In theory, organizations like the FTC exist to safeguard United States citizens. In practice, all too often, these organizations are far more beholden to the companies they supposedly regulate than the citizens whose rights they protect. Last week, the FTC announced a settlement with Equifax, in which individuals whose data was stolen — that’s basically everyone in the United States — were eligible for $125 in compensation. Given the breadth and importance of the data Equifax allowed to be stolen, one might think that kind of minimal compensation would be the least the company could offer, given that it leaked social security numbers, addresses, phone numbers, dates of birth, and names.
Now, however, the FTC has changed its tune. Far too many people have registered for the $125 settlement. Under the proposed settlement structure, only $31M has been set aside to provide these refunds. That translates to $125 for 248,000 people. The Equifax hack affected 147 million people. In other words, according to the FTC, only 0.16 percent of Americans were estimated to request $125. Now our government is begging its own citizens to accept near-worthless free credit monitoring (which costs Equifax literally nothing to provide) rather than asking for a tiny cash settlement in exchange for one of the most egregious database thefts of all time.
Just Buy It Pick Free Credit Report Monitoring
The FTC’s new blog post is headlined “Equifax data breach: Pick free credit report monitoring.” Robert Schoshinski, the Assistant Director, Division of Privacy and Identity Protection, writes:
The free credit monitoring is worth a lot more – the market value would be hundreds of dollars a year. And this monitoring service is probably stronger and more helpful than any you may have already, because it monitors your credit report at all three nationwide credit reporting agencies, and it comes with up to $1 million in identity theft insurance and individualized identity restoration services.
The FTC blog post does not note that the only reason the pool of cash for refunds is so small is the FTC deal with Equifax only allocates $31M to the relevant fund. While the agreement with Equifax included up to $425M to help victims of the breach, the overwhelming majority of the money is earmarked for other purposes. That’s dealt with in a separate press release. The government also doesn’t note that under the terms of the deal, it will be extremely difficult for anyone to prove an incidence of identity theft was tied to the Equifax database theft because that database has never been detected for sale on any hacking website. This implies it was stolen by a state actor rather than a conventional hacker.
Hurrah. R0ckH4rd69Lvr doesn’t have your data; Russia or China probably does. That’s vastly better.
Most financial websites do not agree with the FTC’s claim that free credit monitoring is worth “a lot more.” To quote Levar Burton, “You don’t have to take my word for it.” Here’s a sampling of quotes and links on the topic:
NerdWallet: “NerdWallet recommends avoiding such offerings from credit bureaus.”
US News & World Report: “It’s of some value if you are a victim of identity theft, but its value is rather narrow.”
CNBC: “Credit monitoring services may not be worth the cost”
CNN Money: “Most of what these products provide you can easily do yourself, and for free.”
LendingTree: “The paid credit monitoring services won’t necessarily monitor your reports any better than a free service.”
Maryland Attorney General Brian Frosh captured the spirit of the issue far better in his comments about the settlement last week. Speaking about the ~147M victims of the Equifax hack, he noted: “Most of them—most of us—did not sign up… We did not choose Equifax,” Frosh said. “It chose us. It collected our personal information, it compiled it, analyzed that information, and sold the product and some of the raw data to other people. Their carelessness with our personal data will cause harm perhaps for millions of Americans.”
Slate’s argument, made last week, was that customers had a moral obligation to claim this funding, to send a message to Equifax and other companies about the critical importance of data security and to hold them accountable for failing to do so. Nobody chooses to do business with Equifax, TransUnion, or Experian. These institutions compile financial records and credit reports on Americans without consent, to provide global information about one’s credit history. There is no way to voluntarily withdraw from the system and credit checks are so important for so many life events, there would be little practical way for any but the richest Americans to do so.
Facebook got hit with a $5B fine for Cambridge Analytica, but Equifax is skating by with a $671M fine. According to the FTC, this was a deliberate decision to protect Equifax. “We want to make sure we don’t bankrupt the company or have them go out of business,” Maneesha Mithal, a data and privacy subject matter expert with the FTC, told Ars Technica. “We want to make sure they have the funds and resources to protect consumers going forward.”
Yes. Because nothing speaks to the importance of protecting consumers like a slap on the wrist when a company loses the data of 147 million Americans. Nothing promotes trust like the FTC publishing a shameful, toadying blog post declaring the value of worthless monitoring services that the company being fined can provide at no cost to itself.
Details on how to object to the settlement, should you wish to do so, are on the FAQ linked at the EquifaxBreachSettlement page. You cannot ask the Court to change the settlement, but you can advocate for it to be approved or denied. A $125 payment for a few million Americans was bad enough, but the government’s behavior in this case, not to mention the terms of the settlement itself, are both insulting.