Last week, news broke of a large financial settlement for the massive 2017 Equifax data breach affecting 147 million Americans. While the direct compensation to those harmed and the fines paid are important, it’s equally important to evaluate how much this result is likely to create strong incentives to increase data security for both Equifax and the other companies that are closely watching.
We doubt it will do enough. Without stronger privacy legislation, the lawyers and regulators trying to respond to these data leaks are operating with one hand tied behind their back.
In the meantime, EFF strongly urges everyone impacted by the calamitous Equifax breach to participate in the settlement claims process. Equifax must pay for the harm they have caused to everyone. And all too often, the fact that too few people make claims in these consumer privacy cases is used in the next case to argue that consumers just don’t care about privacy, making it even harder to force real security upgrades. If you do care about your privacy and want to make companies more responsible with your data, make your position known.
Overview of the Equifax Settlement
The ultimate Equifax settlement number is flexible—Equifax will initially pay $300 million into a fund that will provide breach victims with credit monitoring services, reimburse (up to 25%) for credit monitoring services purchased from Equifax, and compensate for other out-of-pocket expenses incurred as a result of the breach. If the $300 million is not enough to compensate affected consumers, then Equifax is required to pay an additional $125 million into the fund. Equifax will also pay $275 million to states and the Consumer Financial Protection Bureau. Those are big numbers, but they don’t paint the whole picture.
To get some perspective, a potential total settlement amount of $700 million is less than a quarter’s worth of Equifax’s revenue in 2017. So, while it’s a lot of money to you or me, it isn’t that much to Equifax.
Out of the potential $425 million available to consumers, only $31 million is initially available for consumers if they elect to receive a $125 cash payment instead of credit monitoring services. So, the amount paid out goes down after 248,000 people elect this remedy. If all 147 million affected people were to file for a claim, each person would receive mere 21 cents for the breach of their most sensitive personal information, although there are some contingent provisions in the settlement that might increase that amount.
If a consumer chooses to forego the cash payment, they can enroll in credit monitoring services for 10 years—though only the first 4 years include monitoring at all 3 major credit bureaus, and the remaining 6 years are only for monitoring the Equifax credit report. Moving forward, we hope policy makers will require consumer credit reporting agencies to provide free-and-easy credit freezes, in addition to any credit monitoring.
In addition, the settlement includes compensation for consumers’ out-of pocket-damages. For instance, it includes hourly compensation for time spent dealing with the immediate aftermath of the breach in Equifax’s horrible, slipshod processes (up to 20 hours), and damages for misuse of personal information as a result of the breach. All data breach victims will receive access to identity theft recovery assistance for a period of 7 years. This is especially helpful, since the U.S. currently has no good ways for people who suffer identity loss to set the record straight. Instead they are forced to rectify the problem piecemeal at each individual place where they need credit or a clear identity, so help doing that one-by-one negotiation could be a good thing.
The settlement also includes some ambitious notice provisions, including a multi-part plan to try to give notice to the 147 million people potentially impacted and to make sure that they are aware of and can use the identity recovery service even a few years later.
Aside from the money, Equifax will have to set up better security practices—although the company should already have had these practices in place before the breach even occurred. The new security practices will include a third-party auditor who will monitor and report Equifax’s compliance with the security practices in the settlement to the plaintiffs’ attorneys, the FTC, and some state Attorneys General. We would have preferred a process where the public was informed of Equifax’s compliance, rather than the information being kept secret. But still, this may mean that future bad decision-making around security will be avoided or caught before another breach.
We Need Better Privacy Laws
The bad news is that this result is still far from what is needed to incentivize companies like Equifax to prioritize security and, better yet, limit what they collect and keep, so that there’s less to leak. The lawyers who sued Equifax—both private and governmental—had to negotiate for all of this relief with far less leverage than they should have had. Why? Because the law is still far behind in recognizing the kinds of harms that occur from these data breaches.
As we explained just after the breach occurred, right now privacy law is simply insufficient to spur companies to protect us from these large data breaches. There is no comprehensive federal privacy law, much less one with the kind of teeth that could push companies to invest in information security the way they invest in, say, compliance with securities law. Worse, efforts to strengthen and protect state laws, like California's Consumer Privacy Act, have faced stiff opposition from the very companies who voraciously gather, buy, sell and trade our data.
The truth is, while the numbers can seem large, these settlements confirm that we need stronger privacy legislation to give the lawyers and regulators the leverage they need to protect us. These include:
- We need to create (or recognize) fiduciary or other high-level responsibility for those who hold the kind of data that can be used in identity theft. Anyone who holds data that, if stolen, can let someone effectively “be you” for purposes of credit, purchasing, accessing your bank accounts, travel, and otherwise should be held to a high duty of care and loyalty to you with real accountability if they fail. This must include, at a minimum, prompt notification, simple fast and free credit freezes and a specific duty to secure customers’ personal information as a matter of course, not as a negotiated settlement years later.
- We should encourage a race to the top by states in passing privacy laws, and the federal government should raise the bar, not lower it. One good idea comes from Vermont’s new data privacy law, which requires data brokers to register annually.
- People should be able to have their day in court. A direct private cause of action for data breaches and other digital privacy harms is crucial to get us there.
- Data harms can be hard to quantify financially, especially when damage only occurs over time, so we should apply statutory liquidated damages like we do for illegal wiretapping, copyright, and similar harms.
- Non-discrimination rules can ensure that companies don’t just turn your desire for privacy into another strategy to make you pay more. Pay-for-privacy is unfair.
- A federal advocate for victims could help, with mandatory reporting on data breaches and harms.
- Federal regulators must have the authority and funding to write and enforce rules that dig deep into digital security for our data.
And finally, one thing to avoid: existing computer crime laws are already extremely overbroad. That causes real harm and injustice, and often creates threats to the very security researchers who are trying to keep the rest of us safe. Any new efforts to address data breaches should focus on incentives to protect data rather than further expanding criminal liability.
The Equifax settlement is a good effort, especially considering the hurdles that the lawyers and the agencies faced in trying to hold Equifax accountable. But the data breaches continue unabated, with one affecting Capital One revealed just yesterday.
Going forward, we need to eliminate those hurdles or mass data breaches are going to continue unabated. Anyone who hasn’t been a victim of a data breach so far needs to join with those who have—because without a serious change in course, we’ll all be victims sooner or later.
And again, don’t forget to file a claim.
Special thanks to former EFFer (and current Hastings Law student) Amul Kalia for help with this blog post.