The Washington PostDemocracy Dies in Darkness

Equifax data-breach victims can get up to $250 each with little documentation

More than 147 million people could ‘self-certify’ that they spent 10 hours trying to remedy the situation.

Equifax will compensate consumers as part of a settlement with regulators. (Mike Stewart/AP)

Did you lose 10 hours of your life dealing with the 2017 Equifax data breach? You could get up to $250 from Equifax with minimal documentation of your woes, according to the credit-monitoring agency’s settlement agreement.

Under the agreement, the more than 147 million victims of the breach — slightly less than half of all Americans — are eligible to seek cash reimbursement and other services from Equifax. That includes $500 for time spent taking preventive measures or dealing with identity theft; up to $20,000 for losses related to the breach such as those related to identity theft; and 25 percent of any money paid to Equifax for credit-monitoring or identity-protection products in the year before the breach. The most an individual can receive is $20,000.

How accessible those reimbursements and services will be for consumers remains to be seen. But the settlement agreement says that individuals, after they are identified as victims of the data breach, can “self-certify” that they spent up to 10 hours dealing with the aftermath. That simply requires providing an explanation of how their time was spent preventing misuse of their data or remedying it.

For claims beyond 10 hours, consumers will have to provide “reasonable documentation,” including credit card and bank statements, invoices, telephone records and receipts.

Equifax to pay up to $700 million to settle state, federal investigations into security breach

Victims are also eligible for free credit-monitoring services, or $125 cash if they already have such services in place. The credit monitoring is offered for four years through Experian, with up to six additional years through Equifax. The company is also offering seven years of free services to help consumers address the effects of fraud and identity theft.

Equifax is the latest — and biggest — in a string of high-profile customer data breaches in recent years, including 110 million Target shoppers and 56 million payment cards at Home Depot. For many customers, data breaches have resulted in somewhat routine replacements of their credit cards or notifications by companies to change their passwords.

The 2017 Equifax breach included Social Security numbers, credit card details and other sensitive data. On Monday, the Federal Trade Commission announced that Equifax will pay up to $700 million to settle with state and federal regulators over allegations that the company failed to take reasonable cybersecurity steps that might have prevented the breach. Pennsylvania Attorney General Josh Shapiro called it “the largest data breach settlement in U.S. history.” That total includes a victims compensation fund of $300 million, which could grow to $425 million if the number falls short of what’s required to compensate consumers.

Equifax has denied wrongdoing, and the settlement does not include a judgment or finding that it did. In response to a request for comment regarding the settlement announcement, Equifax spokesman Wyatt Jefferies referred to the company’s earlier statement, in which chief executive Mark W. Begor said the consumer fund “reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter.”

I called Equifax with a simple question. This is what happened.

Robert Cattanach, a former Justice Department attorney who works for Dorsey & Whitney in Minneapolis focusing on cybersecurity and privacy issues, said that in his experience, fewer than 10 percent of eligible individuals take advantage of credit-monitoring services offered to them in a settlement.

It is unclear how many of the data-breach victims would qualify for the varying levels of compensation or how many would file for even the $250 that requires minimal documentation.

According to the website, which was set up to handle the claims, consumers must wait for the settlement to be approved to become eligible for the compensation. The settlement is being dealt with in the U.S. District Court in Atlanta. The site says consumers soon will be able to determine whether their information was compromised.

Margaret Suitor, who works in IT in Mansfield, Conn., said she discovered she was part of the data breach when it was announced in 2017. She subsequently spent about three hours researching the subject and communicating with Equifax, she said, and spent about $60 on credit-freezing services. She said she will probably file for reimbursement once the settlement is approved, particularly if extensive documentation isn’t required to prove the three hours of inconvenience. She won’t self-certify for any more than that, however.

“If I expect integrity from companies, I have to show integrity myself,” she said.