It’s been a year since hapless credit-monitoring company Equifax admitted hackers gained access to the personal details of some 175 million people on its servers – and it has marked the anniversary with an extra legal hurdle for those seeking compensation.
The credit-history collectors lost control of details, including the names, social security numbers, birth dates, addresses and, in some instances, driver's license numbers, of about half the US population. Despite America's trade watchdog, the FTC, strong-arming the biz into coughing up at least $575m for bungling its database security, it's looking more and more likely that those affected will get little or no compensation.
Not only are those folks unlikely to get the $125 they were publicly promised – thanks to the FTC agreeing to a fixed cash fund for all victims – Equifax is now forcing those who applied for the dosh to jump through additional hoops. And if you don’t do what the company wants, within its deadline, you can kiss that money goodbye.
“Validate or amend your claim,” is the heading of an email that millions of claimants received on Friday and over the weekend. In it, Equifax explains that even though you found out about its settlement, and found the online address where you had to apply, and even though you entered all the details you were asked for, and even though you selected the cash option, you now need to provide it with more information.
“Your claim will not be received by the Settlement Administrator until you click the submit button after your electronic signature. For security reasons, once you hit submit, you will not be able to make any changes to your claim form,” the email notes.
How much red tape does $125 buy?
You’ve got until October 15 to (re)confirm that you already have a credit monitoring service. If you don’t, you don’t get the money. And you have to provide the details of that service to Equifax. If you don’t, you don’t get the money.
If you do both those things before the deadline, you should still expect to get another email at some point in future asking you to provide evidence of that credit monitoring service or, you guessed it, you don’t get the money.
“I understand that I may be asked to provide more information by the Settlement Administrator before my claim is complete,” is one of the “options” that you are obliged to agree to.
Yep, you are really going to have to work for that $125. And the truth is that even if you do jump through all the hoops Equifax has put in the way, you are still unlikely to get the $125 promised.
What is going on? Put simply, Equifax and the FTC are embarrassed that their smoke-and-mirrors approach to settling a massive data breach has been exposed as such.
In July, the FTC proudly announced its $575m settlement as a way to bring an end to a slew of lawsuits and promised $125 to those affected. But behind those headline figures was a different reality: the FTC had agreed to just $31m in a fixed-sum punishment; a pot of money that would be split equally between applicants.
The FTC had assumed that only 250,000 of the 175 million people affected would go to the trouble of applying, based on previous take-up rates for such agreements – giving a $125 per person figure.
But thanks to widespread coverage of the super-hack and subsequent punishment, the sheer number of people affected, and the fact that $125 seemed worth people’s while, the FTC was inundated with applications. It won’t say how many, but it was forced to put out an official announcement just one week after the deal asking people not to take the money but to go for the free credit monitoring service instead.
Money, money, imaginary money
Now Equifax has joined the FTC in doing its utmost to force people to take the credit monitoring service over the cash. But rather than simply ask people to do so, Equifax has decided that red tape and easily missed emails are the best way to reduce the number of active applicants.
The hope, presumably, is that through bureaucracy Equifax can get the number of claimants down to, say, one million – at which point it and the FTC can pay out $31 a head and claim that all is well. Incidentally, if everyone eligible applies for the cash, they will receive just 21 cents apiece.
How did the FTC arrive at a $575m figure when Equifax only promised to pay out $31m? Two ways: first, it decided to count the paper value of a 10-year credit monitoring service as part of the deal.
The deal is four years of monitoring through Experian (one of the three main credit agencies) and then a further six through Equifax. But there are two big problems with that: first, Equifax will only be paying a fraction of that claimed cost of a monitoring service – if, indeed, it has to pay anything at all; and second, huge numbers of people already have credit monitoring services given to them for free in previous data breaches.
Credit monitoring is a bit like car sales: no one ever pays full price. And in many cases financial organizations provide credit monitoring to their customers for free, or at very low cost, because of a deal struck with the credit agencies. As such the bulk of that $575m FTC settlement doesn’t exist in any real sense.
The rest of the money is made up of citizens being allowed to claim “up to $20,000” in reimbursement for the costs of fixing or protecting their credit. There are going to be very few people who actively spent thousands of dollars protecting their financial welfare in response to the breach and even fewer of them will have documented it and sent it in an additional request for reimbursement to Equifax. Everyone knows this, but the FTC pretended otherwise and inflated the value of its settlement in response.
Some good out of it?
The whole sorry affair has highlighted several useful things, however. For one, the FTC is clearly not equipped to deal with the realities of the internet era where hundreds of millions of people are affected at once.
The situation has also created greater public awareness of just how toothless the FTC is. For years, the watchdog has relied on large headline fines and settlements to maintain the illusion that it is a hard-hitting regulator when the truth is companies persistently ride roughshod over the federal regulator, which is itself tightly constrained by weak consumer protection laws.
The FTC’s weak powers and willingness to pretend otherwise in public is going to be of significant interest now that it is expected to carry out a much-anticipated investigation into tech giants’ market abuse.
That fact is likely behind the news that 50 states announced on Monday that they would carry out their own antitrust investigation of Google. The federal government just can’t be relied upon to resist corporate America’s worst excesses and so states have stepped in.
Ideally, the Equifax saga will also put a spotlight on the enormous power that credit agencies have over American citizens. But don’t hold your breath. Take the free credit monitoring, America – you know you want to. Here, it’s free! Just don’t ask for cash. Or accountability. ®