American citizens have been offered an option to get settlement money over the Equifax data breach. However, the hurdles being thrown up is sparking criticism.
We’ve been following the major Equifax story for nearly a year at this point. We picked up the story clear back in February when the Equifax data breach wound up being worse than initially reported. At the time, it was reported that 145 million people were affected by the breach. In March, that number grew by 2.4 million people.
By May, lawsuits were filed over the breach. In September, Equifax was fined in Britain for £500,000. For those wondering about the General Data Protection Regulation (GDPR), the breach took place before the laws went into effect. So, as a matter of fact, that fine is quite significant given what tools were available to deal with the situation.
In early July, a prison sentence was handed down to an Equifax executive for what was effectively insider trading. The short gist of that is that the executive learned of the breach. Instead of going public, he researched what happens to stock prices when a company is hit with a breach. He then proceeded to sell his shares to avoid getting hit with those losses. Only after did he allow the story to go public. It was those moves that sparked an investigation and ultimate conviction.
In late July, Equifax ended up settling for up to $700 million. Part of that settlement money was set aside for people affected by the breach. Americans can go to the settlement website and get their settlement benefit. One option is to get free credit monitoring. Another settlement offer is to receive $125.
It became quickly apparent that a number of American’s were more interested in the cash offer. By early August, it started to become apparent that many were choosing the cash settlement option. That sparked a problem. As we reported at the time, only $31 million was set aside for those wishing to settle. For those who have a head for math, $31 million is nowhere near enough to divide among 147 million people if the settlement is $125 per person. The funds were quickly drying up.
Now, it seems that the Electronic Frontier Foundation (EFF) is weighing in on this one. They are saying that bureaucratic hurdles are being erected to dissuade American’s from taking the cash settlement. From the EFF:
The government apparently failed to anticipate that, out of 147 million Americans victims, more than the maximum 248,000 who could have claimed their $125 without reducing the award given to each person would have opted to do so. Even worse, it instituted a variety of new burdensome, bureaucratic steps required to claim the monetary award to nudge victims away from financial compensation.
Consumers should not have to jump through hoops to receive compensation for serious data privacy harms. The “unexpected” number of claimants in this case should strongly signal to policymakers that Americans care about the security of their personal data. Consumers intuitively know what EFF has said all along: the companies that store consumer’s personal information—often without their knowledge—have an obligation to protect it. If they don’t, they should pay for the harm that ensues. And financial penalties should be high enough to incentivize better data privacy practices in the future.
This settlement ensures neither. While it’s easy to be angry at the FTC, the problem really lies with the current state of privacy law. We have said it before and will say it again: without new privacy laws, or a change in how the courts view those harms, companies will not adequately invest in consumer privacy protection.
If Congress wants to protect consumer privacy, it should enact legislation with the following rules and protections.
It’s an interesting way of tackling this problem. Essentially, they are pointing to the current state of privacy laws in the US and saying that they need to be strengthened to better protect consumers. Indeed, what we’ve been seeing time and time again is that the laws surrounding personal privacy are frequently the weak link in all of this.
Some argue that we should let the free market decide for itself what to do in these situations. The problem is that the free market wound up deciding that, under the current environment, the loss of personal information of people is something to hide. Don’t say anything happened, don’t admit to anything that happened. Just keep quiet and deny. If people have their personal information misused, so what? That’s their problem now. If consumers file lawsuits, then, at worst, it’s the cost of doing business.
So, we know what happens if businesses simply decide for themselves what the appropriate action. For many people, such an answer simply isn’t good enough. So, if the so-called “free market” doesn’t offer a sufficient solution, what option is there after that? Government legislation. As a result of what we see, it’s very understandable that organizations like the EFF would offer the idea of legislating as a solution.
There is, unfortunately, one problem with this at this point in time. We are about a year away from elections. If lawmakers decide tomorrow that we need to create better laws to protect consumer privacy, an election would, at minimum, disrupt the passage process. Additionally, trying to make political noise about privacy laws is going to be especially difficult in the midst of the current ongoing presidential impeachment inquiry currently digging up evidence of criminal wrongdoings of the president. When Americans are discussing politics, how much of it is revolving around the impeachment process?
From our perspective, the EFF is making all the right steps, but is facing a considerable uphill battle to get attention to this important issue. This political climate is completely out of their control. The only thing organizations like the EFF can do is say, “Hey, we raised our concerns when these issues came up.”
Sometimes, all you can do is play the cards you are dealt. If the cards you are dealt are awful, what choice do you have? Play them anyway and hope for the best.
Drew Wilson on Twitter: @icecube85 and Facebook.
