After Equifax’s calamitous 2017 data breach, its settlement with the Federal Trade Commission (FTC) and the private attorneys representing victims appears to offer two potential remedies to all 147 million American consumers affected: free credit monitoring, or if individuals already had free credit monitoring, an up to $125 cash payment. The FTC directed consumers affected by the breach to a third-party website where they could quickly and easily file their claim.
At the time, EFF tepidly commented on the settlements’ efforts to compensate consumers. But we also noted that the $125 payments would come from a $31 million fund, meaning that if all 147 million victims chose the payment, each person’s payment would be reduced on a pro rata basis to as little as 21 cents each.
Indeed. Less than one week after it announced the settlement, the commission began encouraging consumers to forego the monetary compensation in favor of free credit monitoring, even if they already had it. In a blog post, the FTC told consumers that, because an “unexpected number” of victims filed claims, “each person who takes the money option will wind up only getting a small amount of money. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.”
The government apparently failed to anticipate that, out of 147 million Americans victims, more than the maximum 248,000 who could have claimed their $125 without reducing the award given to each person would have opted to do so. Even worse, it instituted a variety of new burdensome, bureaucratic steps required to claim the monetary award to nudge victims away from financial compensation.
Consumers should not have to jump through hoops to receive compensation for serious data privacy harms. The “unexpected” number of claimants in this case should strongly signal to policymakers that Americans care about the security of their personal data. Consumers intuitively know what EFF has said all along: the companies that store consumer’s personal information—often without their knowledge—have an obligation to protect it. If they don’t, they should pay for the harm that ensues. And financial penalties should be high enough to incentivize better data privacy practices in the future.
This settlement ensures neither. While it’s easy to be angry at the FTC, the problem really lies with the current state of privacy law. We have said it before and will say it again: without new privacy laws, or a change in how the courts view those harms, companies will not adequately invest in consumer privacy protection.
If Congress wants to protect consumer privacy, it should enact legislation with the following rules and protections.
Information fiduciary and national data breach notification rules
This one is simple: companies that collect your personal information should have a legal duty to protect it. A strong information fiduciary law would require that companies follow best practices and exercise care to protect user information as a matter of course—not as a negotiated settlement years later.
Private right of action and real damages
We need to ensure a direct, private cause of action for data breaches and other digital privacy harms to give victims a more reasonable day in court than they have now. Because data harms can be hard to quantify financially, the law should provide statutory or liquidated damages, like it does for illegal wiretapping, where Congress long ago recognized that there should be no requirement to show financial harm in order to recover.
Data broker registration
Data brokers harvest and monetize our personal information without our knowledge or consent. Worse, many data brokers fail to securely store this sensitive information, predictably leading to data breaches. One good way to facilitate better oversight comes from Vermont’s new data privacy law, which requires data brokers to register annually with the government.
Pay-for-privacy is unfair. The law should prohibit companies from denying services, charging different prices, providing different quality levels, or otherwise discriminating against users who choose more private options.
Stronger rule-making authority for the FTC
Federal regulators must have the authority and funding to write and enforce consumer privacy rules. Congress should empower the FTC—an expert agency once tasked with data privacy regulation—to set and enforce sound security standards.
No federal pre-emption
Federal law should set a floor—not a ceiling—for privacy protection. States, as our “laboratories of democracy,” must retain their power to respond to technological changes and constituent concerns by enacting innovative data security policies.
No new criminal liability
And finally, one thing to avoid: existing computer crime laws are already extremely unfair and overbroad. That causes real harm and injustice. It also threatens the very security researchers—like the one who found an Equifax bug before the breach—who work to protect the rest of us. Any new efforts to address data breaches should focus on incentives to protect data rather than further expanding criminal liability for coders.
It has become increasingly clear that the Equifax settlement is inadequate for both compensating victims and preventing future harms. But future settlements won’t be better without changes in the law or in how courts treat privacy harms. U.S. privacy law does not even give FTC the power to require direct compensation to consumers—a powerful way to make companies pay consumers for the harm they caused. The FTC only secured it this time because individual suits were joined to its actions. Bottom line: we can’t expect the current, limited-power FTC to clean up the messes created by our failure to require stronger data protections.
Our legislators have an obligation to enact the stronger data privacy protections that their constituents want and deserve.
Note: Thanks to EFF Legal Intern Victoria Noble for help with this update.