The rollercoaster of stories that followed last month’s settlement between the FTC and Equifax was truly something to behold. The FTC touted its value, which critics excoriated as inadequate. Articles soon explained how to get a cash settlement for those who already have a credit monitoring service, but were quickly followed by those arguing that the widely-publicized $125 figure was dependent on the number of claimants for a $31 million pool. Some, like Karl Bode at Vice, said that the “FTC should fine itself for false advertising” after claiming that those affected could be eligible for $125.
I don’t think this fully grasps just how badly the FTC blew this settlement, and primarily for a reason almost entirely unrelated to the confusion about the $31 million fund for credit monitoring payouts.
I was among many who got this wrong when I repeated the claim of the $125 payout, and also in my summary of why that $125 figure may be incorrect, so I thought it would be valuable to go back to the settlement itself to explain why this is a raw deal. In its press release, the FTC summarized the divvying up of the $575–700 million settlement:
$100 million is paid as a fine to the Consumer Financial Protection Bureau
$175 million is paid to settle cases brought by 48 states, plus Washington D.C. and Puerto Rico
$300 million is set aside for a consumer restitution fund, which would compensate individual claimants directly
It’s that last bucket of cash in which two specific piles of money reside. The first is a $31 million pool for alternative payouts for credit monitoring, which the FTC required Equifax provide to claimants. But if a claimant already has credit monitoring, they can opt to be paid up to $125 instead. And we will get to that “up to” in a moment.
A second pool, also of $31 million, is to be used to compensate claimants for time spent dealing with the settlement. For example, if a claimant spent an hour on the phone with an Equifax representative to get their credit frozen, that would be paid out of this second pool.
The remainder of the $300 million is to be set aside for direct out-of-pocket losses arising from the breach, such as those stemming from fraud, identity theft, and so forth. None of the money from this settlement will be given back to Equifax, but the details are not as simple as the FTC portrayed, either.
I want to get the matter of the $31 million buckets out of the way first, and I think Lily Hay Newman of Wired explains it perfectly:
But not all is lost, and there’s still a decent chance that Equifax will pay you all $125. As Slate points out, the $31 million cap will lift, assuming Equifax hasn’t spent all of the $425 million in its “Consumer Fund” — money it has committed to things like covering people who can specifically document losses stemming from the breach — in four and a half years. At that point, whatever’s left of that $425 million will be applied to the $125 payouts, presenting much better, if belated, odds.
Like all things Equifax, this does not come without a caveat. Even if the full $425 million in the consumer restitution bank account goes towards $125 payments for compensation of credit monitoring services, that amount would only support the claims of 3,400,000 people. Over forty-three times that number were affected by this breach.
Also, because this bucket is part of a pile of money with broader scope, those claims will be mixed with requests for compensation of time spent, as well as direct losses from fraud.
A bigger problem still is that this settlement is designed to mitigate the financial damage to consumers. That would be handy if this data were stolen for economically opportunistic reasons, but that doesn’t seem to be the case. A February report from Kate Fazzini at CNBC noted that no Equifax breach data had surfaced anywhere, despite financially-motivated hackers usually publicizing their haul with urgency.
A more likely scenario is that those responsible for exfiltrating Equifax’s files were state actors. A Bloomberg story from September 2017, citing investigators and those briefed on their findings, claimed that China was a likely culprit, though another country could be responsible.[1] It is likely that the data stolen — which comes from a financial firm, making it ostensibly more accurate than any old data dump — could be combined with other sources to target specific individuals, per Fazzini’s reporting and Bloomberg’s story.
This settlement does nothing to dissuade state actors from continuing to pilfer sensitive data, nor does it encourage care for those who stockpile information like this. Of course, the FTC has limited scope and powers. It could not accomplish the former, but it certainly could attempt the latter.
Instead, the Commission agreed to a weak deal that barely impacts Equifax’s financial status and does little to encourage better behaviour in data-hoarding industries. Even if this were a financially-motivated crime, this settlement does not protect those affected. But this breach was so much more, and this settlement doesn’t begin to address the far more serious and more likely rationale.
-
[1] I am obligated to point out that this Bloomberg story bears in its byline the two reporters responsible for the inaccurate “Big Hack” feature.
By the way, that story just won the Black Hat Pwnie for the most overhyped bug. Congratulations — I guess? — Michael Riley and Jordan Robertson.