Do it anyway, but worth mentioning that the maximum penalty is _not_ $700M, but $31M. If more than 250k(ish) people sign up, the payout per-person goes down. [1]
A lot of the $700M settlement is being used for Equifax to pay itself money for monitoring.
They will be giving away their "ID Patrol" product ($16.95/month) for four years, and charging the fund $813/each. Essentially the left hand is going to pay the right hand and it is considered a "fine."
Imagine a defective physical product went out. Then the company sent out repair kits. Those kits have a real cost to produce/ship/etc
It would still seem kind of silly that a company is sending me repair kits instead of money I can choose whether to invest in repairs or not, but so it goes
I would presume the law is a bit better in the physical world as making repair kits directly impacts your balance that you can’t use for anything else, at the least.
I think your analogy misses the key point, that is in your analogy the company that sent out the defective physical product is now "fined" by the US government and forced to send out repair kits to those that request them; when a user requests this repair kit the company charges the fund created by the "fine" $813 to send out the repair kit even though the repair kit cost is pennies.
Because not enough voters have the time/resources/inclination to make it an issue that can vote in the amount of politicians needed to make it right.
All the higher ups get plausible deniability and the headlines in the news, and nine out of ten people’s eyes will glaze over by the time you say conflict of interest.
The difficulty in being able to assign a numerical value to damages is a big problem, as it allows the defense to contest the claims of the plaintiff very easily. At that point, it just becomes a situation of the plaintiff (and their lawyers) figuring out the likelihood of winning the case multiplied by the winnings, and it wouldn't make sense for the plaintiffs to keep arguing for the maximum (or real value) of damages since it's not "provable" and then you're stuck in appeals and whatnot.
I wouldn't think the judge in the case can actually do anything in cases where the plaintiffs and defendants reach an accord, or at least the corruption needs to rise to a level higher than what is seen in this case.
I’ve said this before, but assigning monetary damages is easy: poll Equifax’s attorneys (and maybe their execs) about how much it would take for them to be willing to release their entire Equifax file into the public record. Then, actually do it — introduce their entire credit files into the case record. Take the average amount from the poll, multiply by the number of people affected, and there’s your number.
yes chances of getting more than a few bucks are slim. $125 is the max payout. if everyone affected signs up the payout is a few cents. so its somewhere in the middle.
Question that doesn't seem to be answered: If I take this payout now and I find out later that my data has been used and I have to spend time later to fix it, can I come back for the second part of the payout?
Edit: Question 12 on their FAQ says I can come back for more if there's damages in the future:
Is there a way to absolutely verify that this website is, in fact, the correct one and not a scam to collect personal info? Ironically, if they had used the Equifax domain instead of equifaxbreachsettlement.com I would have felt more comfortable filling out that form.
Basically all class action lawsuit websites have sketchy URL's and appearances. This seems to be par for the course and might deter people from signing up which just puts more money back in Equifax's pocket.
I'd imagine you'd only have a chance to win by default judgment unless you can someht prove Equifax caused you monetary loss, which would be extremely difficult.
Can you share the docket numbers of people getting $8k default judgements?
You can't claim the $125 unless you assert you currently have credit monitoring and will for >= 6 months. You can't just go and claim $125 without lying or giving your info to some additional org to enroll in credit monitoring.
If you have a credit card (I can say for sure, any Amex card and any Capital One Card), and you plan to keep those cards for 6 months, then you satisfy the requirement
Despite their business model, I'd still recommend signing up as a fraud prevention measure. If you don't sign up, someone with a trivial amount of your info can sign up for an account and get more of your info, with the ultimate goal of identify theft.
> If you read their privacy policy and ToS you'll learn they are able to sell your data as part of all the free services they provide you.
So my choices are let a 3rd party pay the credit agency for that info and I get nothing, or let CK pay the credit agency for that info and I get something for free.
most credit cards give you credit reports for free
different cards (banks) have relationships with different credit unions, if you have a diverse portfolio of cards, you can get more reliable data than CK direct from the Credit Union for free (or for the annual fee of your card)
Why would Credit Karma need to sell your data to other companies? Other companies already have the same high level access to your credit without you giving them permission to it.
