Leave it to Equifax to find another way to hoodwink consumers. But it did. And this time the Federal Trade Commission (FTC) and other federal regulators and state attorney generals abetted through a flawed settlement.
The news world was abuzz last week with a proposed settlement to cover Equifax’s offensive handling of consumer’s most personal data. Even Alexandria Ocasio-Cortez tweeted about it to her 5 million followers:
What Happened Now?
In a blog post, Robert Schoshinkski, Assistant Director, Division of Privacy and Identity Protection at the FTC, claimed that the “the public response to the settlement has been overwhelming” and that there has been “an unexpected number of claims.”
As part of the proposed settlement, there is a fixed pot of $31 million to cover compensation for consumers whose data was stolen, but who may not have been victims of nefarious activity [yet]. Schoshinkski lays out the problem, which is “a large number of claims for cash instead of credit monitoring means only one thing: each person who takes the money option will wind up only getting a small amount of money. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.”
As a result, the FTC updated its claim page and is trying to steer people towards the free credit monitoring and away from the cash payment. Schoshinkski argues “frankly, the free credit monitoring is worth a lot more – the market value would be hundreds of dollars a year.”
Why Is This Ridiculous?
In his blog post, Schoshinkski used phrases like “overwhelming response” and “enormous number of claims filed” as justification for steering people to credit monitoring. But this begs the question: did he ever do the actual math?
Let’s help him out:
There was a pool of only $31 million allocated to compensate consumers who had their data hacked and the proposed settlement promised a payout of up to $125 per person. That means that the FTC assumed a maximum of 248,000 people would file a claim and ask for cash.
But remember, 147 million Americans had their data stolen, which means that the FTC assumed a claim rate of 0.17%. Yes, you read that right, it assumed that fewer than one out of a thousand people harmed would file a claim for cash.
Was it reasonable to assume that only 248,000 would want to at least get some money back after Equifax’s egregious handling of their data? Was it reasonable to assume that there wouldn’t be more anger and a desire to make Equifax pay for its security lapses?
Here’s another way to look at it: one million people filing a claim for cash would still represent less than 1% of all victims of the Equifax breach (0.68% to be exact). If one million people file a claim for cash compensation, then the $31 million pot would be split among them and each one would receive a check for $31.
If half of the 147 million victims filed a claim for cash, each would get $0.42. And if every single person filed a claim, then each would receive a check for a measly $0.21!
This is less about “overwhelming demand” than a tremendous failure on the part of regulators to accurately forecast Americans' anger at Equifax and desire to get at least some financial restitution.
Is This A Flawed Settlement?
While Mr. Schoshinkski uses a smaller potential payout to nudge people towards free credit monitoring, what it really illuminates is a potential flaw in the settlement that regulators negotiated with Equifax. Providing a fixed amount of compensation available to consumers is clearly in Equifax’s best interest because it caps the company's financial exposure. But does it really serve consumers who were affected by the breach? Instead, why not offer a fixed amount of money to anyone who files a claim?
Yes, this would make it harder for Equifax to forecast its liability, but it would help provide meaningful, and predictable, compensation for victims. (Let’s also remember that Equifax is a company with $3.4 billion in revenue for 2018).
What's The Ultimate Irony?
The irony is that the settlement does not cap Equifax’s cost to provide credit monitoring for those affected by the breach. Equifax is paying its competitor, Experian, to provide four years of monitoring and then it will provide additional monitoring for at least six years.
According to the settlement documents, each one million consumers filing a claim for credit monitoring costs Equifax $16 million. In other words, if all 147 million Americans who were affected by the data breach filed a claim, Equifax would be on the hook for more than $2 billion.
A lawyer representing consumers summed it up well: “If people want Equifax to pay more, sign up for credit monitoring”
Perhaps Mr. Schoshinkski of the FTC should have led with that?