138 comments

[ 3.5 ms ] story [ 24.5 ms ] thread
> It’s also one more reason why the consumers who sought a cash settlement from Equifax won’t be getting the full $125 as initially expected.

> In fact, consumers were never going to get $125, ... “That’s down to $6 or $7 [per consumer] now. Maybe even less than that,”

That's what all your personal information and your identity is worth. $6.

> That's what all your personal information and your identity is worth. $6.

That's not how much it's worth, that's just how much Equifax was able to corruptly negotiate to pay for losing it.

If you really want to know how much it's worth, you could probably compute a reasonable estimate by taking all the money the credit bureaus from your credit file, and divide that by the number of credit files.

Let me rephrase. $6 is what your personal information and identity is valued at by corporations.
It would be $0 and probably covered up if the corporation had the choice.
If they had a choice, it'd be considered a burden and a tax write-off :-)
No. It’s much worth more than 6 to them but they are trying to tell you it’s less
Equifax followed all laws on the settlement.

Also, when that statement is ever made, it really highlights flaws in our system when the rich/corporations/layers write the laws in their favor... So much for "for the people" right?

Also, let us not forget, Equifax execs sold stock before hack was disclosed

https://money.cnn.com/2017/09/08/investing/equifax-stock-ins...

> Three Equifax executives sold shares of the credit-reporting company worth nearly $2 million shortly after a massive data breach was discovered.

I understand that this looks unfair, but why is this actually bad?
Insider Trading [0] is a crime in the US.

[0]: https://en.wikipedia.org/wiki/Insider_trading

It might or might not have been insider trading.

However, I think a journalist is seriously delinquent if they don't acknowledge that insiders normally schedule their stock trades ahead of time to insulate from insider trading accusations. A reader needs to know whether this was the case or not in order to be appropriately outraged.

It was. I posted the SEC PR filing in reply to another comment on this article.

> I think a journalist is seriously delinquent if they don't acknowledge ...

I'm not sure I agree. If you consider how many topics journalists write about and how much necessary context that they would have to background-boilerplate, a 2 sentence update could easily become the length and readability of a ToS contract.

If there is one single thing that you could put in a sentence or two, but it makes your article irrelevant, then the maximum word count is not the reason it was left out.

This isn't like, one article with a unique context. There have been lots of similar ones and will continue to be.

So what? The question would be "Why is insider trading actually bad in this specific instance?" not "Is insider trading actually a crime?"

"Insider trading creates perverse incentives" would not inherently mean that the purported insider trading by equifax executives was a bad thing.

Unless they can prove they intended to sell that stock anyway before they had knowledge of the hack, that seems criminal.
Isn't that guilty until proven innocent? Rather, I would think that whoever does the prosecution would need to prove the execs knew of the hack prior to selling the stock. The execs don't have to prove anything.
A subpoena of exec email accounts could sort out who knew what very quickly.
When you are exposed to information that it would be improper to act on, you generally have to demonstrate affirmatively that your decisions aren't based on it to stay out of hot water. It's the same deal as clean-room reverse engineering, where you need separate teams with a lawyer as a firewall to prove you're only replicating certain aspects of the source. It's not that presumption of innocence isn't applicable; it's just, when your defense is that you tracked provenance in your head and were careful to ignore the tainted information when thinking about certain things, it probably won't be hard to prove you guilty.
If they're high level execs, presumably they know about major company news. I don't think that's hard for the prosecution to establish.
Executives do normally schedule selling stock ahead of time. If no investigation is happening, that might be one obvious explanation.
Yup. It’s rare for senior executive to not preschedule stock sales.

Otherwise it’s too hard to prove you didn’t act on insider info since they see such info every day.

...insider trading? If there’s not an investigation into these “executives” already underway, there should be.
How do we turn ‘should be’ into reality?

From a tech perspective I feel like issues like this should have a public canonical ID. That would help regulators and reporters alike deliver information in a more clear, cost effective and accountable manner, disambiguation by default. Interested and affected parties could subscribe to updates on that key across the web.

I think guillotines would help motivate more meaningful regulation. They're why we have this whole rule of law thing in the first place. If the plutocrats get too far out of line, they maybe need to be reminded of the alternative.
Do you remember when France brought the guillotines out? It didn't end very well for the people...
Hey y'all let's bring it down. We're all on the same team. The rule of law and liberty team. The 'we're better than divide and conquer' team.
Already done.[1] Literally took me 10x longer to log into HN to comment than it took me to verify my vague memory of this event.