Credit Karma tries to sell you services based on your credit.
Companies like Credit Karma or even companies like Facebook and Google don’t sell your data. They sell access to you based on the data they have.
The distinction makes a big difference. If a law is passed saying that a company is not allowed to give out your data, it doesn’t really hurt companies.
I'm not talking about just the credit angle, which is not as big of a threat as their recent schemes to "file your tax filings for free" -- this gets them access to very sensitive information that no one else can get access to, outside the IRS themselves. This is very valuable data to sell (esp with your credit information and other data).
They did a MASSIVE campaign around the Tax Filings and many people simply 'opted in' because they had CreditKarma and it was Free, without realizing what they were trading away for 'Free'.
Does anyone know of any uber cheap monitoring services that last at least 6 months?
Also, I suggest billing Equihax for time spent changing emails, phone numbers, etc to make your identity less susceptible ("the time you spent remedying fraud, identity theft, or other misuse of your personal information caused by the data breach, or purchasing credit monitoring or freezing credit reports, up to 20 total hours at $25 per hour.")
Ive been enjoying Credit Karmas service. Great tracking and some cool tools. Their tax service is also very easy to use, much easier that when Ive used TurboTax's online service.
"Credit monitoring" is not limited to merely paying the surveillance companies themselves to give you a heads up if they're working on a new conspiracy against you. It is only within their own paradigm that the general concept of credit is subservient to their own databases.
My credit is self monitored. Any credit/contract taken out claiming association with my public identifiers (eg name, SSN, etc) but without legal notice to my longstanding address of record is prima facie invalid. So I review all of the junk mail that comes into my mailbox, which does cost actual time, primarily due to the negligent operations of these ambient-authority-demanding surveillance shitheads.
There are so many things wrong with this I don't know where to begin.
While I agree with the premise that we should make security breaches as painful and expensive as possible for negligent parties such as Equifax, the manner of this claim feels completely off.
For starters, I have to submit information to a 3rd party, and that in fact will start a process that I, as a victim (potentially, at least) of Equifax's negligence, must complete. Moreover, even the actual damages I will be entitled to is quite unknown. I realize a lot of this is due to class action law, but it's still woefully insufficient.
Furthermore, reading through the fine print, at least according to other analysis I've read about it, you also have to enroll or already be enrolled in some kind of identity protection program (such as what Equifax offers themselves). So, I would to have to opt-in to a system I am trying to stay out of in the first place.
And why do I even have to confirm my info? If Equifax has it already, then they should reach out to me, as a victim of their negligence.
There is more, but these are the most glaring issues. I realize there's not a lot that can be done, but these factors give me a strong distaste for this and I think we are deluded in thinking this will actually amount to anything more than a slap on this wrist or even cost them much of anything. It's going to cost them up to $31 million based on people's claims. It likely won't cost them more by me filling out the claims, but it will cost me as I'll have to become further entrenched in a monitoring system that got us into this mess in the first place.
But were you an adult when the breach happened? The paper form says this: "If you were over the age of 18 on May 13, 2017, and wish to file a claim form, visit www.EquifaxBreachSettlement.com. Do not use this claim form."
There are links to two different forms on the File A Claim page [1]: A PDF for adults as of 5/13/2017 [2], and one for minors as of 5/13/2017 [3].
It looks like, if your goals are a balance between receiving the settlement, privacy, and effort, the PDF (probably [2] if no minors were involved) is the way to go.
Actually looks like everyone should claim 20 hours of your time wasted at $25 an hour and get $500 (Option 2 listed).
I certainly had a lot of time wasted trying to figure out what to do and then taking more actions to protect from possible consequences of their screw up.
You won’t get it because the fund for $125 and $250 penalties are $31M each, so it will be prorated down if number of claims exceed the maximum number allowed for a $125/$250 claim.
I am on the opposite end of the time spectrum, but I claimed one hour for research and monitoring, and $1 for printing and mailing the form, just as a matter of principle.
