Nearly two years after the sensitive information of more than 147 million consumers was exposed in the unprecedented Equifax data breach, a $671 million settlement has been reached to end a host of consolidated class action lawsuits and probes by the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), 48 states, Puerto Rico, the District of Columbia and the New York Department of Financial Services (NYDFS).
The dust is still settling, and given the gravity and breadth of this particular data breach, there’s a mountain of information to sift through about how to claim your piece of the historic settlement.
For that reason, we bring you a no-frills, no-fat breakdown of the settlement, as well as some of the most important fruits to pick off this vine.
First, the settlement.
The approximately 147 million U.S. consumers identified by Equifax whose personal information was compromised as a result of the September 7, 2017 data breach.
The total settlement fund will cover cash compensation for consumers, a cocktail of government fines and legal costs, and the creation of a fund to underwrite free credit monitoring and identity theft protection.
According to the document outlining the proposed settlement, at least $380.5 million will go toward paying class members through a consumer restitution fund. This dollar amount includes cash compensation, credit monitoring and help for those who experienced identity theft due to the data breach. Also available is another $125 million that Equifax could pay out if the money in the consumer restitution fund is used up. Individual payouts from the settlement are capped at $20,000 per person (we’ll get to that in a minute).
Equifax has also agreed to make payments totaling $290.5 million to certain state and federal regulatory agencies and for attorneys’ fees and costs related to the multidistrict litigation. The CFPB will receive $100 million as part of the settlement.
The settlement further stipulates that Equifax must spend at least $1 billion to improve its data security. The settlement document reveals that the total settlement tab for Equifax could hit at least $1.38 billion, “and might be significantly more,” in the (unlikely) event all 147 million class members sign up for credit monitoring.
Now for the nooks and crannies. Available through the settlement will be:
Compensation of up to 20 hours at $25 per hour for time spent taking preventive measures against or dealing with identity theft. Claims can be submitted for up to 10 hours without documentation.
Reimbursement of up to $20,000 for documented losses fairly traceable to the data breach, such as the cost of freezing or unfreezing a credit file, buying credit monitoring or other losses related to identity theft or fraud.
Class members can also claim reimbursement for up to 25 percent of any money paid to Equifax already for credit monitoring or identity theft protection products in the year prior to the breach. We hope you kept your receipts.
Four years of three-credit bureau monitoring and identity theft protection services through Experian, an apparent $1,200 value, and an additional six years of one-bureau monitoring through Equifax (a $720 value).
Compensation of $125 for class members who already have credit monitoring or protection services in place.
Identity restoration services through Experian to help those victimized by identity theft for seven years.
Class attorneys are requesting up to $77.5 million in fees. Equifax denies any wrongdoing, and no judgment has been handed down in favor of either the company or consumers.
So you’re saying I could possibly get $20,000?
Well, you could, according to the terms of the settlement, but don’t count on it. CNBC’s Kate Fazzini wrote this week that proving you were harmed by identity theft to the extent that you’d be entitled to $20,000 from the settlement will be “exceedingly difficult,” in part because the consumer data stolen in the Equifax cyberattack was reportedly never found for sale on the dark web or any other unsavory marketplace.
We have a lot of ground to cover, so let’s move on.
The official settlement website
It’s live: https://www.equifaxbreachsettlement.com/
Where do I file a claim?
Where can I check if I was affected by the data breach?
Filing a claim
When you head to the settlement website to file a claim, first check to see if you were affected by the data breach. Once you proceed to file a claim, you can opt to receive either free, three-bureau credit monitoring OR a cash payment of $125 payable by either check or pre-paid card.
To be eligible for the $125 cash, you need to already have credit monitoring, like that provided for free by Credit Karma, and must assure you will continue to have it in place at least six months after you file a claim. You can file a claim for either the $125 cash or the credit monitoring—you cannot file a claim for both.
After that, you’ll be asked if you wish to file a claim for restitution for time lost because of the breach. Next, you’ll be asked whether you’d like to file a claim over money you lost or spent due to fraud or identity theft. Keep in mind that these options require you to have documentation proving you spent more than 10 hours dealing with identity theft or fraud. Any claims for 10 hours or less can be self-certified.
Once you go through all the steps, you’ll be provided with a claim number. Be sure to keep this claim number for future reference—print it out, write it on a Post-It note, write it on a napkin, save it to your computer as a PDF document, just make sure you keep it.
You have six months to file a claim for settlement benefits…
…from the date the settlement is given final approval by a judge. This could take a few months, so there’s no need to feel a time crunch just yet.