In addition to the SEC litigation into the executives, Equifax did a company-wide investigation and found that one of the developers for that breach notification website (the one that provided tons of false positive and false negatives and was spoofed by a security researcher) traded using his SO's equities trading account before the breach was revealed. The company found him and he has also been prosecuted[2].

[1] https://www.sec.gov/news/press-release/2018-115

[2] https://www.zdnet.com/article/equifax-engineer-who-designed-...

To be fair, one guy sold his stock because it seemed like people were acting really fishy and not telling him anything, and he put 2 and 2 together. So no one explicitly told him insider information, but he is still being charged.

If I worked at Amazon and saw Jeff Bezos in a meeting room going ballistic on the lead security engineer, would I be insider trading if I shorted amazon stock?

Yes actually. That's literally insider information.
> If I worked at Amazon and saw Jeff Bezos in a meeting room going ballistic on the lead security engineer, would I be insider trading if I shorted amazon stock?

Yes, for sure. You'd still be acting on non-public information (the fact that he went ballistic on the head of security).

If you leaked that meeting to the press first, then maybe you'd be in the clear on insider trading (but you'd be in deep water for the leak!).

Would seeing an angry Bezos count as "material information"? There are all sorts of secenarios where Jeff could be angry with a person - when did it become material?
If it moved the stock price afterwards it was material. Point is you won't necessarily know at the time.
This headline is dishonest. I’m not getting my $125 because the settlement fund is dramatically too small. It looks like I’ll get about $6. If the attorneys got absolutely nothing, that number would be maybe $8. So attorney fees are <2% of the shortfall.

I’m not pumped that Equifax is getting off for less than a half billion or that the attorneys are getting a big chunk of that. (It’s hard to say how much they should get, to be honest) But when I see a bullshit headline I have to call it out.

By the way, they based the $125 on the assumption that almost everyone would take the worthless credit monitoring option.

Where are you getting 2% from?

The 77.5 is roughly 20% of the settlement fund

Or if you want to include the crap credit monitoring it is 11% of the total 700

In either case no one will be getting near 125 but still 80 million is quite a lot for them...

> 80 million is quite a lot for them

Against $3.5bln in 2019 revenues? That's not really a lot at all.

Why are you comparing how much the lawyers get to Equifax revenue?
Because the point of the settlement, in theory, is A) for Equifax to be sufficiently disincentivized from being careless again B) restitution for victims. In my opinion as a victim, amount of the settlement (paid to lawyers or otherwise) is too small to accomplish A, and the amount paid to lawyers, if redirected to victims, is still too small to accomplish B. These are the only things that feel relevant to compare the amount to.

If the two sides negotiated a settlement that involved a serious change of business practices at Equifax, a significant payout to meaningfully compensate victims, and a chocolate cake for every retired librarian in Tallahassee, I'd be slightly confused but I would be unequivocally happier with that settlement than the current one. While you could probably save a bit of money on the chocolate cakes, it would be much smaller than any of the other amounts in the case, and saving that money wouldn't have any real impact on the settlement actually doing what it needed to do.

Spending nearly $80,000,000.00 on lawyers didn't seem to explain to the court or FTC that the settlement should have been higher than mere dollars per person so I'm not sure how spending e.g. $800,000,000.00 on lawyers is supposed to result in anything beyond even less making it out to actual compensation.

It's not like there was some busy public defender that didn't have time to think "gee, these people deserve more than a couple bucks and the company is probably going to make money off this 'fine' once the yearly renewal kicks in for those that opted for the coverage how can we argue a stronger deal" there was a high end team that made bank on a deal they knew they were the only ones making real money on regardless of what the deal was.

I don't disagree about the part that lawyers enriched ourselves, but like the librarians eating cake in Tallahassee, I don't really care about that, personally. I do disagree with the part about spending $800M on lawyers - if that came out of Equifax's own pocket, that would be ten times more effective at B than spending $80M. If you made them spend $8B on lawyers, Equifax might well shut down, and scare the other credit reporting agencies into behaving. That is valuable to me.

I'll be honest, as a victim, I'm not sure what I'm supposed to do with $125, either. I expect most people will spend it on themselves, but even spending it on credit monitoring doesn't actually fix the problem, it just makes the problem a little less bad, maybe, at the cost of enriching other companies that depend on this ecosystem of profiting off other people's data. I would genuinely prefer a settlement that cost Equifax $800M and got me nothing to one that cost $80M and got me $125.

