On Monday, consumer credit reporting agency, Equifax, agreed to a $700 million settlement for a major data breach that occurred back in 2017. $300 million was allotted to consumers affected by the data breach, as well as an additional $125 million if the fund is depleted. As one of the largest data breach settlements in history, this is a victory that should be celebrated by consumers as privacy and personal data are more at risk than ever. Large corporations need to prioritize our security and this settlement is a step in the right direction for protecting the American people and their personal data. Hopefully this begins a shift away from prioritizing monetary gain over consumer information.

Whose data? What data?

The magnitude of the data breach is quite astonishing. Equifax admitted in September of 2017 that 147 million customer’s information was exploited by hackers. They discovered that the breach began in mid-May of 2017 and they believe lasted all the way through July of that same year.

According to Equifax, the hackers were able to access the names, social security numbers, addresses, birth dates and in some cases even customers driver’s license numbers of nearly 143 million of those exposed by the breach. Additionally, they were able to access the credit card numbers for around 209,000 U.S. consumers.

Chairman and Chief Executive Officer of Equifax, Richard F. Smith, in a press release following the breach said, “This is clearly a disappointing event for our company…I apologize to consumers and our business customers for the concern and frustration this causes, we pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.” But despite his “pride” in protecting data they still managed to let nearly half the US population’s data get stolen from them. Equifax has maintained their denial of any wrongdoing in their security.

Where is the data?

In the wake of the breach, consumers scrambled to secure their information from identity theft. Equifax even offered free credit theft protection for those effected by the breach. Despite the massive breach, there was little to no trace of the personal information being used against the consumers. In their investigation following the breach, Equifax has not reported a single case of identity theft tracing back to the breach and they were unable to find any of the information being sold on the dark web, according to reports.

Contrary to Equifax, the consumer’s co-led counsel for the case, Joshua Shapiro, claimed that for some their identities were indeed stolen. But even with Shapiro’s assertion that some of the information was used against the consumers, the scarcity of incidents leaves a lot of question marks about where the information ended up and who was behind the hack.

How will Equifax make it right?

The agreement between consumer counsel and Equifax promises up to $20,000 for each of the individuals effected by the data breach. That being said, very few if any will likely receive the full amount. As I mentioned earlier, very few customers actually had their identity stolen as a direct result of the breach and so it will be rare for someone to have the documented losses to that extent.

As the filing said, the full amount will only be paid to a consumer who can show their “documented loses fairly traceable to the breach.” Whether through phone records for time loss, lawyer fees, credit card and bank statements, invoices or receipts, the claimant will have to prove the extent of their loss.

Despite the fact that few claimants will be eligible to receive the full $20,000, the settlement still looks to be a well-paying class action. Here are the reimbursement criteria that we have been given so far:

• Each claimant will be eligible for $500 to refund the “time loss” dealing with the precautionary measures after the breach or dealing with identity theft. That accounts for 20 hours of loss at $25 an hour. The first 10 hours ($250) is “self-certified,” so the claimants will not need to show any proof of time loss. In theory, each eligible claimant will be able to receive $250 without showing any documentation but will need to show documentation to prove any time loss over 10 hours.
• Each claimant is eligible for at least four years of free credit monitoring. If a claimant is already paying for a credit monitoring program, they will be eligible for a $125 cash payment to reimburse them.
• Each claimant is also eligible for a free identity restoration service to help mend any damages created by the breach.
• Whatever loss that is properly documented above and beyond the $500 for time loss will be rewarded up to $20,000.

With the final court agreement still pending, there is still some room for things to change. Thankfully, Equifax seems to want to make the situation right and correct the errors they made. For continued updates, you can check up on the site made specifically for the class action. Once everything is finalized there will be a way of checking your eligibility and seeing if you could be eligible for a cash payment.

‍