Con Watch: Why You Need to File Your Equifax Claim Now
Steve Weisman is a lawyer, college professor, author, and one of the country’s leading experts in cybersecurity, identity theft, and scams. See Steve’s other Con Watch articles.
It was two years ago that Equifax, one of the three large credit reporting agencies, suffered a major data breach in which personal data of more than 147 million people was stolen. The personal information included the names, dates of birth, and Social Security numbers
The sad truth is that the data breach was avoidable, having been caused by hackers who exploited a vulnerability in an Apache software program used by Equifax. Apache had issued a security update months earlier, which Equifax failed to install in a timely manner. As a result of the negligence of Equifax, charges were brought by various state and federal agencies. The Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and all but two of the states’ Attorneys General have settled their claims against Equifax.
Individual claims under the settlement are now being accepted, although the settlement still is awaiting court approval, which is expected to occur on December 19, 2019. The first step for everyone is to find out if your personal information was affected by the data breach.
If you find that you were one of the 147 million people affected, here is a list of what you may receive under the terms of the settlement.
- Free credit monitoring for four years at all three credit bureaus — Equifax, Experian and TransUnion — and six more years of free credit monitoring at just Equifax. If you already have credit monitoring, you can choose to receive $125.
- Additional cash payments of as much as $20,000 for expenses you paid out of pocket in response to the Equifax data breach. These reimbursement payments are intended to cover data breach related payments made by you such as the costs of freezing and unfreezing your accounts (which until last September cost between $3 and $12 each time you froze and unfroze your credit reports), credit monitoring, and fees paid to accountants or lawyers related to the data breach.
- Payments related to the time you spent dealing with the data breach at a rate of $25 per hour. If your claim is for ten hours or less, you are required to describe the actions you took, such as freezing your credit reports at each of the three credit reporting agencies and the time that you spent on these activities. If your claim is for more than ten hours, in addition to describing what you did, you must also provide copies of documents showing that you were a victim of identity theft or other problems related to misuse of your information.
- Seven years of free access to assistance through identity theft restoration services in the event that you do become a victim of identity theft.
- Beginning next year, you can get seven free credit reports each year for the next seven years from Equifax, upon request. (Federal law already provides that you can get one free credit report annually from each of the three major credit reporting agencies.)
While many news reports of the settlement indicate that Equifax will be paying $700 million to settle the claims against it brought by the various federal agencies and states’ Attorneys General, that number is extremely misleading. Only $425 million of that amount is earmarked for the benefit of consumers, and only $31 million of that amount is allocated toward the $125 cash payments. The remaining $394 million allocated toward consumers goes toward paying for the cost of the credit monitoring provided for in the settlement and the reimbursement payments. In addition, once the $31 million dollars earmarked for individual $125 payments is exhausted, the payments will be reduced. Therefore, it is important for you to file a claim as soon as possible in order to receive the full $125. All claims must be filed no later than January 22, 2020. Note that no payments will be sent until after the settlement receives judicial approval, which is expected in December.
If you choose to receive free credit monitoring, once the settlement has been approved by the court and your claim has been approved, you will receive an activation code and instructions by your choice of email or regular mail. Cash payments will be made by check or debit card sent by mail once the settlement and your claim have been approved.
If you wish to opt out of the settlement and sue Equifax on your own, you must do so by filing a request for exclusion by mail no later than November 19, 2019. However, I cannot imagine any situations where it would be worth your while to do so.
Another aspect of this data breach that has been hardly reported on is that in the two years since the data breach occurred, none of the data stolen in the data breach has been put up for sale on the Dark Web, that part of the Internet where criminals buy and sell goods and services. Generally, following data breaches, the information is promptly marketed on the Dark Web as soon as possible to maximize profits. To date, there have been no reports of identity theft attributable to the stolen information. This has led many experts, myself included, to conclude that similar to the 2015 massive data breach at the federal Office of Personnel Management, this data breach may well be the work of the Chinese government, which undertakes such activities as a part of intelligence gathering and not for profit making.
Featured image: Shutterstock.com
Con Watch: Protecting Yourself from Data Breaches
Steve Weisman is a lawyer, college professor, author, and one of the country’s leading experts in cybersecurity, identity theft, and scams. See Steve’s other Con Watch articles.
Recently, the Marriott hotel chain announced that it had suffered a major data breach involving its Starwood guest reservation database. Starwood is a group of hotels bought by Marriott in 2016 and includes such well known hotel chains as the St. Regis, Westin, Sheraton and W Hotels. The data breach was discovered in early September 2018 by Marriott, but had been ongoing since 2014. The total number of people affected by the breach is estimated to be an astounding 500 million. 327 million had personal information stolen, including names, phone numbers, email addresses, and birth dates. Millions more also had credit card information compromised. Marriott and law enforcement authorities are investigating the matter, which appears to be the work of Chinese state hackers.
Marriott has set up a website with updated information about the data breach. If you stayed at a Starwood hotel between 2014 and now you should check out the website for more information.
It is an unfortunate fact of life that regardless of how careful you are about protecting the security and privacy of your personal information, you are only as safe as the companies and government agencies with the weakest security. You may have not stayed at a Starwood hotel in the last four years, but chances are you are among the millions of people whose personal information was compromised by data breaches at Equifax, Orbitz, eBay, Premera Blue Cross, Anthem, Lord & Taylor, Saks Fifth Avenue, T-Mobile, Hyatt, Brooks Brothers, Chipotle, Neiman Marcus, Arby’s, Staples, Kmart, Dairy Queen, Home Depot or Target, to name just a few.
With many companies and governmental agencies failing to take proper security measures to protect your data, it is truly more a question of when, not if, will your personal information be stolen by hackers. The threat of identity theft posed by a data breach is very much dependent on which personal information was stolen. At its most benign, email addresses or other similar information may be used by hackers to formulate spear phishing emails and text messages to lure you into clicking on malware-infected links. At its worst, such as in the Equifax data breach, sensitive personal information such as your Social Security number can be used directly to make you a victim of identity theft.
Protect Yourself Against Data Breaches
Taking the security precautions listed below can help prevent you from becoming a victim of identity theft.
- As much as possible, limit the amount of personal information that you provide to companies and institutions with which you do business. Your doctor’s office may ask for your Social Security number as a means of identification, but they have no legal need for it.
- Protect your own personal electronic devices, such as your computer and cell phone, by always promptly updating all of the programs you use when new updates or security patches become available.
- Don’t use your debit card for purchases because the liability protections for fraudulent use of your debit card are not as strong as those for credit cards. Limit your debit card use to your ATM.
- Use strong, unique passwords for all of your accounts so that if your password is compromised at one company, all of your accounts are not in jeopardy.
- Use dual factor authentication whenever you can for added security. With dual factor authentication, your online account cannot be accessed without a special code that is sent to your cell phone. This prevents someone accessing your account from a different device than you usually use.
- Regularly monitor your credit reports for indications of identity theft. Some companies charge for this service, but there are a number of good, free credit monitoring services available as well.
- Be skeptical of any email asking for personal information or prompting you to click on a link. Never provide such information or click on links until you have confirmed that the email is legitimate.
- Freeze your credit reports if you have not already done so. Freezing your reports is still the best single act you can do to protect yourself from becoming an identity theft victim and since federal legislation went into effect in September, you can freeze and unfreeze your credit reports for free.
- Visit Have I Been Pwned, a helpful website that tracks data breaches and whether you have been affected by them.