The lawyer pool isn't "in addition to" it comes "out of" the settlement amount that was already decided previously. I.e. the difference between 80 million and 800 million in lawyer fees is exactly 720 million that was supposed to have gone to compensation going to the lawyers instead.
OK, but the settlement was $380 million. There was no $720 million that was supposed to go to the lawyers (or to anyone else).

If the lawyers had instead negotiated a settlement that got them fees of $800 million, then, because as you say the fees come out of the settlement amount, the settlement would have to be at least $800 million. That would be good for me, as a victim, because it would have meant a larger penalty to Equifax.

Revenue isn't the same as profit.

" Net income attributable to Equifax of $299.8 million was down 49 percent compared to the full year 2017. " https://www.prnewswire.com/news-releases/equifax-releases-fo...

"2% of the shortfall", which would mean "2% of the 119$ less than the 125$ I could've been getting".
>80 million is quite a lot for them...

Equifax should pay damages related to the severity of the breach not to the size of their bank account.

"Them", in this case, would be the lawyers.
Credit monitoring, * offered by Equifax *, should not be legitimate restitution.

It’s like Apple’s MacBooks blowing up and a judge ruling Apple can give iCloud storage as compensation.

You mean like the Zappos settlement where the restitution for the victims of the data breach was a 10% off coupon to Zappos?

Which also lets them spam all their old customers who do not otherwise receive promotional emails from them.

I got like 3 of these emails from zappos. At some level you just have to laugh that they're advertising a court enforced penalty.
A 10% off coupon that I not only received a few days ago, but has to be used before Jan 1, 2020. Just a middle finger to the people who's data they were irresponsible with.
This will continue until data protection legislation passes in the US. That’s the only way consumers will have any recourse.

Here’s EPIC’s summary of the legislation options: https://www.epic.org/GradingOnACurve/

This is the correct answer. The problem isn't how the class action suit was orchestrated; the problem is that class action is the only plausible and scalable form of justice currently available. Severe automatic penalties of X dollars per account lost and / or criminal liability for executives similar to SOX is what we need to deter these mistakes.
(comment deleted)
It is exactly like that. What makes you think that wouldn't happen?
When they lied about their monitor size I got a coupon for a few bucks off my next purchase of an Apple monitor. Never used it.
No this is worse, this is some fucking mafia shit.

Equifax: YOU NEED THIS PROTECTION. PAY US... or else maybe there will be an ACCIDENT with your data

Me: No, I don't, think so. Shit, sounds illegal to me

Equifax: WHOOPS. We had an accident.

Me: WTF? [calls authorities]

Equifax: Well, let us make this right, how about we now give you some _free_ protection as a sign of our goodwill... you know to try it out... just in case that WHOOPS ends up being a problem for you.

Me: [looks at response from authorities] This is okay? This is fucked.

This is state-sanctioned organized crime at its finest.

"And when you sign up, we'll ask for a credit card. And if you don't cancel the free protection, we'll start billing you for it soon enough."
We should have all collaborated to sign up for the monitoring and let them charge the cards, then all simultaneously issue chargebacks when the first charge hit to wreck their ability to accept credit cards and destroy their business.
What I find especially bothersome is that their resolution has, in practice, only cost their victims more.

Because the time needed to fill out that form and provide the documents will have been worth more than the payout, if one ever comes, for just about anyone who bothered to do it.

Not at all satisfactory.

It's expensive to make big companies pay for their misdeeds.
There would be no settlement at all without lawyers taking the case on contingency and fronting the costs.
No settlement would be better since filling out the forms costs more than $6 in time.
The settlement is meant to be punitive, not necessarily amount to a windfall for you. It's not terribly easy in a case like this to even prove damages.

And no, it wouldn't be better to let them off the hook completely. I'm not saying this settlement is _at all_ satisfying, but c'mon.

The settlement is also political cover to avoid dealing with this problem. Without that some more meaningful change could have happened.
I do disagree with you.
Edit: I seen 3 versions of that post so NM.
"I do not disagree with you at all."
Edited my response to be less haughty :D
I apparently screwed up on the edit, but only two versions. I do not disagree with you. I can no longer edit. I blame my phone and fat fingers.

