Steve Weisman is a lawyer, college professor, author, and one of the country’s leading experts in cybersecurity, identity theft, and scams. See Steve’s other Con Watch articles.
It was two years ago that Equifax, one of the three large credit reporting agencies, suffered a major data breach in which personal data of more than 147 million people was stolen. The personal information included the names, dates of birth, and Social Security numbers
The sad truth is that the data breach was avoidable, having been caused by hackers who exploited a vulnerability in an Apache software program used by Equifax. Apache had issued a security update months earlier, which Equifax failed to install in a timely manner. As a result of the negligence of Equifax, charges were brought by various state and federal agencies. The Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and all but two of the states’ Attorneys General have settled their claims against Equifax.
Individual claims under the settlement are now being accepted, although the settlement still is awaiting court approval, which is expected to occur on December 19, 2019. The first step for everyone is to find out if your personal information was affected by the data breach.
If you find that you were one of the 147 million people affected, here is a list of what you may receive under the terms of the settlement.
- Free credit monitoring for four years at all three credit bureaus — Equifax, Experian and TransUnion — and six more years of free credit monitoring at just Equifax. If you already have credit monitoring, you can choose to receive $125.
- Additional cash payments of as much as $20,000 for expenses you paid out of pocket in response to the Equifax data breach. These reimbursement payments are intended to cover data breach related payments made by you such as the costs of freezing and unfreezing your accounts (which until last September cost between $3 and $12 each time you froze and unfroze your credit reports), credit monitoring, and fees paid to accountants or lawyers related to the data breach.
- Payments related to the time you spent dealing with the data breach at a rate of $25 per hour. If your claim is for ten hours or less, you are required to describe the actions you took, such as freezing your credit reports at each of the three credit reporting agencies and the time that you spent on these activities. If your claim is for more than ten hours, in addition to describing what you did, you must also provide copies of documents showing that you were a victim of identity theft or other problems related to misuse of your information.
- Seven years of free access to assistance through identity theft restoration services in the event that you do become a victim of identity theft.
- Beginning next year, you can get seven free credit reports each year for the next seven years from Equifax, upon request. (Federal law already provides that you can get one free credit report annually from each of the three major credit reporting agencies.)
While many news reports of the settlement indicate that Equifax will be paying $700 million to settle the claims against it brought by the various federal agencies and states’ Attorneys General, that number is extremely misleading. Only $425 million of that amount is earmarked for the benefit of consumers, and only $31 million of that amount is allocated toward the $125 cash payments. The remaining $394 million allocated toward consumers goes toward paying for the cost of the credit monitoring provided for in the settlement and the reimbursement payments. In addition, once the $31 million dollars earmarked for individual $125 payments is exhausted, the payments will be reduced. Therefore, it is important for you to file a claim as soon as possible in order to receive the full $125. All claims must be filed no later than January 22, 2020. Note that no payments will be sent until after the settlement receives judicial approval, which is expected in December.
If you choose to receive free credit monitoring, once the settlement has been approved by the court and your claim has been approved, you will receive an activation code and instructions by your choice of email or regular mail. Cash payments will be made by check or debit card sent by mail once the settlement and your claim have been approved.
If you wish to opt out of the settlement and sue Equifax on your own, you must do so by filing a request for exclusion by mail no later than November 19, 2019. However, I cannot imagine any situations where it would be worth your while to do so.
Another aspect of this data breach that has been hardly reported on is that in the two years since the data breach occurred, none of the data stolen in the data breach has been put up for sale on the Dark Web, that part of the Internet where criminals buy and sell goods and services. Generally, following data breaches, the information is promptly marketed on the Dark Web as soon as possible to maximize profits. To date, there have been no reports of identity theft attributable to the stolen information. This has led many experts, myself included, to conclude that similar to the 2015 massive data breach at the federal Office of Personnel Management, this data breach may well be the work of the Chinese government, which undertakes such activities as a part of intelligence gathering and not for profit making.
Featured image: Shutterstock.com