This headline is dishonest. I’m not getting my $125 because the settlement fund is dramatically too small. It looks like I’ll get about $6. If the attorneys got absolutely nothing, that number would be maybe $8. So attorney fees are <2% of the shortfall.
I’m not pumped that Equifax is getting off for less than a half billion or that the attorneys are getting a big chunk of that. (It’s hard to say how much they should get, to be honest) But when I see a bullshit headline I have to call it out.
By the way, they based the $125 on the assumption that almost everyone would take the worthless credit monitoring option.
What I find especially bothersome is that their resolution has, in practice, only cost their victims more.
Because the time needed to fill out that form and provide the documents will have been worth more than the payout, if one ever comes, for just about anyone who bothered to do it.
I honestly, no bullshit, wish the hackers had simply released the entire dataset. Just drop kicked it into the the public domain.
It would have been the greatest thing ever. This dumb ass bullshit system of credit reporting would have dissolved overnight. Instead we're stuck with the worst of all worlds. Our information is completely fucked, and we're the ones expected to protect it. And we're not even permitted to have proper tools to protect ourselves.
I don't think the lending industry would go away with a leak, though I do think that more players with the ability to analyze the data could have come along and used the data set to lower the costs of lending and/or incentivized other systems of data collection/risk analysis and underwriting.
Though I do think it would have hurt the bottom line of the giants that have few incentives to innovate, and many incentives to maintain the way things are.
> I honestly, no bullshit, wish the hackers had simply released the entire dataset. Just drop kicked it into the the public domain.
A lot of systems that leverage data behind walled gardens, collected from the masses and for the benefit of the few could also have the same approach. A couple of high profile "leaks" come to mind…
The settlement is meant to be punitive, not necessarily amount to a windfall for you. It's not terribly easy in a case like this to even prove damages.
And no, it wouldn't be better to let them off the hook completely. I'm not saying this settlement is _at all_ satisfying, but c'mon.
That’s fine, I must have miss read it the first time. Because I re read it noted the double negative and was editing it when I then saw the final version...
They essentially stole my info and did nothing to protect can it. A corporate death penalty should exist and all assets seized including every paperclip
It isn't supposed to punish the claimants though. Filling out the form was worth less than the payoff. Better to just burn the settlement than to waste everyone's time trying to distribute it. Or give out $600 to every 1 out of 100 claimants based on a lottery instead of $6 to all.
Windfall? People are hoping at best for a tiny fraction of the cost of actual damages. That's not a windfall. The only people getting a windfall are the class action attorneys. The actual victims get basically nothing.
I think you interpreted what I said in the worst way possible, and again, it's incredibly difficult to prove damages. We all know they exist, but if you can prove them you don't need a class action.
If it's meant to be punitive, shouldn't the full penalty amount get divided evenly among everyone who applies for the compensation, rather than being a fixed $6 per person who applies? Or does Equifax somehow end up losing the full penalty amount regardless (e.g. is the unclaimed amount paid to the government etc.)?
It depends on the settlement agreement, but they don't typically go back to the defendant. In this case, I found one source without looking up the actual agreement
>Any funds unclaimed after 4-year extension will be distributed in services
>Services offered are for identity restoration, credit monitoring
And those services are from... Equifax, which I feel is pretty shitty. Like I said, I don't like the settlement itself, but lawyers get a lot of hate for class actions from people who seemingly don't appreciate the risk they take in taking in the case.
I’m so so glad they took all that risk on so that I can get $6 while they get 80 million. Poor lawyers, so charitable of them.
And who gave them the right to profit massively off the violation of my privacy. I should be able to sue them. This is not justice, this is profiteering off others misfortune.
> their resolution has, in practice, only cost their victims more
All class actions are this way.
The only correct move is to exclude yourself from the class and reserve your right to sue individually, after the class action, citing that as precedent.
Class members never get more than a useless coupon or comparable.
No this is worse, this is some fucking mafia shit.
Equifax: YOU NEED THIS PROTECTION. PAY US... or else maybe there will be an ACCIDENT with your data
Me: No, I don't, think so. Shit, sounds illegal to me
Equifax: WHOOPS. We had an accident.
