Equifax Told to Pay Up Over Breach. Make them Do It.

By: Jann Swanson

Remember the Equifax data breach?  Maybe not, because it came hard on the heels of the Target data breach, and the one at Home Depot, and so on and on.  In this case you might get something more out of it than aggravation, but only if you take about two minutes to submit a claim under the settlement Equifax just agreed to. However, David Lazarus, writing in the Los Angeles Times, says the company is probably hoping you won't.

The intrusion into Equifax's massive base of personal credit data occurred in September 2017.  An estimated of 147 million people had some or all of their information, which might have included names, Social Security numbers, birth dates, addresses and some driver's license numbers, stolen by hackers through a flaw in a software program flaw in a tool designed to build web applications.  Consumers rushed to check credit reports, freeze credit files, change passwords and an unknown number suffered financial loss.

What made the inconvenience, stress, and loss more galling to many was that Equifax was aware of the intrusion into their database for at lease two months before announcing it.  Many consumers also noted that such information is acquired, held, and sold by Equifax and other consumer credit reporting companies without their permission.  They are, in effect, an unwilling product those companies are marketing.

The settlement reached between the company and Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories includes, according to the FTC, up to $425 million to help people affected by the breach.  Other sources report the settlement amount could reach as high as $700 million.

Lazarus says if you do the math, that comes down to $4.25 per person affected. He points out that's about enough to pick up an order of Chicken McNuggets for lunch.  Equifax puts the number much higher and we will get to the settlement numbers in a second, but Lazarus points out that the company is betting not many people will submit a claim.  

However, those who do, and as we said, it only takes a couple of minutes, are entitled to up to 10 years of free credit monitoring,  four years at Equifax and its two competitors, Experian and TransUnion along with $1 million in identity theft insurance, and six additional years of monitoring by Equifax along.  Consumers who are already paying for credit monitoring and agree to continue to do so for six additional months can receive $125 in cash instead.  

Additional compensation is available to those who can attest to spending time to protect their accounts from damage due to the breach and those who can document actual expenditures to do so or can provide identity theft losses.  All cash claims are capped at $20,000.

Equifax officials say such breaches are inevitable.  Chief Executive Mark Begor told CNBC that "companies are attacked every day. It's a war that, from our perspective, isn't going to end."

But Lazarus points out that companies don't have a lot of incentive to take action.  He points to the settlement also reached last week that will cost Facebook $5 billion for allowing Cambridge Analytica access to the data of 87 million users, saying that is about one month's revenue for the social media giant. He also notes that Richard Smith, Begor's predecessor who was in charge of Equifax when that breach occurred and was forced to resign because of it, has been given $20 million in stock bonuses, a $24 million pension, and health coverage for life.

But, there is some movement to reign in at least the credit reporting agencies.  The House Financial Services Committee reported out eight bills regarding their operation in July. Among them are bills that will ban the use of credit information in employment decisions, speed up the removal of adverse information, especially after a history of on-time payments; improve the process for consumers to resolve inaccuracies on their reports, and directing CFPB to set standards for federal oversight of credit scoring models. There is also a new law in California that permits consumers to request that a company delete any personal information it holds and opt out of the sale of that information.  Lazarus says corporations are lobbying Congress to pass a weaker federal law that would preempt such state regulations.

While we are waiting for someone to step up and protect us, we might as well make the effort to penalize the companies that don't.  If you were impacted by the Equifax misstep (and you can check that at the link below in about 10 seconds) you can submit a claim that will, at a minimum help protect you from the next corporate lapse.  You can initiate the claim at EquifaxBreachSettlement.com