t see it making a difference, but it might make you feel a little better.