Is the Equifax Settlement Good Enough?
Lifetime Risk of Identity Theft Not Cured by Prepaid Monitoring Services
Who's happy with the proposed Equifax data breach settlement?
In 2017, the credit reporting agency lost personally identifiable information for 56 percent of all U.S. adults in part due to its substandard information security practices, including poor patch management.
This week, the Federal Trade Commission announced a proposed settlement in which Equifax would pay a $100 million fine to the Consumer Financial Protection Bureau, $175 million to 48 states and create a $300 million fund to compensate victims, which would rise to $425 million if required. The fund would be used to offer victims prepaid credit-monitoring services, as well as up to $20,000 in compensation for unreimbursed losses, provided they can be documented.
Some consumer advocates are already railing against the proposal. "It's a parking ticket, not a penalty," Ed Mierzwinski of the U.S. Public Interest Research Group in Washington tells Reuters (see: Consumer Advocates Criticize Equifax Settlement Plan).
It's also unclear if accessing the fund will require victims to jump through hoops to document unreimbursed losses. The proposed settlement would also allow victims to be reimbursed for up to 20 hours of work - at $25 per hour - for any efforts they undertook when dealing with "fraud, identity theft or other misuse of an affected consumer's personal information that is fairly traceable to the breach."
Victims will also receive 10 years of prepaid credit monitoring and seven years of prepaid identity-restoration services that Equifax has agreed to provide via third parties. Arguably, however, that diverts resources to the wrong place - namely, back to the credit bureaus and other businesses that sell identity theft and credit-monitoring (see: Congratulations: You Get 'Free' Identity Theft Monitoring).
Experts say there's no harm in signing up for such services when they're offered for free. But many recommend never bothering to pay for them. And some offer more pointed criticism. For example, Ashkan Soltani, who served as a senior adviser to President Barack Obama as well as CTO of the FTC, likens credit monitoring services to "snake oil."
Indeed, identity theft monitoring services often appear to be little more than a post-breach placebo proffered to powerless victims as evidence of a business "doing something" as an afterthought. Of course, what they should have been doing - but in so many data breach cases were not - was implementing the right technologies and procedures to prevent breaches, detect them rapidly and execute incident response processes rapidly.
"The irony of #databreach settlements is that much of the money often just *goes back* to snake-oil 'credit monitoring' services like @equifax and @LifeLock #EquifaxDataBreach #fullcircle pic.twitter.com/y9yXD8CJ8u"
— ashkan soltani (@ashk4n) July 22, 2019
But Equifax data breach victims have another option. Instead of signing up for identity monitoring services, they can take a $125 payout.
Who's at Risk?
Who's at risk from the Equifax breach? All victims, of course. Information exposed in the Equifax breach included combinations of some of the following consumer information:
- First and last name;
- Home or other physical address;
- Email address;
- Telephone number;
- Date of birth;
- Social Security number;
- Other government-issued identification numbers, such as a driver's license number, military identification number or passport number;
- Other personal identification number;
- Financial institution account number;
- Credit or debit card information; and/or
- Authentication credentials, such as a username and password.
For anyone who was a victim and wants to file a claim, head over to the FTC's Equifax Data Breach Settlement page. For anyone who's unsure if they were a victim, that page links to a site run by the settlement administrator that will tell you if your information was exposed, after you enter your last name and the last six digits of your Social Security number.
Who Hacked Equifax?
There's a wrinkle with this breach settlement. As with the breach of the U.S. Office of Personnel Management discovered in 2015, none of the stolen information has ever surfaced on the cybercrime underground - at least that we know about so far. Perhaps the hack of Equifax was the work of an intelligence agency (see: Chinese Man Allegedly Tied to OPM Breach Malware Arrested).
The potential espionage appeal is obvious: Stealing millions of government workers' background-check records from OPM and half of all American adults' credit reporting records from Equifax would be a great way for foreign intelligence agencies to build "big data" dossiers on individuals who they might want to recruit or blackmail.
As with the credit monitoring services offered to OPM breach victims, if Equifax was hacked by a foreign intelligence agency and the stolen data never surfaces on the cybercrime underground or gets put to use by fraudsters, then many aspects of the victim compensation begin to look like farce (see: OPM ID Theft Monitoring: Waste of Money?).
On the flip side, however, the proposed Equifax settlement could become a model that the FTC applies to other organizations that failed to put in place strong security controls and then got breached.
The $300 million that Equifax will pay into a victim fund - rising to $425 million if the initial outlay is insufficient - was negotiated by the FTC as part of its effort to enforce the FTC Act, "which prohibits unfair or deceptive acts or practices in or affecting commerce."
Equifax claimed to consumers that it was protecting their data and prohibiting unauthorized access, the FTC says. "In truth and in fact, in numerous instances, defendant failed to limit access to personal information to employees having a reasonable need to access this information and lacked reasonable physical, technical or procedural safeguards to protect this information," the FTC says in its complaint against Equifax.
Bringing the FTC Act to bear, however, is a regulatory kludge. What would be better is for Congress to pass a law that treated the handling of Americans' personal data as a right that could be granted to organizations and individuals, as well as rescinded. So far, however, any such legislation has yet to advance in Congress (see: Cynic's Guide to the Equifax Breach: Nothing Will Change).
Compare to GDPR
In the meantime, the proposed Equifax settlement raises this question: Are the sanctions commensurate with the damage that has been caused?
Under the proposal, Equifax will pay $100 million in fines to the Consumer Financial Protection Bureau, and a total of $175 million to state attorneys general.
For comparison's sake, the EU's General Data Protection Regulation, which went into full effect in May 2018, allows European privacy watchdogs to levy fines of up to 4 percent of an organization's annual global revenue or €20 million ($22.5 million) - whichever is greater - if they violate Europeans' privacy rights, for example, by failing to secure their personal data (see: Dear BA and Marriott: Your GDPR Fines Are Important to Us).
For 2017 - the year in which Equifax's breach occurred and was discovered - the credit reporting giant posted annual revenue of $3.36 billion, of which 4 percent would be $134 million.
That's about one-third more than the $100 million in fines that Equifax would pay to the Consumer Financial Protection Bureau, without counting the $175 million payout to states. Put those together, and it equals 8 percent of Equifax's 2017 revenue.
In Europe, GDPR allows breach victims to sue not only on the basis of material damages - such as lost money as the result of fraud - but also for non-material damages, such as inconvenience and stress. No such lawsuits, however, have been heard in court, meaning there's as yet no case law (see: British Airways Faces Class-Action Lawsuit Over Data Breach).
'Other Consumer Relief'
Back to the Equifax breach: Any of the $300 million that remains unclaimed by consumers can be used by the FTC for "other consumer relief - including consumer information remedies" - that are "reasonably related" to Equifax's poor security practices. Finally, "any money not used for such consumer relief is to be deposited to the U.S. Treasury as disgorgement," which is pretty much what happens with GDPR penalties.
In other words, whatever else breach victims might think of the proposed settlement, they can at least know that Equifax won't be getting any of the money back.
But is that enough, given that so many Americans face a lifetime of identity theft risk while the credit reporting giant continues to buy, sell and profit from their personal information, promising that this time, it's really safeguarded?