Last week, the FTC said the 147 million consumers impacted by the Equifax hack and leak would be eligible for a $125 cash payout as part of a settlement with the credit reporting giant. This week, the FTC abruptly backtracked, insisting that because the public’s interest in the money was somehow “unexpected,” most victims would never actually see these funds.
Experts say the sudden about face illustrates the flimsy nature of the settlement, and an agency that’s failing to take consumer outrage over repeated privacy violations seriously. As part of the $575 million settlement, up to $425 million was set aside to compensate those who could clearly prove they were victims of identity theft as a result of the breach. For those unable to prove clear financial harm (most of us), the settlement offered users either free credit reporting for ten years, or a $125 one time cash payout. But because the FTC only set aside $31 million to pay for these payouts, it quickly ran out of cash and is now falsely telling consumers the free credit reporting is a “much better value.” But because free credit reporting is routinely doled out as compensation for a steady parade of privacy breaches, it’s effectively worthless to most consumers. Many of these services also include terms of service restrictions that erode your legal rights. “The Equifax settlement is laughable,” Senator Ron Wyden said in a statement to Motherboard. “With just $31 million to be divided up by all the Americans who filed to receive their $125 check, Americans have the choice of receiving pennies for having their credit details spilled out online, or receiving virtually worthless credit monitoring,” he said. “Another clear failure by the FTC.” Tim Wu, a Professor at Columbia Law, told Motherboard the FTC’s assumption that just 240,000 of 147 million victims would put in a claim shows the agency really didn’t think things through.
“It is true that when it comes to remedies like this, the claims rates are low. Not everyone hears about it, or fills out the paperwork,” Wu said. “But the rate of no-shows assumed seems facially absurd, especially for $125.” James Grimmelmann, a professor of law at Cornell Tech and Cornell Law School told Motherboard the FTC’s failure to predict the public’s interest teeters toward negligence.
“Even a single-digit percentage claim rate for this one would have exhausted the $31 million 50 times over,” he says. “It was negligent on the part of the FTC not to expect that more victims would choose the cash payment in a case this prominent and this egregious, instead of the worthless credit monitoring.” Skipping the “credit monitoring song and dance” and offering smaller, straightforward guaranteed payout to every affected victim might have been underwhelming, but would have avoided the FTC making empty promises, Grimmelmann said.
“Say $10 for each victim, plus more for anyone could document their time, or had out-of-pocket costs,” he suggested. “Cap the first fund at $1.4 billion based on the known size of the breach, and set aside another billion for the second,” he suggested. In a statement to Motherboard, the FTC claimed that the $31 million set aside was intended to help pay for alternative credit monitoring services, not as a direct cash payout to all impacted consumers. The agency did not indicate why it found the public interest in this reimbursement “unexpected,” or why it capped the payment pool at just $31 million. “Our main focus was the credit monitoring product, largely provided by a third party vendor, as the primary source of relief for affected consumers because it was viewed as the best source of future protection from identity theft,” the FTC said. But Justin Brookman, Director of Consumer Privacy and Technology Policy at Consumer Reports, told Motherboard that the FTC is dramatically overstating the value of such services.
“The FTC's reliance on credit monitoring to punish Equifax also had the unfortunate side effect of messaging to people that credit monitoring is the most effective way to protect yourself from identity theft,” he said. “A credit freeze is far more effective (and free), but the FTC underplayed that with their settlement announcement, instead trumpeting all the money they're making Equifax spend.” And yet security and privacy experts say the $575 million settlement is a tiny fraction of the money companies like Equifax routinely make from your personal data, and that these penalties need to be raised dramatically if they’re ever going to be a genuine deterrent. “It’s pretty clear to me that the amount companies are earmarking for compensation has to significantly increase given the trend in the size and scope of data breaches we’ve been seeing,” former FTC CTO Ashkan Soltani told Motherboard. Chris Lewis, CEO of consumer group Public Knowledge agreed that an automatic credit freeze would have done a lot more to help consumers than free credit reporting. Lewis also noted that massive fines alone can only go so far. Put Equifax out of business without addressing the underlying oversight issues that make its security and privacy apathy commonplace, and you just wind up with another company doing the same thing, he said.
“I mean, that wouldn't have been the worst result—some companies need to go out of business in response to catastrophic failures of trust—but the credit bureau function would still be filled by someone else,” he said. “But a freeze-by-default regime makes it harder for attackers to abuse that system.” Lewis said the failure in the FTC’s privacy enforcement highlights one thing clearly: the need for the United States to finally pass a meaningful privacy law with serious corporate penalties for lax security and privacy practices. That includes a recent proposal by Wyden that would hold CEOs personally liable for their failure to protect private consumer data. “Unfortunately, past FTC announcements, including the recent $5 billion Facebook settlement comments by the FTC, have shown that the length of investigations and the risk of losing in court have chilled the Commission's will to push for more,” Lewis said. “Congress should take note and renew its urgency to include data breach protections in its effort to craft comprehensive privacy legislation,” he added.