Me: WTF? [calls authorities]
Equifax: Well, let us make this right, how about we now give you some _free_ protection as a sign of our goodwill... you know to try it out... just in case that WHOOPS ends up being a problem for you.
Me: [looks at response from authorities] This is okay? This is fucked.
This is state-sanctioned organized crime at its finest.
We should have all collaborated to sign up for the monitoring and let them charge the cards, then all simultaneously issue chargebacks when the first charge hit to wreck their ability to accept credit cards and destroy their business.
This is the correct answer. The problem isn't how the class action suit was orchestrated; the problem is that class action is the only plausible and scalable form of justice currently available. Severe automatic penalties of X dollars per account lost and / or criminal liability for executives similar to SOX is what we need to deter these mistakes.
A 10% off coupon that I not only received a few days ago, but has to be used before Jan 1, 2020. Just a middle finger to the people who's data they were irresponsible with.
Because the point of the settlement, in theory, is A) for Equifax to be sufficiently disincentivized from being careless again B) restitution for victims. In my opinion as a victim, amount of the settlement (paid to lawyers or otherwise) is too small to accomplish A, and the amount paid to lawyers, if redirected to victims, is still too small to accomplish B. These are the only things that feel relevant to compare the amount to.
If the two sides negotiated a settlement that involved a serious change of business practices at Equifax, a significant payout to meaningfully compensate victims, and a chocolate cake for every retired librarian in Tallahassee, I'd be slightly confused but I would be unequivocally happier with that settlement than the current one. While you could probably save a bit of money on the chocolate cakes, it would be much smaller than any of the other amounts in the case, and saving that money wouldn't have any real impact on the settlement actually doing what it needed to do.
Spending nearly $80,000,000.00 on lawyers didn't seem to explain to the court or FTC that the settlement should have been higher than mere dollars per person so I'm not sure how spending e.g. $800,000,000.00 on lawyers is supposed to result in anything beyond even less making it out to actual compensation.
It's not like there was some busy public defender that didn't have time to think "gee, these people deserve more than a couple bucks and the company is probably going to make money off this 'fine' once the yearly renewal kicks in for those that opted for the coverage how can we argue a stronger deal" there was a high end team that made bank on a deal they knew they were the only ones making real money on regardless of what the deal was.
I don't disagree about the part that lawyers enriched ourselves, but like the librarians eating cake in Tallahassee, I don't really care about that, personally. I do disagree with the part about spending $800M on lawyers - if that came out of Equifax's own pocket, that would be ten times more effective at B than spending $80M. If you made them spend $8B on lawyers, Equifax might well shut down, and scare the other credit reporting agencies into behaving. That is valuable to me.
I'll be honest, as a victim, I'm not sure what I'm supposed to do with $125, either. I expect most people will spend it on themselves, but even spending it on credit monitoring doesn't actually fix the problem, it just makes the problem a little less bad, maybe, at the cost of enriching other companies that depend on this ecosystem of profiting off other people's data. I would genuinely prefer a settlement that cost Equifax $800M and got me nothing to one that cost $80M and got me $125.
The lawyer pool isn't "in addition to" it comes "out of" the settlement amount that was already decided previously. I.e. the difference between 80 million and 800 million in lawyer fees is exactly 720 million that was supposed to have gone to compensation going to the lawyers instead.
OK, but the settlement was $380 million. There was no $720 million that was supposed to go to the lawyers (or to anyone else).
If the lawyers had instead negotiated a settlement that got them fees of $800 million, then, because as you say the fees come out of the settlement amount, the settlement would have to be at least $800 million. That would be good for me, as a victim, because it would have meant a larger penalty to Equifax.
The claim is "2% of the shortfall" (the amount of money that would be needed to get $125 instead of $6 to everyone in the settlement), not "2% of the settlement amount."
Yes, the attorneys are taking 20% of the resolution. The resolution is so tiny that 20% of tiny is also tiny. The article title is highly misleading.
All part of the push to make class-action lawsuits economically unviable. When it's not worth it for any lawyer, the corporations will be free to defraud everyone for small amounts.
The point wasn't for me to get a lot of money. The point was for Equifax to lose money.