It's a mess now. The gist of my original comment was "I agree with you".

That’s fine, I must have miss read it the first time. Because I re read it noted the double negative and was editing it when I then saw the final version...

¯\_(ツ)_/¯

Windfall? People are hoping at best for a tiny fraction of the cost of actual damages. That's not a windfall. The only people getting a windfall are the class action attorneys. The actual victims get basically nothing.
I think you interpreted what I said in the worst way possible, and again, it's incredibly difficult to prove damages. We all know they exist, but if you can prove them you don't need a class action.
If it's meant to be punitive, shouldn't the full penalty amount get divided evenly among everyone who applies for the compensation, rather than being a fixed $6 per person who applies? Or does Equifax somehow end up losing the full penalty amount regardless (e.g. is the unclaimed amount paid to the government etc.)?
It depends on the settlement agreement, but they don't typically go back to the defendant. In this case, I found one source without looking up the actual agreement

https://www.baynews9.com/fl/tampa/news/2019/07/26/what-happe...

>Any funds unclaimed after 4-year extension will be distributed in services

>Services offered are for identity restoration, credit monitoring

And those services are from... Equifax, which I feel is pretty shitty. Like I said, I don't like the settlement itself, but lawyers get a lot of hate for class actions from people who seemingly don't appreciate the risk they take in taking in the case.

I’m so so glad they took all that risk on so that I can get $6 while they get 80 million. Poor lawyers, so charitable of them.

And who gave them the right to profit massively off the violation of my privacy. I should be able to sue them. This is not justice, this is profiteering off others misfortune.

Design a better system then, I don't know what to tell you. The lawyers didn't engineer this debacle.
They essentially stole my info and did nothing to protect can it. A corporate death penalty should exist and all assets seized including every paperclip

This company should be "old yellered"

It isn't supposed to punish the claimants though. Filling out the form was worth less than the payoff. Better to just burn the settlement than to waste everyone's time trying to distribute it. Or give out $600 to every 1 out of 100 claimants based on a lottery instead of $6 to all.
I opted out, hoping that another case would be pursued.
> their resolution has, in practice, only cost their victims more

All class actions are this way.

The only correct move is to exclude yourself from the class and reserve your right to sue individually, after the class action, citing that as precedent.

Class members never get more than a useless coupon or comparable.

Have you sued and had that work well? I'm interested in doing this but I am curious to know how well it works.
I honestly, no bullshit, wish the hackers had simply released the entire dataset. Just drop kicked it into the the public domain.

It would have been the greatest thing ever. This dumb ass bullshit system of credit reporting would have dissolved overnight. Instead we're stuck with the worst of all worlds. Our information is completely fucked, and we're the ones expected to protect it. And we're not even permitted to have proper tools to protect ourselves.

> I honestly, no bullshit, wish the hackers had simply released the entire dataset. Just drop kicked it into the the public domain.

A lot of systems that leverage data behind walled gardens, collected from the masses and for the benefit of the few could also have the same approach. A couple of high profile "leaks" come to mind…

I totally get your sentiment about it forcing reform. What would replace it though?

Risk assessment is a valid concern for lenders. Diligent payers should be rewarded.

I don't think the lending industry would go away with a leak, though I do think that more players with the ability to analyze the data could have come along and used the data set to lower the costs of lending and/or incentivized other systems of data collection/risk analysis and underwriting.

Though I do think it would have hurt the bottom line of the giants that have few incentives to innovate, and many incentives to maintain the way things are.

> This headline is dishonest.

All part of the push to make class-action lawsuits economically unviable. When it's not worth it for any lawyer, the corporations will be free to defraud everyone for small amounts.

If the lawyers think the credit monitoring is so great they should take their fees in transferable credit monitoring coupons.
Your numbers are incorrect. A handful of attorneys are taking 20% of the resolution.
The claim is "2% of the shortfall" (the amount of money that would be needed to get $125 instead of $6 to everyone in the settlement), not "2% of the settlement amount."

Yes, the attorneys are taking 20% of the resolution. The resolution is so tiny that 20% of tiny is also tiny. The article title is highly misleading.

Class actions are broken and rarely actually directly benefit the consumers. At best you can say it is a large club that can be wielded on behalf of consumers to force large corporations to behave responsibly. At worst it's a total racket where attorneys can get very very rich by "representing" consumers and shaking down large corporations, which will eventually end up being paid for by the consumers who were meant to be protected in the first place.

