I titled this post with an asterisk as every day brings about new developments to this massive data breach story.
Going off the numbers, it is not far-fetched to say that it is more likely than not that your personal information may have been exposed as a result of the Equifax data breach. Equifax revealed that 143 million Americans may have had their personal information compromised.
The population of the United States is 323 million. The population below the age of 18 is 74 million. That leaves 106 million people who are unaffected. Those people are perhaps lucky, live off the grid, or do not apply for credit regularly enough for this data breach to be an issue.
For the rest of us, the question is: what do I do now? The first step is to go to Equifax’s website and see if you were impacted. Ironically, you have to provide the last six digits of your social security number along with your last name in order to view your results. Here is what mine said:
A New York Times article reported that typing in a random name would result in the notification that the fictitious individual may have been affected. That must have been a glitch because I have friends and family who received the good news that they were definitively not at risk.
If you do not fall into this group, the next step is to decide whether you want to join TrustedID Premier, a credit protection service offered by Equifax free of charge for one year. Again, it is ironic that the company that allowed data to be compromised on its watch is asking users to entrust it to protect them from future attacks.
Initially, Equifax was offering the service only if the consumers agreed to waive their right to a class action. Corporations be damned, but this was a stealthily clever attempt for Equifax to fully insulate itself from the firestorm that will be arriving at its door. To be clear, there is no class action waiver for enrolling in TrustedID Premier in response to this cybersecurity incident.
Having said that, Equifax’s remedy for this epic blunder is far from adequate. First, as the same NYT article pointed out, cyber bandits would wait a year for the TrustedID membership to expire before exploiting the treasure trove of data. At the same time, there is nothing to stop criminals from using the information now to open fraudulent accounts that pull information from TransUnion or Experian. What is most absurd is that Equifax could potentially profit from this data breach because those that enroll in TrustedID would be too paranoid not to pay for the monitoring service after the trial is up. The data is out there forever. It is a matter of ‘when’ not ‘if’ that a thief would do something with it. As a result, TrustedID users would reup on their membership for many years to come.
Legal Action
If you have been or may have been affected by the data breach and you want to take legal action against Equifax, the next question is how.
The Obvious Option: Class Action
The angry mob of those affected by the data breach took to Twitter to with their virtual pitchforks to demand a class action be filed against Equifax for this historic event. Their prayers were answered as the law firms of Olsen Daines PC and Geragos & Geragaos (Mark Geragos was the former attorney to Michael Jackson) filed a claim alleging more than 70 billion in damages. The complaint stated that “Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to.”
While I agree with the allegations in the complaint, I do not necessarily agree that all those affected should join the action. The more that join, the less each plaintiff will receive. For example, assume that 143 million people join the class and the demand of 70 billion is awarded. If the attorneys receive absolutely nothing, each claimant would come away with $489.51. Regardless of the number of plaintiffs, the lawyers will come away with billions, and the consumers will end up with a rounding error award.
I speculate that this case will settle with plaintiffs receiving a nominal amount of money and a few years of TrustedID protection.
The Other Option: Consumer Arbitration
Consumer arbitration is a more efficient, albeit unknown, process for resolving disputes and obtaining meaningful results compared to litigation. Here’s why:
Individual Basis
In consumer arbitration cases are filed on an individual basis. That means each claimant can decide if he or she would like to accept a settlement or go through the entire process. This gives much more control to the claimant than in a class action where the class representative (and his or her lawyers) have the ultimate say. It may also result in a substantially higher payout to the claimant as he or she does not have to split the award with tens of thousands of other claimants.
Cost
In many consumer arbitration claims, including one against Equifax, the consumer’s share of the filing fee ($200), the administrative fee ($1,700), and the arbitrator’s compensation ($1,500) are covered by the respondent. An automatic bill of $3,400 per claim multiplied by thousands of people would likely force Equifax to address the claims expeditiously.
Time
If Equifax chose not to settle and go through the arbitration process, a resolution would still come about much faster than a class action as the average time from filing to an arbitrator’s award is months not years.
What’s Next?
It remains to be seen how Equifax will handle all the claims. Will it end up as a massive, consolidated class action? Will Equifax close the arbitration gates if too many take that route? Will the government step in? Will an automated chatbot be the answer? It is too early to know, but there is only way to find out– take action!
If you were affected, what legal steps are you taking?