Look, I'll badmouth lawyers as much as the next person, but anyone who wants to claim class actions are a mistake needs to come up with a better system before they trash this one. There are so few avenues for consumers to hold companies accountable right now. They just don't exist. And thanks to arbitration and class action bans in EULAs, even the few avenues we do have are getting gradually eroded.
So first make regulatory penalties stricter, first set up real consequences for CEOs and boards. Then we can talk about revising class actions. I'm not satisfied with someone saying, "theoretically this could be better." Make the alternative systems better first, and then we'll talk about throwing away what we currently have. Like, holy crap, how short sighted can CNBC be? There are no working alternatives in the US to class actions right now.
The tragedy isn't that the lawyers took 20% of 380 million dollars. The tragedy is that it was only 380 million dollars. I'd happily trade another 25-50% on top of the current lawyer take if they had gotten that total up to 750 million, or even a billion.
Laywers get 20% of the restitution costs, on top of the restitution costs.
If the courts deem that the resulting costs to the defendant are too low, additional amounts may be levied and given to relevant charities, or the ACLU (or things like it).
If the company would collapse due to the costs, or otherwise would be unable to pay the full costs, executive bonuses (and potentially some pay, with limits) may be reclaimed, both towards allowing payment, and preventing failure in "too big to fail" situations.
I miss anything?
People get restitution. Lawyers get rewarded for quality work. Companies both pay damages, and a penalty on top of damages. Executives bear responsibility as people, not just the corporate entity.
Off the top of my head, I'd have no issue with this. Sounds great, particularly in how it would expand the ways we could hold executives personally responsible.
The request I would make is, "can we build a real, working version of the system you propose before we get rid of the existing one?" I'm not eager to throw away what we have on the promise that we could build something great afterwards.
The annoyance I feel when I read articles like this is that it's a bunch of reporters saying, "we need to do something about lawyers", and I just feel like -- if I'm in a leaky lifeboat, don't tell me to jump out of it until you have another boat next to me that I can climb into. We all know the lifeboat has leaks, but this lifeboat is real, and yours is (at least for now) imaginary.
Already done.[1] Literally took me 10x longer to log into HN to comment than it took me to verify my vague memory of this event.
In addition to the SEC litigation into the executives, Equifax did a company-wide investigation and found that one of the developers for that breach notification website (the one that provided tons of false positive and false negatives and was spoofed by a security researcher) traded using his SO's equities trading account before the breach was revealed. The company found him and he has also been prosecuted[2].
From a tech perspective I feel like issues like this should have a public canonical ID. That would help regulators and reporters alike deliver information in a more clear, cost effective and accountable manner, disambiguation by default. Interested and affected parties could subscribe to updates on that key across the web.
Isn't that guilty until proven innocent? Rather, I would think that whoever does the prosecution would need to prove the execs knew of the hack prior to selling the stock. The execs don't have to prove anything.
When you are exposed to information that it would be improper to act on, you generally have to demonstrate affirmatively that your decisions aren't based on it to stay out of hot water. It's the same deal as clean-room reverse engineering, where you need separate teams with a lawyer as a firewall to prove you're only replicating certain aspects of the source. It's not that presumption of innocence isn't applicable; it's just, when your defense is that you tracked provenance in your head and were careful to ignore the tainted information when thinking about certain things, it probably won't be hard to prove you guilty.
However, I think a journalist is seriously delinquent if they don't acknowledge that insiders normally schedule their stock trades ahead of time to insulate from insider trading accusations. A reader needs to know whether this was the case or not in order to be appropriately outraged.
It was. I posted the SEC PR filing in reply to another comment on this article.
> I think a journalist is seriously delinquent if they don't acknowledge ...
I'm not sure I agree. If you consider how many topics journalists write about and how much necessary context that they would have to background-boilerplate, a 2 sentence update could easily become the length and readability of a ToS contract.
If there is one single thing that you could put in a sentence or two, but it makes your article irrelevant, then the maximum word count is not the reason it was left out.
This isn't like, one article with a unique context. There have been lots of similar ones and will continue to be.
To be fair, one guy sold his stock because it seemed like people were acting really fishy and not telling him anything, and he put 2 and 2 together. So no one explicitly told him insider information, but he is still being charged.