10 hours and under they don't require any proof, as per the directions on the form. The $125 is available to anyone who was in the breach. Since my husband and I signed up for LifeLock shortly after the breach, and (to our recollection) spent at least 10 hours going through our bank accounts and financial records to check for fraudulent charges, we should be getting around $800 each. You only need documentation for time spent if you go over that 10 hour mark. For LifeLock documentation, we just submitted our LifeLock billing history page as a PDF.
I've seen a couple of people check to see if they're eligible and get back an answer of "no".
This is a pure curiosity question, but I didn't think Equifax knew which numbers had and hadn't been leaked -- my impression was just that hackers got access to the full database. When the original announcement came out, wasn't there a big thing about how they were basically flipping a coin and returning a random result every time you checked if you were affected?
Are they really able to determine which social security numbers were stolen?
>diverted to anti-identity-theft measures and charities [...] identity protection[...]
This is not to rag on boingboing in particular at all, this sort of language has become ubiquitous, but it's still incredibly frustrating. I have to wonder if "identity theft" represents one of the most effective bits of propaganda/doublespeak ever coined. The very wording flips around cause and effect and in turn responsibility. In reality people don't generally get their identities stolen, institutions/organizations fail to properly verify it. If someone claiming to be me applies for some financial service and the bank goes ahead and grants it, it's not that my "identity was stolen" it's that the bank/industry did a piss poor job of verifying it. It should be between them and the party that committed fraud, and if they go after me instead then they too should be punished for it as literal accessories to the fraud.
Instead we've ended up with this madness where parties A & B can do a transaction, and then party C can end up being pinned with it without ever having so much as a single interaction with A or B. There has been an internalized sense of helplessness and blame shifting that has allowed the industry to skate by something that we absolutely have the technology and economics to solve to a high degree. The article is not wrong that we should expend some effort to try to make sure that at least this minimal fine sticks a bit, but I resent having to be involved at all and having to give my info yet again to the guilty and having to buy into their root cursed fraud scheme and jump through their hoops.
What's really needed is a blanket law stating something along the lines that no unconnected 3rd party is ever liable for transactions between others, and that anyone who then goes after them for it is not only strictly liable for all expenses and damages but also minimum 3x punitive damages as well and some minimum flat level per incident too.
What's the problem with that? We have cameras, passwords, tokens, witnesses. Tell credit issuers to demand photo of person holding up ID and a thumbs up instead of just typing in a social security number. If that still results in too much fraud, then the lender is incentivized to do more research and verify in person that the person is who they say they are.
Right now, in the interest of increasing commerce, we're forcing everyone in society to bear the burden of this specific fraud and the benefits go to the lenders. If person A is being defrauded by person B pretending to be person C, then person C has no reason to be involved unless they aided person B.
So, every consumer needs a computer with a web camera that can actually focus on their ID (not all do), plus we have to share pictures of ourselves holding our ID with anyone who asks for it. And then it will inevitably leak.
This is placing the burden on consumers in a different way.
I don’t see why anyone is entitled to credit via a couple form fields on a website. The burden is placed on the lender and the borrower. If the lender wants to come up with their own way that doesn’t need ID and a camera, they can.
The burden is lifted from the rest of us who somehow got tasked with making sure lenders aren’t making errors with the risk of losing hours of our lives fixing someone else’s problem.
It’s ridiculous that after your child is born, you’re supposed to spend your time to place a credit freeze at the 3 credit bureaus. Transfer the liability of identity fraud to the lenders, and they will figure out the solutions in no time.
Not the consumer as I read it but the credit issuer would have to collect this evidence, so they would have the burden. Also this would help build a reputation that is auditable of the credit issuers.
This feels like an idea that would benefit consumers and be a business opportunity targeted at creditors if we could only convince them this is their responsibility.
That would be the value add that companies like Equifax should offer as a B2B or B2C service. Instead of blindly attributing debit to profiles without verification, they could act as an intermediary to establish and verify credit relationships.
