Lily Hay Newman
Last week, Equifax agreed to a $575 million—up to $700 million—settlement over its major 2017 data breach. It entitles affected consumers to free credit-monitoring offerings or a $125 payout, plus the potential for more cash back if you can document losses as a result of the incident. That’s not a ton of money compared to the value of your personal data, but there’s a more pressing problem: Are you actually going to get it at all?
The answer’s not as clear-cut as it should be, largely because those $125 disbursements are initially capped at $31 million. And though it’s still unclear exactly how many people filed so far, the FTC published a blog post on Wednesday noting that the settlement administrator has received an “unexpected number of claims.” The materials associated with the settlement have always very carefully said that the payout would be “up to” $125, because with $31 million to go around, the number starts going down after 248,000 claims.
“The public response to the settlement has been overwhelming,” the FTC wrote. “Because the total amount available for these alternative payments is $31 million, each person who takes the money option is going to get a very small amount. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.”
The FTC’s post set off an understandable furor. If you had known up front that you’d likely get less than that promised $125, you might have opted for the alternate offering of free credit monitoring for 10 years. Or you may not have joined the settlement at all.
But not all is lost, and there’s still a decent chance that Equifax will pay you all $125. As Slate points out, the $31 million cap will lift, assuming Equifax hasn’t spent all of the $425 million in its “Consumer Fund”—money it has committed to cover people who can specifically document losses stemming from the breach—in four and a half years. At that point, whatever’s left of that $425 million will be applied to the $125 payouts, presenting much better, if belated, odds.
The FTC argues that victims should opt for the credit-monitoring offer anyway, because it is a “better value” and will provide longer-term protection. But while that suggestion has some merits, particularly given that the credit monitoring comes with $1,000,000 of identity theft insurance, it’s not an obvious choice. Claiming the money puts cold, hard cash—not a lot of cash, but a gesture in the general direction of cash—back in the hands of consumers. You’re likely already eligible for at least a year of free credit monitoring through previous data breaches like Marriott. And taking the credit monitoring means that Equifax pays its rival Experian to offer you the service—further fueling the credit data industry.
When the FTC says that “you will be disappointed with the amount you receive,” it minimizes this distinction, and excludes the possibility that years from now the payout cap may actually be lifted. The FTC told WIRED in a statement, “The settlement was designed with the 10-year credit monitoring product as the primary source of relief for affected consumers because it was viewed as the best source of future protection from identity theft.” If you filed for the cash and want to switch to the credit monitoring, you can email info@EquifaxBreachSettlement.com and let them know.
The larger issue, says Marc Rotenberg, president and executive director of the Electronic Privacy Information Center, is that without strong policies from Congress—like free credit monitoring and credit reports for everyone, stringent federal data breach laws, and even a dedicated federal privacy agency—there is no perfect way to negotiate adequate settlements or other consumer redress in the case of incidents like the Equifax breach.
“People should exercise their right and ask for the $125. It’s possible the final number is less, but I really do think that people should take advantage of this,” Rotenberg says. He also encourages consumers to apply for larger payouts if they can show that they suffered losses as a result of the breach.
There’s also the frustrating reality that the FTC itself did not actually fine Equifax as part of the arrangement, because the agency currently lacks the legal authority to fine first-time data offenders. Last week, the agency asked Congress to pass new legislation that would grant this power. But Rotenberg notes that without a comprehensive data breach response plan within the federal government, a settlement like Equifax’s may not have been much more effective even with an FTC fine.
“Should there be more money? Yes. But agencies like the FTC simply don’t have the authority, resources, or expertise to act as a privacy agency,” he says. “That’s a structural thing that Congress needs to get involved with. In the meantime, don’t miss an opportunity to inflict a little pain on Equifax, because they certainly inflicted a lot of pain on us.”
Whenever you get a check from the settlement in the next decade, don’t forget the most important part. Even if it’s just a dollar—cash it.