The bad news: Nearly half of all Americans were affected by the 2017 Equifax data breach, in which hackers stole personal data for more than 147 million people: credit card numbers, Social Security numbers and other identifying information.

The good news: As part of a settlement agreement with the Federal Trade Commission, the people whose data was stolen can get some compensation: 10 years of free credit monitoring, or maybe $125, depending on how badly you were affected. The payout could be as much as $20,000 if you can prove your identity was stolen and you suffered because of it.

But there’s a lot of fine print, and there are deadlines. And if you think your identity has been stolen, there are some critical things you should know before you try to cash out.


First, if your information (most importantly, your Social Security number) was part of the hack, then you should assume it’s out there forever. Even if someone hasn’t stolen your identity yet, it could still happen.


Second, even if you file for reimbursement, there’s a good chance you won’t actually get the full $125 that Equifax and the FTC are talking about. Things are worded carefully in the agreement, but the bottom line is there’s a limited amount of money in the payout pool, and it won’t cover $125 checks for 147 million people.

Given all that, the biggest loophole you should be aware of is that if you do nothing, you will automatically waive your right to take legal action against Equifax in the future.

Learn if your data was stolen in the breach

Check if your data was stolen by entering the last six digits of your Social Security number and your last name on the Equifax form (or call 833-759-2982). If it was not stolen, you are not eligible and you can move on with your life without thinking about this settlement.

If your data was compromised . . . you have several options.

File for ‘Alternative Reimbursement Compensation’

Note: By doing this you waive your right to pursue legal action against Equifax in the future

Deadline: Jan. 22, 2020

You can file a claim for the standard payout, up to 10 years of credit monitoring — OR — up to $125 if you already pay for credit monitoring. They are calling it the “Alternative Reimbursement Compensation,” and it is the most straightforward path you can take.

If you really want the cash, you can sign up for a free credit-monitoring service like CreditKarma. Some credit card companies and banking services (like Mint) also offer credit monitoring services.

Fine print reveals why a lot of people won’t get the full $125. They are only going to pay out that amount until the requests hit a $31 million cap. After that, the payouts will be lowered and distributed on a proportional basis. The total pool for restitution is $380.5 million.

We tried to find out how many payout requests had been submitted by Friday afternoon, but the FTC could not provide an answer because it was still early in the process. Equifax did not return answers to our questions.

File for a bigger reimbursement

Note: By doing this you waive your right to pursue legal action against Equifax in the future

Deadline: Jan. 22, 2020

If you have spent or lost money as a result of the hack (legal or accounting fees, money you lost because someone stole your identity and charged a large amount of money on accounts in your name, money you spent freezing and unfreezing your credit, postage, etc.), then $125 isn’t going to be enough.

In this case, you could file a claim for up to $20,000. You will need to provide proof of time and money spent, and the process is more involved.

You can also just file for time spent as a result of the data breach, $25 per hour for up to 20 hours. If you claim more than 10 hours, the FTC writes, you must detail the actions you took and provide documentation to indicate identity theft or fraud. If you claim fewer than 10 hours, you only need to detail what actions you took and how much time was spent.

You do not have to prove your identity was stolen directly as a result of the 2017 breach, but it has to have occurred after the breach. You must file a claim by Jan. 22, 2020. Learn more about how to file a claim online here, or via mail here. If you were a minor on May 13, 2017, you must download and mail in this claim form.

Don’t settle, keep the option to pursue your own legal action

Note: This is the only option in which you keep your right to sue Equifax in the future

Deadline: Nov. 19, 2019

It sounds counterintuitive, but if you were affected by the breach you are automatically included in this settlement. And it’s similar to some of the settlements you hear about in court — if you settle, you’re done. You cannot bring it up in court again. You cannot sue Equifax for harm caused by the breach, because you were already a member of the group that settled.

If you don’t want to settle, and you want to keep the option to take legal action against Equifax as an individual, you must opt out of the settlement by mailing a written “request for exclusion,” postmarked by Nov. 19, 2019, to the settlement administrator. If you do not meet that deadline, you lose the right to sue Equifax for the breach.

Read more about this process in Equifax’s Frequently Asked Questions under section 23.

If you do nothing

If you were impacted by the breach and opt to do nothing, according to the settlement’s terms, you will not be eligible for any of the aforementioned benefits. Moreover, it means you will forfeit your right to sue Equifax for harm caused by the breach or to continue pursuing separate claims you’ve filed.

Click here to sign up for FTC email updates on the settlement.

Marie C. Baca contributed to this report.
