> 5. I thought I could choose $125 instead of free credit monitoring. What happened?
> The public response to the settlement has been overwhelming. Millions of people have visited this site in just the first week. Because the total amount available for these alternative payments is $31 million, each person who takes the money option is going to get a very small amount. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.
> The free credit monitoring provides a much better value, and everyone whose information was exposed can take advantage of it. If your information was exposed in the data breach, and you file a valid claim before the deadline, you are guaranteed at least four years of free monitoring at all three credit bureaus (Equifax, Experian, and TransUnion) and $1,000,000 of identity theft insurance, among other benefits. The market value of this product is hundreds of dollars per year.
> You can still choose the cash option on the claim form, but you will be disappointed with the amount you receive and you won’t get the free credit monitoring.
For a little math, $31 million only makes it to 248,000 claims of the 150,000,000 people affected before it starts diluting.
> That’s an utterly irrelevant question unless you have evidence of the equifax data being abused.
No, because time spent putting safeguards in place to prevent its usage should it be abused is worth something.
You don't lock your doors after someone has broken into your house; you take measures to keep them out. In the same vein, you don't protect your credit after someone has abused it; you take measures to keep it from having serious consequences.
And taking measures costs time, and time is money.
I say they extract it from the corporate officers by declaring any bonus payments they've returned over the last several years to be invalid and requiring them to be returned.
Then if there's any leftover money owed, forbid the company from paying out bonuses in the future until the debt is cleared.
Most of the rest of it isn't actually money that will be changing hands. They're going to be providing ~ $330 million worth of their services for free and there are a couple highly specialized pools of money that need documented proof to tap into.
Aka the settlement was actually for $31 million and bull shit.
> For a little math, $31 million only makes it to 248,000 claims of the 150,000,000 people affected before it starts diluting.
It's even more fun if you look at it as a percentage. They leaked data on 147,000,000 people, and only have enough cash to pay out for 248,000. That's 0.0017% of those affected.
Who in their right mind thought that so few would want reimbursement?
I trust Equifax even less to monitor my credit safely than to pay out the money they owe to consumers for their years of deception in business practices.
So this is some bullshit, if FB can get hit with a $5 Billion dollar fine then I think we can scape up a little more than $31 Million from a company with even less scruples than Facebook...
Also I already signed up for the $125 (when there was ZERO mention it might not be paid out) so what am I supposed to do?
God I really wish they had just put down Equifax (as in killed the whole company) as a statement to other companies: PROTECT YOUR DATA or we are coming for you.
And NO I don't want their monitoring, if they couldn't keep my info safe to start with why would I trust them with monitoring.
The settlement should have required them to provide free credit monitoring to every US citizen in perpetuity, AND a cash payout to all the people they screwed over.
We need The Corporate Death Penalty and we need to be able to enforce it in such a way that intangible assets can't be copied over to another entity which is left to continue operations. Hard assets can be auctioned and used to pay unemployment claims and restitution.
Jail time for senior leadership would be nice too.
How can we get a politician to vote for a corporate death penalty when faced with tens, or hundreds, of thousands of now jobless constituents after its first sentencing is upheld?
First nationalise the legal entity so that the board cannot block the actions. Maybe pay a fair share of paid-for capital to employees, proportional to their pays they earned for the last full payment period, as a severance (this might result in lower-than-minimum severance, but better than nothing that you would get in a regular bankruptcy). However, shareholders which would get more dividends than this payout should only be allowed to be paid up to a week of minimum wage in this severance payout, to avoid exit bonuses. Assets should be auctioned off in a quick increment auction, to pay for debts to outsiders, and IP rights to be available to public domain immediately before severance payout starts. If any surplus money remains in the final account, it should be transferred to the legislative to be used for anti-corruption investigations. The legal entity can be vanished after all these finishes.
