Equifax could pay up to $700 million as part of a settlement related to the 2017 hack that exposed the personal information of roughly 147 million consumers. Despite the settlement’s size, it may be insufficient in addressing the issues consumers affected by the hack may face.
The settlement specifies that a consumer must provide the settlement administrator with the timing of any losses and proof that the loss involved misuse of consumer information accessed through the breach.
On the surface level, the settlement does provide some financial relief to these consumers. Every person can get up to $500 as reimbursement for the time spent “taking preventative measures or dealing with identity theft,” the court papers outlining the settlement said. Up to 10 hours can be self-certified, meaning no documentation is required, for $250 in relief.
Additionally, affected consumers can get four years of credit monitoring and identity protection from the three credit bureaus: Equifax EFX, +0.39% Experian EXPN, +0.25% and TransUnion TRU, -0.29% After that, Equifax is offering another six years of credit monitoring. Consumers who already have credit monitoring can instead be paid $125, per the settlement.
Finally, the fund handling the settlement will pay up to $20,000 “for documented losses fairly traceable to the breach,” the court filing said. This includes everything from credit-monitoring services to attorney’s or accountant’s fees.
For the average identity-theft victim, this restitution would be significant. In 2018, 14.4 million adults in the U.S. were victims of identity fraud, according to a recent study by Javelin Strategy & Research. On average, the perpetrator stole $1,016 per victim. Meanwhile, the average cost to consumers was $117, and the average time spent resolving the fraud was 9 hours.
However, some forms of identity fraud were more costly — both in terms of the money lost and time spent. New-account fraud, in which criminals use a consumer’s personal information to open a fraudulent account in their name, costs consumers $318 on average. And it takes these victims twice as long on average to resolve the situation
For consumers, getting full relief may be ‘virtually impossible’
While some of the consumer relief on tap is made available to consumers with no questions asked, getting reimbursed for documented losses tied to the breach could prove difficult.
The settlement specifies, per the court filing, that a consumer must provide the settlement administrator with the timing of any losses and proof that the loss involved misuse of consumer information accessed through the breach (such as birth dates and Social Security numbers) and that the loss was “reasonably incurred as a result of the Data Breach.”
A spokesperson for the New York attorney general’s office contended that consumers will not be required to prove specifically that an instance of identity theft was tied to the Equifax breach, but simply that the situation occurred after the hack and resulted in financial losses. (Equifax declined to comment.)
‘The settlement provides some compensation right now, but the risk of identity theft is forever because our stolen Social Security numbers can be traded by hackers in perpetuity.’
The spokesperson also argued that the money being given for time lost was meant to reimburse even those consumers who may have already recouped lost funds from their bank or another financial institution.
But if the settlement administrator does choose to be more stringent in what proof consumers must provide, that could make matters difficult for those looking for restitution.
For consumers who experience identity theft, “it’s virtually impossible to prove that it’s the result of any particular breach,” said Justin Brookman, director of privacy and technology policy at Consumer Reports.
The perpetrators of the 2017 hack have yet to be identified. Consequently, it’s impossible to know what their motivations were and how consumer information may be used.
To make matters more complicated, criminals may now be able to piece together information they obtained from multiple breaches to more effective steal people’s identity.
Plus, with so many other data breaches occurring in recent years, it can be hard to know which one led to a criminal getting a person’s information. To make matters even worse, criminals may now be able to piece together information they obtained from multiple breaches to more effective steal people’s identity.
Another issue that could arise is timing. “The settlement provides some compensation right now, but the risk of identity theft is forever because our stolen Social Security numbers can be traded by hackers in perpetuity,” Chi Chi Wu, staff attorney at National Consumer Law Center, said in a statement. “The time period to file a claim, at most, is four years. What happens if a consumer is the victim of ID theft in the fifth year resulting from the breach, which costs the consumer tens of thousands of dollars?”
As for the time constraint of the breach, the New York Attorney General’s office spokesperson pointed to the availability of up to 10 years of free credit monitoring as the settlement’s acknowledgment of how long after a breach consumers can remain vulnerable.
In cases of identity theft, consumers lose more than time and money
The jury is out on whether or not the Equifax breach resulted in any cases of identity theft. The credit bureau maintains it didn’t, but regulators suggested otherwise in announcing the settlement.
For anyone who might have experienced this, the true cost can be difficult to quantify. “Resolving identity theft can take months and is a mentally draining slog through bureaucracy,” said Paul Bischoff, privacy advocate with cybersecurity-advice firm Comparitech.
‘Resolving identity theft can take months and is a mentally draining slog through bureaucracy.’
“Victims are required to dispute errors in their credit report with each individual business involved. Bill collectors can be ruthless and persistent, even if you don’t actually owe anything. After all is said and done, previous victims of identity theft are at a much higher risk of it happening to them again compared to someone who has never been a victim.”
A 2016 study from the Identity Theft Resource Center suggested that 60% of identity-theft victims experienced anxiety as a result, while 74% said it caused stress. All told, two in five identity-theft victims reported losing sleep over their situation. Not only can this have a profound effect on people’s physical health, but research also shows it can harm people’s productivity and lead to lower earnings.
As more of our life is conducted online, fraudsters have an easier time targeting customers’ accounts and identities, said Kyle Marchini, a senior analyst in fraud management at Javelin. “Not only are these types of fraud more challenging for victims to resolve, they also have a heavier emotional impact on victims since they strike directly against the victim’s belief in the security of their accounts or identity,” Marchini said.
The spokesperson for the New York Attorney General’s office argued that the size of the settlement is reflective of the enormous impact it had on consumers’ lives.
Mark Begor, Equifax’s CEO, expressed this same sentiment, noting at a Monday press conference that the total payout was “by far, the largest ever” for a data breach case. “It reflects, from our perspective, the seriousness in which we took this matter.”
Equifax denied any wrongdoing in the breach as part of the settlement.
Ultimately, any financial settlement may be incapable of making up for this erosion in trust, experts say. Instead, consumers might need to take it upon themselves to protect against future instances of identity theft by monitoring or freezing their credit.
(Andrew Keshner contributed to this story.)
This post was originally posted at http://www.marketwatch.com/news/story.asp?guid=%7B3F1B9A12-ACCA-11E9-AAD1-6816FA4736EF%7D&siteid=rss&rss=1.