How accessible those reimbursements and services will be for consumers remains to be seen. But the settlement agreement says that individuals, after they are identified as victims of the data breach, can “self-certify” that they spent up to 10 hours dealing with the aftermath. That simply requires providing an explanation of how their time was spent preventing misuse of their data or remedying it.
For claims beyond 10 hours, consumers will have to provide “reasonable documentation,” including credit card and bank statements, invoices, telephone records and receipts.
Victims are also eligible for free credit-monitoring services, or $125 cash if they already have such services in place. The credit monitoring is offered for four years through Experian, with up to six additional years through Equifax. The company is also offering seven years of free services to help consumers address the effects of fraud and identity theft.
Equifax is the latest — and biggest — in a string of high-profile customer data breaches in recent years, including 110 million Target shoppers and 56 million payment cards at Home Depot. For many customers, data breaches have resulted in somewhat routine replacements of their credit cards or notifications by companies to change their passwords.
The 2017 Equifax breach included Social Security numbers, credit card details and other sensitive data. On Monday, the Federal Trade Commission announced that Equifax will pay up to $700 million to settle with state and federal regulators over allegations that the company failed to take reasonable cybersecurity steps that might have prevented the breach. Pennsylvania Attorney General Josh Shapiro called it “the largest data breach settlement in U.S. history.” That total includes a victims compensation fund of $300 million, which could grow to $425 million if the number falls short of what’s required to compensate consumers.
Equifax has denied wrongdoing, and the settlement does not include a judgment or finding that it did. In response to a request for comment regarding the settlement announcement, Equifax spokesman Wyatt Jefferies referred to the company’s earlier statement, in which chief executive Mark W. Begor said the consumer fund “reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter.”
Robert Cattanach, a former Justice Department attorney who works for Dorsey & Whitney in Minneapolis focusing on cybersecurity and privacy issues, said that in his experience, fewer than 10 percent of eligible individuals take advantage of credit-monitoring services offered to them in a settlement.
It is unclear how many of the data-breach victims would qualify for the varying levels of compensation or how many would file for even the $250 that requires minimal documentation.
According to the website Equifaxbreachsettlement.com, which was set up to handle the claims, consumers must wait for the settlement to be approved to become eligible for the compensation. The settlement is being dealt with in the U.S. District Court in Atlanta. The site says consumers soon will be able to determine whether their information was compromised.
Margaret Suitor, who works in IT in Mansfield, Conn., said she discovered she was part of the data breach when it was announced in 2017. She subsequently spent about three hours researching the subject and communicating with Equifax, she said, and spent about $60 on credit-freezing services. She said she will probably file for reimbursement once the settlement is approved, particularly if extensive documentation isn’t required to prove the three hours of inconvenience. She won’t self-certify for any more than that, however.
“If I expect integrity from companies, I have to show integrity myself,” she said.