If I worked at Amazon and saw Jeff Bezos in a meeting room going ballistic on the lead security engineer, would I be insider trading if I shorted amazon stock?
> If I worked at Amazon and saw Jeff Bezos in a meeting room going ballistic on the lead security engineer, would I be insider trading if I shorted amazon stock?
Yes, for sure. You'd still be acting on non-public information (the fact that he went ballistic on the head of security).
If you leaked that meeting to the press first, then maybe you'd be in the clear on insider trading (but you'd be in deep water for the leak!).
No, it's only insider trading if it's material non-public information. If you can twist that definition to make it even remotely plausible that a guy getting yelled at by his boss qualifies, I'll be very impressed.
Would seeing an angry Bezos count as "material information"? There are all sorts of secenarios where Jeff could be angry with a person - when did it become material?
Andrew Yang should campaign on making Equifax pay for data pollution. In fact, every one of these "data breaches" should be treated like the BP Oil spill. If these companies can't be held accountable for protecting our data then they shouldn't be allowed to collect it in the first place.
If it cost them as much to clean up each spill as it cost BP, you better believe they would take better care not to let it happen again.
From my reactive, emotional side, I would argue yes.
From my rational, informed side, I would argue no. Here's my rationale.
The data stolen from Equifax has not shown up on the black market and hasn't been actively used, which suggests this was a nation-state using the data for something other than profiting from fraud. This also suggests that the hack could easily be considered an "act of war", so given enough time+effort+resources, no company would likely be able to resist that breach (although I know Equifax could have done FAR better than they did).
Technically I don't "own" the data that Equifax has about me. Equifax owns the collection of it, their reporters (ex retailers, landlords, bank/mortgage companies) each own a shard, and other data aggregators who contract with any one of these actors can own part/all of it.
I am not Equifax's customer. They are required to deal with me based on a few rules defined in the Fair Credit Reporting Act, but the FCRA also provides some protections for credit reporting agencies who don't violate those rules. I'm sure they minimize the effort/resources they devote to helping credit consumers because that is the profit motive of every company.
I'm sure Equifax has a ridiculous EULA/ToS that I probably implicitly agreed to when I used the AnnualCreditReport website, and probably additionally when I deal with any retailer that pulled credit reports from Equifax (including the IRS after the breach was revealed). It likely involved me signing away my rights to a class action litigation or my rights to a trial by jury, because that is par for large contemporary corporations.
The standard for "protecting consumer data" is remarkably low except in a few sectors (ex. healthcare, retailers storing credit card data), and even in those it's still disheartening. The problem here is that companies can easily argue to {regulators, judges/juries, their BoD, cybersecurity vendors} that they can't be expected to spend more than the industry average because that hurts them more than the competitors. This just becomes a Prisoner's Dilemma where our data's security becomes the victim to corporate (in this case credit reporting bureau) self-interested decision making.
> The data stolen from Equifax has not shown up on the black market
Yet - and also the absence of evidence doesn't mean the evidence of absence. Not all criminals are stupid, a smart one would wait till vigilance dies down.
I'm skeptical of the claim that only a nation-state could have done this. Too lazy to look it up now, but I could swear that it was publicized that they were pwned using vulnerabilities that had been publicly known and patched for months? That would be extreme negligence no matter how you slice it.
> Technically I don't "own" the data that Equifax has about me.
This itself is a big part of the problem. It should absolutely be illegal for companies to hold sensitive info like my SS# without my permission.
I dispute that the data doesn't belong to you, even if it was collected by someone else. That's the crux of the matter, isn't it? If the information shares entropy with me or my various states, because it physically came from my body or my actions, then there's a strong argument to say it belongs to me, its origin, no matter how far it has been transmitted.
Class actions are broken and rarely actually directly benefit the consumers. At best you can say it is a large club that can be wielded on behalf of consumers to force large corporations to behave responsibly. At worst it's a total racket where attorneys can get very very rich by "representing" consumers and shaking down large corporations, which will eventually end up being paid for by the consumers who were meant to be protected in the first place.
I think the USA needs stronger regulators who can actually enforce the laws using fines and lawsuits rather than the legal system which does not work.