Why should shareholders get a dime? They backed a shitty company, they should also feel that pain. If they don't want to get hurt like that, they should utilize their rights to keep dangerous and toxic people out of executive level positions
Shareholders may also have wage-related earnings due to managerial/executive roles. Not all people are stock investors. A week of minimum wage is way less than their initial investment in average.
This is a problem in general with "creative destruction" vs. "too big to fail": we generally want unsound businesses of 50 employees to fail, but at 50k employees, it's such a blow to the local (or national/global) economy that politicians and citizens are incentivized to prop them up artificially. (Allegedly, one reason Obama didn't take on private insurance directly is the potentially huge unemployment problem.)
Anyway, I can imagine a scenario for "corporate death penalty" similar to Chapter 11, where the company keeps its doors open, while restructuring and perhaps selling shares at public auction.
I don't have a strong opinion either way on your corporate death penalty proposal, but I do strongly support jailing top-level executives for very long terms. We need to set examples. Everyone on this page[1] should be behind bars for I dunno, five years? Ten? If you don't want to risk that kind of sentence, then don't horde that kind of data.
> Equifax just has a bunch of essentially public financial data, addresses and such. None of that is actually private.
I agree that the information IS public. However, employers do not. Employers share employee compensation with Equifax but they refuse to share it with their employees. So which one is it? Is employee compensation public or is it not? If it is, please disclose compensation to all your employees to all employees. If it is not, then stop disclosing it to Equifax.
$31 million is a laughably small amount of money to set aside for direct settlements in the biggest hack in all of history. Add three zeroes to that, probably still not enough.
I spent three days figuring out this nightmarish credit reporting system and helping friends and family place freezes, as well as educating them to avoid all the horrible dark patterns on Equifax's site. What I want is about $2000 and the ability to opt out of them owning and reselling my personal data completely. I don't need credit monitoring, I don't need credit period anymore, why am I forced into accepting the unlimited risk of them owning all my data so that this private company can keep operating?
Comes out of the same $31 million. I'm unsure how distribution will work once more than $31 million is requested, but you're likely not going to see the full amount.
My reading of the settlement is that of the $310 million, up to $31 million (10%) is allocated to hourly time claims (section 6.2.6) and a separate $31 million is allocated to "Alternative Reimbursement Compensation", i.e. the $125 cheques (section 7.5).
So it's still capped at the same amount, but comes from a different pool.
Either way, it's still a laughably small amount to set aside. They leaked data on 147 million people, are they really only expecting 248k people to want to be reimbursed? That's 0.0017% of the affected population.
>I spent three days figuring out this nightmarish credit reporting system and helping friends and family place freezes, as well as educating them to avoid all the horrible dark patterns on Equifax's site.
That’s all on you. There was no reason for you to do this. Certainly not because of Equifax.
Your information was almost certainly already compromised, so reacting to the Equifax breach news like that was downright silly.
>why am I forced into accepting the unlimited risk of them owning all my data so that this private company can keep operating?
Nonsense. The risk isn’t unlimited, just about everything you do in your life presents a bigger risk.
The real risk here is that someone might waste a few hours of your time, but looks like you’ve already been working on that yourself.
It seems absurd that they only need to allocate $31 million for "alternative payments" while the old CEO leaves with close to $20 million in bonuses [0], while the rest of the money in the settlement is basically reserved for them to pay themselves for their "free" credit monitoring.
This whole situation was a good opportunity to set a precedent for companies not taking data security seriously. But they've instead shown everyone that you can really just ignore all of that and hope it's never discovered - even if it is, it's really just a light slap on the wrist. Combining this with the recent Facebook fine [1], it really makes me think that the FTC has become a complete joke.
> It seems absurd that they only need to allocate $31 million for "alternative payments" while the old CEO leaves with close to $20 million in bonuses.
Not to mention the $77.5 million that goes to the lawyers who negotiated this settlement on our behalf (per the settlement).
> It was also revealed that three Equifax executives sold almost $1.8 million of their personal holdings of company shares days after Equifax discovered the breach but more than a month before the breach was made public.[0]
Nobody was prosecuted as a result.
