Equifax doesn’t want you to get paid. And it’s likely you can’t get much at all. But you really, really oughta try.
Let’s go back. Almost two years ago to the day, Equifax, one of the three major consumer credit reporting companies in the U.S., announced a mistake of astounding proportions: A security breach had revealed the sensitive personal information of about 143 million Americans.
Social Security numbers, names, birthdates, addresses — through the middle of 2017, reams upon reams of data were simply available for outside actors to access. The cause of the breach? Equifax’s IT and security staff forgot to install a patch for its web portal architecture. Thousands of kids around the country patch Fortnite every week, but apparently, it’s much trickier for credit bureaus — more than four months went by before the company noticed “suspicious network traffic” and then realized it hadn’t applied the critical update.
The reaction from observers was fast and fierce. Ars Technica surmised it was the worst breach in history. Equifax’s response in light of the security breach was bungled, with one respected security expert calling their consumer outreach a “dumpster fire.” Senator Chuck Schumer deemed the incident “one of the most egregious examples of corporate malfeasance since Enron.” Over the course of a year, a huge class-action lawsuit began to build. Then came word that every consumer affected by the Equifax breach would be able to collect $125 or 10 years of free credit monitoring as a consolation. All you had to do was fill in a claim online after checking if your data was breached.
A $125 payout ain’t much, but I figured it was better than nothing.
Yet Equifax announced this week that everyone who filed a claim now must jump through additional hoops if they ever want to see that $125. You have to show proof that you already have some kind of credit monitoring in order to take the cash. Oh, also? Even if you do, it’s extremely likely that your payout will be much less than $125 because Equifax never planned for so many claimants. No wonder the Federal Trade Commission was urging people to give up on the cash.
Welcome to the darkest timeline, where you can’t even recoup dinner for two over the loss of personal information that could be used to victimize you in identity theft.
It may be tempting to throw up your hands, curse major agencies and corporations for having so many stupid digital vulnerabilities and stop caring — especially if you don’t know whether you have the credit monitoring necessary to qualify for the mythical $125. (Ironically enough, the sheer number of consumer data breaches in the last 10 years means that it’s likely that you got signed up for free credit monitoring somewhere along the line — check out these two databases, to be sure; you also may have credit monitoring through a bank or credit card.)
But if you bail, you’ll be missing out on even more cash (up to $250 more). That is, there’s a separate provision of the settlement that repays victims for “time spent” — e.g., freezing credit cards, researching what to do, talking to your bank on the phone, whatever. You can claim up to 20 hours, at $25 per hour, and the trick is that the first 10 hours only require “self-certification.” In other words, you have to sign that your testimony is truthful, but not provide documentation up front.
Will there be more hoops to jump through in the future? Probably. Yet there’s a strong argument for us, as consumers, to punish Equifax as much as possible. And simply agreeing to take free credit monitoring (from fellow credit bureau agency Experian, hilariously) isn’t much of a conclusion for victims, as Chi Chi Wu, an attorney at the National Consumer Law Center, told Wired. “I will repeat myself until I’m blue in the face: Credit monitoring isn’t worth it. It doesn’t prevent identity theft,” Wu explained. “And all of this money is going to Experian!”
Really, the whole fiasco shines a light on the broader, endless, quietly terrifying world of consumer data breaches. Earlier this year, Capital One was hacked, revealing 100 million users’ info to dark web predators. So was Facebook, with a security flaw exposing up to 540 million users’ info. Real estate giant First American Corporation let the info for a staggering 885 million users hang out, unsecured on the web, to be seen by anyone with basic digital infrastructure training. Last year, Marriott fell in deep, hot waters for putting up to 500 million customers at risk of identity theft. And Experian, tasked with giving all of us free monitoring in the Equifax case? Yeah, it accidently exposed 15 million users, too.
Lest you believe that these breaches were overblown, let me point you to “Collection #1,” a trove of 773 million emails and 22 million passwords, collected from 2,000 previous data breaches along with newly extracted info, that popped up on the dark web, ostensibly for sale. Not good!
Hence, again, the darkest timeline: We have 20 years of information on how and why consumer data is hacked or left vulnerable. Often, it’s the sloppiest, most uninformed type of mistake at the root — like, say, simply screwing up a system scan and forgetting to update via patch. And there appears to be little recourse, given that these firms are technically victims, too. Plus, the challenge of determining whether a company was negligent and calculating the actual monetary value of stolen info (and the damage it did for people) are still more art than science.
That makes it harder to create consistent checks and punishments, argues Josephine Wolff, a professor at the Rochester Institute of Technology, in a New York Times op-ed. “We do not know how to put a price on these types of losses of privacy, and that makes it harder to use legal or regulatory remedies to punish the companies that are responsible,” she wrote. “That, in turn, reduces the financial incentives for all companies to invest in securing user data.”
Given that, there’s a philosophical argument for trying to game the system and get some cash. Consider it your consumer duty, if you will, in the face of overwhelming apathy to your needs and your private information. There’s no guarantee any of it will work, or that we’ll get more than a shiny nickel each. But it’s a stand against a company making us do more work, unnecessarily, to try and recoup what we lost. It’s a stand against the government failing to address this existential threat to the online economy in two decades of digital innovation.
Meanwhile, Equifax appears to be doing great. Two execs “retired” in the aftermath of the 2017 breach, sure. But investor reports from 2018 show record profits and a sunny outlook for the company.
Of course they do!