From what I have read stuff like this is also high risk for the lawyers who may be working on this for years without getting paid. I agree that regulators should go after these companies and also prosecutors instead of putting people in jail for years for possession of marijuana.
1) regulators don't lock people up for marijuana use.
2) We would save Lawyers the risk of not getting paid if they didn't have the chance of getting paid. Expressed with less sarcasm, there is no shortage of lawyers coming out of the woodwork to start class action suits when something happens. Every time anything big happens there is a half dozen class actions that get filed straight away, then there is lots of overhead figuring out who's class action is the correct one and combining lawsuits, and all this "work" is only to the benefit of the attorneys filing the lawsuits not to the actual people they are claiming to represent. Anyway, it's rotten to the core.
But why a preset percentage? Why not costs + a 10% profit? Once you do a certain amount of work, why does the amount of profit rise when you can extract more from the defendant?
Under this scheme, the only way to make more money as a law firm would be to increase your costs, so this creates an incentive to prosecute the case as expensively as possible.
The eventual endgame of this system would be that law firms’ costs should rise to eat as much of the settlement as possible, which leaves as little as possible for the actual victims.
A fixed percentage system creates an incentive to maximize the settlement (on behalf of the victims) and leaves the law firm to pay its own costs.
Equifax has made more money after the hack now that they are selling their credit monitoring as a service.
I went to their website trying to figure out how to lock my credit report (which US govt mandated be a free thing to do) only to learn that in order to use the "free" option you have to go through hours of phone trees, or write in snail mail.
If you want the ability to lock the report online or via an app, you have to pay ~$20/mo to Equifax. Total BS, and of course I wouldn't put it past this company to make money off their own data leak.
Equifax muddies the water here with “lock” vs “freeze” terminology on their web site. One costs money and one is free. The free is the mandated government version, which is a lock but I think they call it a freeze and can be done online. I’ve done it recently. It’s a really deceptive and dark pattern as they try and steer you Towards their paid version.
This is actually a good thing. The more lawyers get to suckle at the teat of class actions, the more class actions they will file, which will have a deterrent effect on corporate malfeasance even if there is no restitution to the victims.
> That's what all your personal information and your identity is worth. $6.
That's not how much it's worth, that's just how much Equifax was able to corruptly negotiate to pay for losing it.
If you really want to know how much it's worth, you could probably compute a reasonable estimate by taking all the money the credit bureaus from your credit file, and divide that by the number of credit files.
Also, when that statement is ever made, it really highlights flaws in our system when the rich/corporations/layers write the laws in their favor... So much for "for the people" right?
I just got a settlement check in Lovelace v Global Payments Inc (http://lovelacesettlement.com/). The grand total? 20 cents. Read the FAQ, it's fascinating:
$540,000 total from the company
-$135,000 lawyers fees
-$2,500 settlement representative (whatever that is)
-$164,224 to distribute the payment
-----
$233,276 for clients.
I have no idea how much the company made by charging transaction fees on credit card payments for student loans (that's what they're accused of) but they got off with a slap on the wrist. They should have been required to give back ALL the money they made. Fucking scammers.
Which is utterly insane considering it’s a near 100% margin business for them. The breach was basically a funnel into their free trial of credit monitoring.
The majority of the money is set aside for victims who can show specific damages. A relatively small portion was set aside for the vast majority of the victims who's information was leaked but not actually used to cause them any specific harm.
The money set aside ... specifically for cash compensation was capped at $31 M. It would have been somewhat more clear with something like It turned out there was a cap of $31 M specifically for cash compensation of the $380M restitution fund.
Correct me if I'm wrong, but my understanding about class action suits rarely benefit anyone but the lawyers; isn't the whole point to hurt the corporations where it hurts?
I made sure to give as little information as possible when trying to apply for this settlement. I have no faith that that information will be secured, so we'll be doing this again in a year or two.
I’m not pumped that Equifax is getting off for less than a half billion or that the attorneys are getting a big chunk of that. (It’s hard to say how much they should get, to be honest) But when I see a bullshit headline I have to call it out.
By the way, they based the $125 on the assumption that almost everyone would take the worthless credit monitoring option.