They were literally promoting their own $16.95/month credit monitoring product (ID Patrol) on the original website about the breach before they were shamed into taking it down.
Executives profited. The CEO profited. The lawyers profited. And the shareholders lost little. The public is the only one paying the cost, and their information was largely shared with Equifax without express consent.
What I want to know is how they established part of the settlement for damages caused by the breach, yet there is 0 evidence that any of the data has ever become public. How would someone prove they were affected, if nobody was affected?
You had me until you mentioned the Facebook fine. $5 billion, assuming it stands, is a lot of money and a good deterrent against the kind of behavior FB was engaged in. No shareholder would be happy that their company lost that much money. And before someone retorts with the fact that the stock went up the day the fine was announced: shareholders could be happy that the uncertainty is over, but still not happy with the fine.
If you’re not talking about a sizable portion of their gross annual revenue or their total market capital, you’re going to have little or no effect on any corporation.
If you really want to have an effect on a corporation, the only way to do that is to pierce the corporate veil, and hold the senior executives and the board members personally liable. That will get them to change big time, and in a hurry.
When you endanger the mega yachts and the private islands, you’ll get them to sit up and take notice.
You had _me_ until you claimed this was a "good deterrent."
$5 billion is a bit over ten percent of 2018 revenue. It's not enough to keep anyone up at night or, more importantly, convince them to do anything substantive _at all_ to improve privacy - because their revenue is _growing_ much more than $5bn a year.
While I agree that this factor is stupid -- either it wasn't well-thought or it was intended to be a way to avoid fairly compensating victims, whatever.
That said, they are paying a total of about $700M, in fees and compensation and so. The actual amount is probably going to be less -- if every single person took the $125, then the $31M for credit monitoring wouldn't be used at all. But for comparison, in Q2 2019, Equifax report about $900M in revenue. So they lost a full quarter of profit out of this.
Is that fair? Does that actually give sufficient incentive to keep this from happening again, by Equifax, or by TransUnion/Experian? I don't know.
I can say I'm not happy about this, the golden parachutes are bullshit, how they sat on the hack and then tried to scapegoat an engineer over it is infuriating, but I'm sure they are scrambling to lock down their security now, if not before, and I can't realistically see the current CEO letting something like this happen again.
Although, as they say, lightning never strikes the same place twice -- they'll lock down these avenues, but what are they going to miss? Can we actually trust them not to leave other vulnerabilities? We don't really have a choice, do we? I can't opt out of their "service."
Nothing like being forced to use a company, who leaks your very important information, who gets set a tiny amount of money to pay out for damages, only to be told not to take it because that money might not be enough to pay everyone who was affected.
It won’t work like that, though. It’ll just mean that the 125 the vast majority of people expected will probably end up at 25 bucks each, depending on how many people requested the cash payout.
Supposedly the settlement encourages me to trust Equifax to monitor my tradelines through "free credit monitoring"... but I can't trust the same company to monitor the safety of that very same data.
"The FTC said Wednesday that consumers rushing to get a $125 check from Equifax as restitution for its 2017 cybersecurity breach should consider the credit monitoring option because the company could run out of money before satisfying all the claims."
As someone that constantly watches credit brokers abuse a broken system, I'm okay with this. Let their CEOs get their parachute pay. while their reputations are publicly and privately castrated.
Honestly, as consumers, we can go after that too, if we really want.
The most insane thing is that they are asking you to take the bet that Equifax and companies like them will screw this up again by calling it a better deal.
This settlement itself is a scam. It looks like a cunningly smart settlement announcement.
Offer something that looks like a worthy settlement, drive millions of people to get the cash option, then claim that too many are going for the cash option, so they'll all get peanuts now (if 10 million chose cash option and only 31 million is available, then it's $3 per head?).
That's a cheap way to get rid of any liability in the future.