I think the USA needs stronger regulators who can actually enforce the laws using fines and lawsuits rather than the legal system which does not work.

From what I have read stuff like this is also high risk for the lawyers who may be working on this for years without getting paid. I agree that regulators should go after these companies and also prosecutors instead of putting people in jail for years for possession of marijuana.
What about the Equifax case or the Zappos case is high risk? Or even low risk?
1) regulators don't lock people up for marijuana use. 2) We would save Lawyers the risk of not getting paid if they didn't have the chance of getting paid. Expressed with less sarcasm, there is no shortage of lawyers coming out of the woodwork to start class action suits when something happens. Every time anything big happens there is a half dozen class actions that get filed straight away, then there is lots of overhead figuring out who's class action is the correct one and combining lawsuits, and all this "work" is only to the benefit of the attorneys filing the lawsuits not to the actual people they are claiming to represent. Anyway, it's rotten to the core.
But why a preset percentage? Why not costs + a 10% profit? Once you do a certain amount of work, why does the amount of profit rise when you can extract more from the defendant?
Under this scheme, the only way to make more money as a law firm would be to increase your costs, so this creates an incentive to prosecute the case as expensively as possible.

The eventual endgame of this system would be that law firms’ costs should rise to eat as much of the settlement as possible, which leaves as little as possible for the actual victims.

A fixed percentage system creates an incentive to maximize the settlement (on behalf of the victims) and leaves the law firm to pay its own costs.

FBI Director Wray, AG Barr, SoD Shanahan, & SoS Pompeo all raped boys and paid billions in bribes for Soros & Koch funded child rape org. So did Trump & his "impeachment" team Nadler, Schiff, & Mueller. So did media moguls Redstone, Murdoch, Moonves. What are they trying set up? Who can arrest them?

\\*Download the video/audio file, put on headphones and turn up the volume. You will hear these people committing these crimes. Audio was broadcast into my apartment by outdated surveillance equipment illegally embedded within my walls. This very same technology was being used to broadcast me to the internet for five years without my consent. I own this footage. Please use this to prosecute all found within. Note:: I am obliviously speaking throughout the video, and it can be quite loud at times relative to the desired content. The are dozens more links, including these, that can be found in this 139 page PDF doc, last updated 12/18:

https://drive.google.com/file/d/1Sj9EN_pHmicKS6rFQlmk67knMdJ...

All members of the "Illuminati"; "....an underground organization of homosexuals and child rapists..." (from page 26: Barack Obama & Jack Dorsey).

    President Donald Trump:
Accepting a $4 billion dollar bribe here at 10:18 am on 4th Jan2019:

3JanCh3_900-1100.avi

https://drive.google.com/file/d/1Grdr8xF2psKNsuYlEnl9dIRV-77...

3JanCh2_900-1100.avi

https://drive.google.com/file/d/1LUmVygl_q0XVs8h2cWr8jZl-24f...

3JanCh4_1000-1100.mp3

https://drive.google.com/file/d/1ZpP1pJbJakBgg-y-MWNozTxp3wJ...

    President Donald Trump rapes and kills a dozen boys, including five boys in a who can rape five boys to death the fastest' game:
14JanCh3_600.mp3

https://drive.google.com/file/d/1ufPmglde9Mep0m6xYMJ9c4TWTjj...

14JanCh2_600-700.mp3

https://drive.google.com/file/d/136qLJdEn8eCs9tI4QtIxl4opW_L...

    Speaker of the House Nancy Pelosi:
Accepts a $3 billion dollar bribe at 10:33 am on17Jan2019 to ensure Asian boys can get through the border at "Monterrey" undocumented to be raped:

17JanCh3_949-1100.avi

https://drive.google.com/file/d/1eodHu4o5Cm3xEWhDqipSuTj-M1C...

17JanCh4_1017-1100.avi

https://drive.google.com/file/d/1y-nWEQbempkVZSz230j9wTyduZN...

    Speaker Nancy Pelosi also "preps" boys with First Lady Melania Trump, defined as in she performs oral sex on the boys’ penis and anus, as a child rapist like Henry Porter would, while trying to remove fecal matter from the boy prior to handing them over to be raped and subsequently murdered, for Supreme Court Justice Samuel Alito, who apparently decides he would rather jus...
That's fine, I'm more interested in punishing companies for poor behavior than getting a couple bucks in my pocket.
Correct me if I'm wrong, but my understanding about class action suits rarely benefit anyone but the lawyers; isn't the whole point to hurt the corporations where it hurts?
In theory, yes.

