Most of us remember the news about the Equifax data breach. There was unauthorized access to Equifax customer data files between May and July 2017. Equifax discovered the breach on July 29 but did not announce it until September 7.
At the time of the breach Equifax made a form available for customers to check whether their data was among the more than 145 million customer records stolen. It offered free credit monitoring and credit freeze service to customers whose data had been compromised.
The Equifax breach is by no means the largest ever; that dubious honor goes to Yahoo! with over 3 billion records leaked. It is, however, especially egregious for at least three reasons. First it was slow to react to and to report the breach; sadly that is the norm for corporations all over the world. Second, it represents one of the few instances in which customers have no choice about their patronage; consumers who have credit are automatically included by the three credit-reporting agencies. Third, it attempted to monetize its own failure by pushing its own paid products like credit monitoring and deep scans of the dark web.
On July 22 the Federal Trade Commission announced a settlement with Equifax which could amount to as much as $700 million. That’s admittedly a large sum but it pales in comparison with Equifax 2018 revenues of $3.4 billion. The settlement is complex, but one portion of it sets aside up to $425 million to compensate individuals for losses. The basics are:
Don’t know if your data was stolen? Here’s the eligibility look-up tool from the settlement web page and their excellent FAQs page. I used the original look-up on the Equifax page when it happened and repeated it on the settlement page, which is run by a settlement firm not by Equifax. I got the same results in both cases.
People who are among the unfortunates to have had their identity stolen as a result of the breach are hopefully already getting help from the FTC. Those who had data stolen in the Equifax breach or the many others since should be sure they have followed all the FTC-recommended fixes.
There is no doubt that anyone harmed by the breach should apply for as much of the $20,000 possible reimbursement as possible. One form is used, whichever settlement is being requested. This article walks a user though the process.
Before you get too excited know that, in the unlikely event that all 145 million eligible users apply, the actual amount received will be much less than $125. Even applying for the credit monitoring imposes some cost on Equifax. Slate magazine suggests all eligible consumers should consider it a moral duty to apply. I like the argument that companies should have to pay a meaningful penalty, not just consider data breaches a normal cost of doing business.
If you don’t like taking the money, which won’t be received until sometime in 2020, you can donate it to a favorite charity. Do keep in mind the January 22, 2020 deadline for the reimbursement application.