Facebook didn't get hacked, and was fined $5 billion (do affected facebook users get anything from that amount? not sure)
Equifax leaked extremely important details of persons, and was fined peanuts. How does this make sense?
65 comments
[ 3.3 ms ] story [ 83.1 ms ] threadhttps://www.ftc.gov/enforcement/cases-proceedings/refunds/eq...
> 5. I thought I could choose $125 instead of free credit monitoring. What happened?
> The public response to the settlement has been overwhelming. Millions of people have visited this site in just the first week. Because the total amount available for these alternative payments is $31 million, each person who takes the money option is going to get a very small amount. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.
> The free credit monitoring provides a much better value, and everyone whose information was exposed can take advantage of it. If your information was exposed in the data breach, and you file a valid claim before the deadline, you are guaranteed at least four years of free monitoring at all three credit bureaus (Equifax, Experian, and TransUnion) and $1,000,000 of identity theft insurance, among other benefits. The market value of this product is hundreds of dollars per year.
> You can still choose the cash option on the claim form, but you will be disappointed with the amount you receive and you won’t get the free credit monitoring.
For a little math, $31 million only makes it to 248,000 claims of the 150,000,000 people affected before it starts diluting.
No, because time spent putting safeguards in place to prevent its usage should it be abused is worth something.
You don't lock your doors after someone has broken into your house; you take measures to keep them out. In the same vein, you don't protect your credit after someone has abused it; you take measures to keep it from having serious consequences.
And taking measures costs time, and time is money.
If you choose to waste your time that is on you, not Equifax.
If you can’t name any, how can there be costs?
Then if there's any leftover money owed, forbid the company from paying out bonuses in the future until the debt is cleared.
Though honestly, it's not enough.
How much damage can someone do with my name and social security number? I bet you it's more than 125 dollars can fix.
This data could end up circulating the web or dark web for years and years.
It's designed to almost never pay out.
Aka the settlement was actually for $31 million and bull shit.
It's even more fun if you look at it as a percentage. They leaked data on 147,000,000 people, and only have enough cash to pay out for 248,000. That's 0.0017% of those affected.
Who in their right mind thought that so few would want reimbursement?
Also I already signed up for the $125 (when there was ZERO mention it might not be paid out) so what am I supposed to do?
God I really wish they had just put down Equifax (as in killed the whole company) as a statement to other companies: PROTECT YOUR DATA or we are coming for you.
And NO I don't want their monitoring, if they couldn't keep my info safe to start with why would I trust them with monitoring.
From the FAQ, they'll send out an email to everyone who already filed allowing people to switch to credit monitoring.
I agree, this is ridiculous. Even credit monitoring for life (from the other agencies) would have been better than this.
Jail time for senior leadership would be nice too.
Anyway, I can imagine a scenario for "corporate death penalty" similar to Chapter 11, where the company keeps its doors open, while restructuring and perhaps selling shares at public auction.
[1] https://www.equifax.com/about-equifax/corporate-leadership/
Equifax just has a bunch of essentially public financial data, addresses and such. None of that is actually private.
I agree that the information IS public. However, employers do not. Employers share employee compensation with Equifax but they refuse to share it with their employees. So which one is it? Is employee compensation public or is it not? If it is, please disclose compensation to all your employees to all employees. If it is not, then stop disclosing it to Equifax.
'If you can't do the time don't do the crime' doesn't seem to apply except in very extreme cases like Enron
I spent three days figuring out this nightmarish credit reporting system and helping friends and family place freezes, as well as educating them to avoid all the horrible dark patterns on Equifax's site. What I want is about $2000 and the ability to opt out of them owning and reselling my personal data completely. I don't need credit monitoring, I don't need credit period anymore, why am I forced into accepting the unlimited risk of them owning all my data so that this private company can keep operating?
So it's still capped at the same amount, but comes from a different pool.
That’s all on you. There was no reason for you to do this. Certainly not because of Equifax.
Your information was almost certainly already compromised, so reacting to the Equifax breach news like that was downright silly.