In practice, as usual, they're getting fined $5 for stealing $100, so not really.

This is actually a good thing. The more lawyers get to suckle at the teat of class actions, the more class actions they will file, which will have a deterrent effect on corporate malfeasance even if there is no restitution to the victims.
The proliferation of binding arbitration provisions in contracts of adhesion puts a dent in that, sadly.
The point wasn't for me to get a lot of money. The point was for Equifax to lose money.

Look, I'll badmouth lawyers as much as the next person, but anyone who wants to claim class actions are a mistake needs to come up with a better system before they trash this one. There are so few avenues for consumers to hold companies accountable right now. They just don't exist. And thanks to arbitration and class action bans in EULAs, even the few avenues we do have are getting gradually eroded.

So first make regulatory penalties stricter, first set up real consequences for CEOs and boards. Then we can talk about revising class actions. I'm not satisfied with someone saying, "theoretically this could be better." Make the alternative systems better first, and then we'll talk about throwing away what we currently have. Like, holy crap, how short sighted can CNBC be? There are no working alternatives in the US to class actions right now.

The tragedy isn't that the lawyers took 20% of 380 million dollars. The tragedy is that it was only 380 million dollars. I'd happily trade another 25-50% on top of the current lawyer take if they had gotten that total up to 750 million, or even a billion.

Laywers get 20% of the restitution costs, on top of the restitution costs.

If the courts deem that the resulting costs to the defendant are too low, additional amounts may be levied and given to relevant charities, or the ACLU (or things like it).

If the company would collapse due to the costs, or otherwise would be unable to pay the full costs, executive bonuses (and potentially some pay, with limits) may be reclaimed, both towards allowing payment, and preventing failure in "too big to fail" situations.

I miss anything?

People get restitution. Lawyers get rewarded for quality work. Companies both pay damages, and a penalty on top of damages. Executives bear responsibility as people, not just the corporate entity.

Off the top of my head, I'd have no issue with this. Sounds great, particularly in how it would expand the ways we could hold executives personally responsible.

The request I would make is, "can we build a real, working version of the system you propose before we get rid of the existing one?" I'm not eager to throw away what we have on the promise that we could build something great afterwards.

The annoyance I feel when I read articles like this is that it's a bunch of reporters saying, "we need to do something about lawyers", and I just feel like -- if I'm in a leaky lifeboat, don't tell me to jump out of it until you have another boat next to me that I can climb into. We all know the lifeboat has leaks, but this lifeboat is real, and yours is (at least for now) imaginary.

I don't think anyone here is proposing we get rid of class action lawsuits. People are annoyed because they think the class action isn't enough.
> It turned out that the money set aside in the roughly $380 million restitution fund specifically for cash compensation was capped at $31 million

I can't parse this, how can a $380m fund be capped at $31m, isn't that a $31m fund?

I think they're including the value of the credit monitoring they offered people in that
Which is utterly insane considering it’s a near 100% margin business for them. The breach was basically a funnel into their free trial of credit monitoring.
The majority of the money is set aside for victims who can show specific damages. A relatively small portion was set aside for the vast majority of the victims who's information was leaked but not actually used to cause them any specific harm.
The money set aside ... specifically for cash compensation was capped at $31 M. It would have been somewhat more clear with something like It turned out there was a cap of $31 M specifically for cash compensation of the $380M restitution fund.
Equifax has made more money after the hack now that they are selling their credit monitoring as a service.

I went to their website trying to figure out how to lock my credit report (which US govt mandated be a free thing to do) only to learn that in order to use the "free" option you have to go through hours of phone trees, or write in snail mail.

If you want the ability to lock the report online or via an app, you have to pay ~$20/mo to Equifax. Total BS, and of course I wouldn't put it past this company to make money off their own data leak.

Equifax muddies the water here with “lock” vs “freeze” terminology on their web site. One costs money and one is free. The free is the mandated government version, which is a lock but I think they call it a freeze and can be done online. I’ve done it recently. It’s a really deceptive and dark pattern as they try and steer you Towards their paid version.
Andrew Yang should campaign on making Equifax pay for data pollution. In fact, every one of these "data breaches" should be treated like the BP Oil spill. If these companies can't be held accountable for protecting our data then they shouldn't be allowed to collect it in the first place.

