Last month, in conjunction with the Consumer Financial Protection Board and all 50 US states, the Federal Trade Commission announced a settlement of up to $ 700 million with Equifax over the company's 2017 data breach that exposed personal data of 147 million Americans. This settlement was different from the previous one, where the only benefit to the victims – if any at all – was free credit monitoring. In this case, the victims may opt for a cash payment of up to $ 125 instead of credit monitoring and could apply for extra financial refund for wasted time dealing with Equifax's negligence. The FTC said the settlement included up to $ 425 million to help those affected by the breach.
It was surprising that this was big news, and we in the media responded by publishing the heck out of it (see "You May Be Entitled to $ 1
That's when the fine print got big. It turns out that the actual settlement charges $ 125 million of alternative reimbursement payments to $ 31 million, claiming lost time for another $ 31 million. In both cases, if the requirements exceed the ceiling, all payments will be reduced in advance. So much for that figure of $ 425 million.
Within a few days, Robert Schoshinski, the assistant director, FTC's Privacy and Identity Protection Division, openly urged everyone to take free credit monitoring instead of payments because millions of people had already signed up for the cash. The FTC also updated frequently asked questions on its settlement information page to clarify the charge cards and the likelihood that you will receive much less than promised.
It may be the reality of the situation, but it leaves a bad taste in the mouth for various reasons.
Denial Isn't Just a River in Egypt
Back in 2017, Equifax's then CEO Richard Smith apologized in an op-ed in USA Today. But apparently, when such an apology is published and the CEO who did it has been sent packing along with the Chief Information Officer and the Director of Information Security, the company can negotiate a different reality.
The settlement settlement website now says:
Equifax denies any wrongdoing, and no verdict or finding of wrongdoing has been made.
It is gratifying to have Equifax – whose negligence resulted in the information of 147 million Americans being exposed to criminals – which pretended it did nothing wrong. If it had done everything right, the breach would never have happened in the first place – hackers are not an "act of god" that corresponds to an earthquake or tornado. Equifax should say:
We messed up. We manage a tremendous amount of confidential, potentially harmful information about almost all Americans, and we failed to protect it. For that, and for all the inconvenience, emotional distress or financial hardship caused by our negligence, we truly apologize. This is how we will make up for you.
Aggravating the bad taste is the fact that the Equifax executives had to "retire" (rather than get fired), which means they keep the unoccupied inventory compensation. For ex-CEO Richard Smith, it was worth over $ 90 million.
Fines and restitution
In the law, there is a difference between a fine and a restitution. Fines go to the government that pursues the crime, while restitution goes to the victims of the crime. Since we are talking about a settlement where Equifax can deny all wrongdoing, there is apparently no crime in play. Either way, the settlement includes both. The fines include $ 175 million to states and $ 100 million to the Consumer Financial Protection Bureau, and the $ 425 million restitution is aimed at reimbursing consumers.
Many of us are angry with the FTC's settlement because the $ 31 million dollars for both alternative reimbursement and time compensation means that the original promise that consumers could get actual cash damages has proved to be untrue. The FTC should have known that only the existence of companies like Credit Karma shows that the monetary value of credit monitoring to consumers is $ 0. Plus, although credit monitoring also provides assurance of identity theft and identity restoration, Credit Karma suggests that they are not generally worth Buy on your own. (Equifax will at least have to pay other companies to provide these services and cannot benefit from them in any way. So at least the fox is not reflected with the chicken house with a chicken dinner.)
massive interest in these payments shows that the FTC completely underestimated what consumers actually want in compensation. Maybe the FTC will adjust the formula the next time this happens, but for now we just have to swallow our bitter medicine.
We Are the Pølsa
The last sour aspect of this situation is the fact that most people never asked to do business with Equifax. We have all become concerned about the dissemination of our personal information and how it may be used against us, but collecting and sharing data about us is Equifax's core business (as it is for its competitors Experian and TransUnion as well.)
At least as Google and Facebook gives us services we choose to use in exchange for our data. In comparison, the credit reporting agencies sell our data to other companies we want to do business with. They couldn't care less about us because we are just raw materials for them. It is easy to find examples (Equifax, Experian, TransUnion) of those being sued for failing to remove false information, conceal charges and other violations of the Fair Credit Reporting Act. Dealing with annoying consumers only costs to do business.
As the saying goes: If you don't pay for it, you're not the customer; you are the product being sold. And if we are not customers, then there is absolutely no need for customer service.
Of course, the final reason why the Equifax breach has a bad taste in the mouth is that there is nothing we can do about anything other than let the FTC know that we are not happy with how things worked. Maybe leave a comment on the agency's blog post. I can't see that it makes any difference, but it can make you feel a little better.