>why am I forced into accepting the unlimited risk of them owning all my data so that this private company can keep operating?
Nonsense. The risk isn’t unlimited, just about everything you do in your life presents a bigger risk.
The real risk here is that someone might waste a few hours of your time, but looks like you’ve already been working on that yourself.
This whole situation was a good opportunity to set a precedent for companies not taking data security seriously. But they've instead shown everyone that you can really just ignore all of that and hope it's never discovered - even if it is, it's really just a light slap on the wrist. Combining this with the recent Facebook fine [1], it really makes me think that the FTC has become a complete joke.
[0]: https://www.cbsnews.com/news/equifax-data-breach-settlement-...
[1]: https://www.theverge.com/2019/7/12/20692524/facebook-five-bi...
Not to mention the $77.5 million that goes to the lawyers who negotiated this settlement on our behalf (per the settlement).
> It was also revealed that three Equifax executives sold almost $1.8 million of their personal holdings of company shares days after Equifax discovered the breach but more than a month before the breach was made public.[0]
Nobody was prosecuted as a result.
They were literally promoting their own $16.95/month credit monitoring product (ID Patrol) on the original website about the breach before they were shamed into taking it down.
Executives profited. The CEO profited. The lawyers profited. And the shareholders lost little. The public is the only one paying the cost, and their information was largely shared with Equifax without express consent.
[0] https://www.bloomberg.com/news/articles/2017-09-07/three-equ...
If you’re not talking about a sizable portion of their gross annual revenue or their total market capital, you’re going to have little or no effect on any corporation.
If you really want to have an effect on a corporation, the only way to do that is to pierce the corporate veil, and hold the senior executives and the board members personally liable. That will get them to change big time, and in a hurry.
When you endanger the mega yachts and the private islands, you’ll get them to sit up and take notice.
$5 billion is a bit over ten percent of 2018 revenue. It's not enough to keep anyone up at night or, more importantly, convince them to do anything substantive _at all_ to improve privacy - because their revenue is _growing_ much more than $5bn a year.
That said, they are paying a total of about $700M, in fees and compensation and so. The actual amount is probably going to be less -- if every single person took the $125, then the $31M for credit monitoring wouldn't be used at all. But for comparison, in Q2 2019, Equifax report about $900M in revenue. So they lost a full quarter of profit out of this.
Is that fair? Does that actually give sufficient incentive to keep this from happening again, by Equifax, or by TransUnion/Experian? I don't know.
I can say I'm not happy about this, the golden parachutes are bullshit, how they sat on the hack and then tried to scapegoat an engineer over it is infuriating, but I'm sure they are scrambling to lock down their security now, if not before, and I can't realistically see the current CEO letting something like this happen again.
Although, as they say, lightning never strikes the same place twice -- they'll lock down these avenues, but what are they going to miss? Can we actually trust them not to leave other vulnerabilities? We don't really have a choice, do we? I can't opt out of their "service."
It's all a sham. And they are still compiling all of our information so make the next breach even better.
Yeah, this makes a lot of sense...
[0]https://twitter.com/hoofnagle/status/1156662788221050881
As someone that constantly watches credit brokers abuse a broken system, I'm okay with this. Let their CEOs get their parachute pay. while their reputations are publicly and privately castrated.
Honestly, as consumers, we can go after that too, if we really want.
Duly noted that poor planing may lead to the exhaustion of the paltry reserves Equifax set up for the actual victims of its crimes.
How about some real justice then?
Offer something that looks like a worthy settlement, drive millions of people to get the cash option, then claim that too many are going for the cash option, so they'll all get peanuts now (if 10 million chose cash option and only 31 million is available, then it's $3 per head?).
That's a cheap way to get rid of any liability in the future.
Facebook didn't get hacked, and was fined $5 billion (do affected facebook users get anything from that amount? not sure)
Equifax leaked extremely important details of persons, and was fined peanuts. How does this make sense?