If it cost them as much to clean up each spill as it cost BP, you better believe they would take better care not to let it happen again.

> If these companies can't be held accountable for protecting our data then they shouldn't be allowed to collect it in the first place.

It's so sad that this is even remotely controversial. Equifax should have gotten the same treatment as Arthur Andersen.

From my reactive, emotional side, I would argue yes.

From my rational, informed side, I would argue no. Here's my rationale.

The data stolen from Equifax has not shown up on the black market and hasn't been actively used, which suggests this was a nation-state using the data for something other than profiting from fraud. This also suggests that the hack could easily be considered an "act of war", so given enough time+effort+resources, no company would likely be able to resist that breach (although I know Equifax could have done FAR better than they did).

Technically I don't "own" the data that Equifax has about me. Equifax owns the collection of it, their reporters (ex retailers, landlords, bank/mortgage companies) each own a shard, and other data aggregators who contract with any one of these actors can own part/all of it.

I am not Equifax's customer. They are required to deal with me based on a few rules defined in the Fair Credit Reporting Act, but the FCRA also provides some protections for credit reporting agencies who don't violate those rules. I'm sure they minimize the effort/resources they devote to helping credit consumers because that is the profit motive of every company.

I'm sure Equifax has a ridiculous EULA/ToS that I probably implicitly agreed to when I used the AnnualCreditReport website, and probably additionally when I deal with any retailer that pulled credit reports from Equifax (including the IRS after the breach was revealed). It likely involved me signing away my rights to a class action litigation or my rights to a trial by jury, because that is par for large contemporary corporations.

The standard for "protecting consumer data" is remarkably low except in a few sectors (ex. healthcare, retailers storing credit card data), and even in those it's still disheartening. The problem here is that companies can easily argue to {regulators, judges/juries, their BoD, cybersecurity vendors} that they can't be expected to spend more than the industry average because that hurts them more than the competitors. This just becomes a Prisoner's Dilemma where our data's security becomes the victim to corporate (in this case credit reporting bureau) self-interested decision making.

> The data stolen from Equifax has not shown up on the black market

Yet - and also the absence of evidence doesn't mean the evidence of absence. Not all criminals are stupid, a smart one would wait till vigilance dies down.

Or it's already been distributed/used/sold, albeit not as a single large leak of data.
I dispute that the data doesn't belong to you, even if it was collected by someone else. That's the crux of the matter, isn't it? If the information shares entropy with me or my various states, because it physically came from my body or my actions, then there's a strong argument to say it belongs to me, its origin, no matter how far it has been transmitted.
I'm skeptical of the claim that only a nation-state could have done this. Too lazy to look it up now, but I could swear that it was publicized that they were pwned using vulnerabilities that had been publicly known and patched for months? That would be extreme negligence no matter how you slice it.

> Technically I don't "own" the data that Equifax has about me.

This itself is a big part of the problem. It should absolutely be illegal for companies to hold sensitive info like my SS# without my permission.

What do you think a Warren or Sanders position would look like on this issue because that sounds it would be exactly their stance.
Their donors might balk, however.
Lawyers are the scum of the earth.
I made sure to give as little information as possible when trying to apply for this settlement. I have no faith that that information will be secured, so we'll be doing this again in a year or two.
Cool, I just won a $200 bet with a friend of mine that these capricious bastards and the corrupt courts weren't going to do right AS ALWAYS.
American judges are "in on the take".

They claim they are often forced to accept the deal, because plantiff and defendant agree on a deal (that benefits them to the exclusion of the class).

This is American Justice, pure garbage . . .

now I'm "happy" I chose the credit monitoring option...
I feel weirdly vindicated that I didn't bother making a claim.
I just got a settlement check in Lovelace v Global Payments Inc (http://lovelacesettlement.com/). The grand total? 20 cents. Read the FAQ, it's fascinating: $540,000 total from the company -$135,000 lawyers fees -$2,500 settlement representative (whatever that is) -$164,224 to distribute the payment ----- $233,276 for clients.

I have no idea how much the company made by charging transaction fees on credit card payments for student loans (that's what they're accused of) but they got off with a slap on the wrist. They should have been required to give back ALL the money they made. Fucking scammers.

Settlement representative is the plantiff representing the class?
that's why i went with the credit monitoring in the end