Each party is verified and the relationship is verified to ensure non-repudiation.
Isn't that what they already do? You apply for a credit card, get a few multiple choice identity questions, and if you answer them right, they assume you're the right person.
They're assuming, not verifying and the information they use is specious at best. It's sourced from 3rd parties and not verified by the individual. A perfect example of lack of verification and the weakness of their data is your history of addresses. Divorcees often find their ex's new residence will show up on their credit profile as their residence for years after being divorced.
An identity verification system would require the individual establishing their identity with the credit agency and provide as much or as little credit establishing information.
When a B2C transaction is established, the customer would provide the business with a token identifying the credit profile they want to use and the business would request a credit chect with it to the agency, and if the business accepts the credit score they can both acknowledge to the credit agency they wish to do business.
Innocent until proven guilty isn't it? If companies want to easily proof that someone did the transaction in question, all they have to do is verify the identity properly.
>however then the burden shifts to proving that person C was not really person A
First: No. The burden is on B to prove that C is A, the default should be that if they cannot quite definitively identify the counter party then tough cookies. And they need to do this while covering all expenses and time value with interest in the event they're mistaken.
Second: if only! Most identity theft is not even remotely subtle. It's people walking in with mediocre quality forged documents or minimal info literally hundreds or thousands of miles from any location C has ever visited in their lives. Or someone randomly claiming to be C via some simple 10 digit government number and an email address C has never used. Etc etc. It's not exactly mission impossible hacking-a-passport-and-wearing-full-3D-facial-prosthetics-and-voice-changer stuff we're talking about here. Standard "ID theft" is just from a financial party with all the incentives to push through acceptance as frictionlessly as possible and then simply hound whomever they can try to pin it on and feed them into "debt collection" systems until most people cave.
What the law needs to recognize is that everything about this should be literally criminal. The original criminal is the one who committed the original fraud. But everyone who goes along with it from then on out, every single 3rd party directly trying to steal money or time or whatever from the innocent victim, is an accessory to that fraud. All of them are involved, though as always they can seek (after paying their penalty) to shift expense/liability back up the chain if they can prove it. It's their fault for insufficiently verifying the original counter party, and then they've compounded it by seeking to defraud someone unrelated.
Having worked in the financial industry for a few years, this is definitely necessary. Financial companies over the last few decades have shifted from a culture of responsibility to a culture of sales. There is constant pressure to "streamline" the underwriting process, i.e. cut out safeguards and checks and throw money at people as quickly as possible. When there are no effective incentives to do a good job, they aren't going to do it, and the burden will be shifted off to the public.
The larger issue with identity theft than the inconvenience of proving that the transactions aren’t yours, is that it can lead to the victim being charged criminally and arrested.
I knew someone who had her identity stolen, she took all of the proper steps - going to the places to prove it wasn’t her, filed police reports, etc. and she still got arrested for various fraudulent activities like check kiting and theft by conversion. She ended up in jail for a weekend while relatives brought various forms of proof that there was already an ongoing investigation. She had a warrant out for her in another county that she didn’t know about.
I mostly agree with you here, but I think your rhetoric lets (those currently viewed as) the perpetrators off too easy. The companies are failing in their duty, but the fraudsters are actively malicious. Beyond the rhetoric, I don't think you've actually proposed reducing our punishment/pursuit of those people. Your proposed solution is very interesting.
With the proposed solution, banks and other companies would have more incentive to prevent themselves from being duped by a criminal claiming to be me because they know there is less of a chance of getting the real me to pay up in order to clear my credit. This should have the effect of reducing fraud because it will be less lucrative.
Agreed. My criticism wasn't of the solution but (as I tried to make clear) solely of the rhetoric - if "banks are blameless, it's only the fraudsters" flips responsibility, then that should mean that actually fraudsters are blameless. In fact there's blame to be shared by both banks and the fraudsters, and possibly the victim (depending on the details).
I have a proposal, and I am certainly not the right person to implement it, but I hope that someone reads this and will.