This six-month window applies only to monetary benefits claims. If money is still left in the settlement fund after the six months is up, an extended claims period will run for four years, during which class members can file claims for out-of-pocket losses and time spent rectifying identity theft that occurred after the end of the initial six-month claims period.
Don’t forget: the settlement still needs to be approved by a judge.
If you’re seeing the legal phrase “preliminary approval” a lot this week, that’s because a judge still has to formally approve the settlement before money will start being handed out.
You can submit a claim right now—here—but keep in mind that no settlement benefits will be distributed or available until the court finally approves the deal.
Preliminary approval is not the same as final approval. Numbers on paper and handshakes between attorneys are one thing, but all class action settlements are subject to a judge’s final greenlight before people can start getting paid.
We’ll keep you posted on this one.
The program to notify class members is the first of its kind.
The notice program for the settlement will encompass “tools used in modern commercial and political advertising” to ensure the maximum level of engagement and participation in the settlement from class members. And from the looks of it, the claims process itself is easy to use, which comes as a relief given the look and feel of some settlement websites. Both the claims process and the settlement notice program, the settlement documents say, were designed with input from the FTC, the CFPB and representatives of 50 state attorneys general (all of whom except two have entered into their own settlements with Equifax).
What’s more, the emails and ads, which will include a link to the settlement website, will be tested for effectiveness through “focus groups, conducting a national survey of 1,600 likely class members, and sampling their impact on small subsets of the class.” This first-of-its-kind all-out digital class notice campaign will be continuously adjusted to ensure maximum exposure to those affected by the Equifax data breach. We could very well be looking at the future of class action settlement administration should this program be as effective as it aims to be.
Here’s how the settlement notice program will work.
Keep an eye on your email.
Class members covered by the settlement will receive at least four emails sent to their email address.
Keep an eye on the Internet.
If and when the deal is formally approved, the settlement administrators will roll out an “aggressive” digital and social media campaign that aims to reach “90 percent of the class an average of eight times” before the notice date, i.e. the date 60 days after the court allows for class members to be notified of the settlement, and at least six more times before the end of the six-month claims period.
Keep an ear on the radio and an eye on the newspaper.
The settlement notice program will also make use of radio advertising and a full-page ad in USA Today for those who may be a little less online these days (we can’t really blame you).
Or, if you don’t feel like waiting for notice, submit a claim right now.
Not everyone thinks the settlement is a win for consumers.
On the one hand, consumers affected by the Equifax data breach will in fact receive a not-insignificant amount of compensation as long as they submit a claim. On the other hand, some consumer advocates and lawmakers feel the historic settlement does not go far enough given just how bad the data breach was and how many people were affected. If anything, the settlement’s perceived shortcomings speak to the sheer scope of the data breach and amount of consumer information that was stolen. It’s worth asking, is there any amount of money that can undo the damage?
In a statement, a portion of which was shared by Reuters, Democratic Senator Sherrod Brown (Ohio) said the settlement “is just a drop in the bucket of what Equifax’s disregard for privacy could cost American families.” The publication also cited Public Interest Research Group’s Ed Mierzwinski, who called the settlement “a parking ticket, not a penalty.” Moreover, a spokeswoman for the Massachusetts attorney general said the state, along with Indiana, is not participating in the settlement, choosing instead to continue litigation.
A piece from MarketWatch’s Jacob Passy quotes Consumer Reports director of privacy and technology policy Justin Brookman, who said of the settlement’s compensation for identity theft victims that “it’s virtually impossible to prove that [identity theft] is the result of any particular breach.”
Another concern raised in the same MarketWatch op-ed is the timing of the settlement. Though the settlement is set up to provide compensation to class members right now, National Consumer Law Center staff attorney Chi Chi Wu notes that “the risk of identity theft is forever because our stolen Social Security numbers can be traded by hackers in perpetuity.” Given the time period to file a claim is at most four years, Wu asks, “What happens if a consumer is the victim of ID theft in the fifth year resulting from the breach, which costs the consumer tens of thousands of dollars?”
I have questions that you did not answer here. Where can I go for answers?
We suggest the FAQ page on the official settlement website. Another option is to reach out directly to the settlement administrator by phone at 1-833-759-2982 or by mail at:
Equifax Data Breach Settlement Administrator
c/o JND Legal Administration
PO Box 91318
Seattle, WA 98111-9418
What else can I read about the settlement?
If you’re looking for more information on the settlement, we suggest you start with these:
We also recommend signing up to receive email updates on the settlement directly from the FTC, which is expected to roll out a tool sometime soon that lets consumers check whether they were affected by the data breach.
The complete document outlining the proposed settlement over the 2017 Equifax data breach is embedded below.