I would love to dedicate my $125 (assuming I am part of the breach, which is almost certain) to the pursuit of damage, and possibly incarceration, for the Equifax CEO and top executives at the company.
Give me a reputable law firm willing to take my donation, with clear use of proceedings. I bet thousands of people would love to spend that $125 this way.
Why do boingboing articles make their way to this forum? Its an opinion based kinda joke website that just posts content sourced from other websites, then adds their own opinions on that.
Yes its articles are somewhat fun to read, but when posting to HN, just post the real article, which is always linked in the website.
I believe we need to move away from fines and force corporations to give up voting shares. A special class of shares with little to no financial benefit held by public trusts.
1) If the public trust doesn't reach 50% of voting shares then what difference will it make?
2) If the public trust does reach 50%, then it's no longer a for-profit company, but rather full socialist government/public control of the economy
Fines are fine -- they reduce the value of shares and therefore the bottom line. They just need to consistently outweigh the potential profits from bad behavior.
If fines are too low, the solution isn't to find another fix -- it's just to raise fines more.
You don't need to have 50% of voting shares to have significant power over a company, if no one organization has 50% of voting shares.
If you have 10% of shares and two other organizations have 45% each, and those two organizations have a conflict, you get to choose which of those two organizations has control over the company. Those organizations are both incentivized to make your needs a priority in order to secure your votes. In this situation no single group can choose the destiny of the company without the assistance of one of the other groups.
Wow... it really is easy and takes only about 60 seconds to do, and doesn't require signing up for any new services or anything. I'm kind of amazed. Just go to:
You put in your last name and the last 6 digits of your SSN (not full SSN), it tells you if you were impacted, you give your full contact info, select the option for $125, it gives you an option for check or gift card, and done.
Legally it requires that you already have some form of credit monitoring, which from other comments here seems that many credit cards already include (mine do, e.g. Capital One).
But... I'm kind of amazed it's so easy. This really ought to be done by everyone who already has a credit card that provides free credit monitoring. I never thought I'd get to have a little feeling of personally holding Equifax accountable in a small way, but here we are. :)
You're right... if you click "File a claim today" at the top it doesn't ask for your SSN.
If you scroll down and click "Find out if your information is impacted" that's where you put in the last 6 digits of your SSN and it tells you, and then brings you straight to the form if you're eligible.
I'm not sure what will happen if you file your claim but you weren't affected... it might just be ignored then?
I don't think it's hard for anyone to claim 10hrs on this. Just reading the news/basic research over the last 1.5 years can quickly reach 10hrs.
For me, I also signed up for credit monitoring a month after the breach announcement and have since been getting spammed every week with various credit alerts. If I spent 10 min on each mail and got 1 email/week over the last 1.5 years that would be 13 hours of pondering credit spam.
It is idiotic to fill out the form. They want my name plus the last six digits of my SSN! That leaves only a puny 3 digits unknown. This is why there is identity theft in the first place.
You must be looking at the wrong form. To claim the $125 they ask for your name, mailing address, phone number, email address and birth year. That's it.
I think the best course is actually to opt-out and reserve the right to a lawsuit when your identity gets stolen eventually. Wish there was a simple point-and-click letter generator to opt-out. The govt makes opt-out hard.
Note: you only get $125 if you previously paid for credit monitoring. If not, your "payout" from this settlement will simply be a few years of free monitoring. Not terrible, but not quite as exciting as the free money you'd expect from the headline.
Last night when I went and took a look at the claims site, I noticed they were loading Facebook and twitter scripts.[1] These scripts were even on the pages that ask for PII. I can no longer get back to the form page to get a screenshot as it's 403, for me, now. I would definitely suggest not using the online claim form, as they've polluted that with tracking.
Here’s what I don’t understand: my payout with credit monitoring is worth $125, and without credit monitoring its “worth” over $800. If you multiply $125 by the number of people affected, that value exceeds Equifax’s market cap. Why does Equfax deserve to survive if they literally caused more damage than the market thinks they’re worth?
[1] https://twitter.com/rufo/status/1154872589241802753
reply