Go claim your $125 from Equifax. Right now. Even if $125 isn’t a sum of money that matters to you, even if you don’t feel you were really directly affected by the breach. Even if the prospect of filling out a relatively brief online form fills you with more dread than the theft of all your personal data.
Consider it a part of your civic duty: driving up the costs of data breaches for corporations so they have an incentive to invest more heavily in security. The payouts to individuals are part of the $575 to $700 million settlement that Equifax reached with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 48 states. (Indiana and Massachusetts are still pursuing their own lawsuits against Equifax.)
It’s an astonishingly large settlement for a data breach, though some people are still criticizing it as inadequate given the scale of the breach and the number of individuals affected. They argue that Equifax and other companies will view these fines as simply the “cost of doing business.” I’m OK with that. I think the costs of security breaches should, in some sense, be the costs of doing business, as opposed to an existential threat that drives the breached company into the ground. That way companies can weigh those costs against the costs of larger security investments and adjust their budgets accordingly. But I would like for those breach costs to be high enough to drive significant investment, and for that to happen, you have to do your part. (Also, if you won’t claim your check, then you forfeit your right to complain about how the costs of data breaches are too low.)
You may be thinking, But I don’t want to give Equifax the last six digits of my Social Security number and my birthdate and mailing address after it’s demonstrated just how much it can’t be trusted! Believe me, the company already knows all that information—and so much more. But it’s so much work to fill out the entire form! It’s really not, unless you want to claim additional lost time or expenses beyond the base $125 payout, in which case you have to submit a description of the time you lost or receipts for any identity protection services or other security purchases you made in the aftermath of the breach.
If, for instance, you went ahead and purchased LifeLock or some other credit monitoring service after the Equifax breach, go ahead and submit that receipt too. Each individual is eligible to receive up to $20,000 as part of the settlement; $125 is just the amount you can receive without having to do any extra work or claim any extra losses. The settlement also includes provisions to reimburse you for your lost time at a rate of $25 per hour. If you spent hours on the phone trying to clear up suspicious credit activity or figure out whether you had been affected, go ahead and submit that as well. One of the notable things about this claims process, in fact, is its recognition of the fact that people lose time dealing with these incidents and that time is, in itself, valuable to them.
Claiming your Equifax settlement share also prevents other people from claiming it for you. It’s only a matter of time before someone with a long list of stolen Social Security numbers starts trying to claim these payouts in bulk the same way criminals try to fraudulently claim other people’s tax refunds. Don’t be that person! And don’t let them steal your money either. (Also check to make sure that you’re at the legitimate settlement website, equifaxbreachsettlement.com, before submitting your information. If fraudulent sites don’t already exist to steal your settlement, they soon will.)
If you’re extremely worried about identity theft, you may be tempted to forgo the $125 and instead ask for four years of free credit monitoring through Experian. Don’t do that. Odds are very good you already have some free credit monitoring services from other data breaches you’ve been subject to over the past few years. If you don’t, go sign up for a free CreditKarma account instead and monitor your credit that way.
Even better, go freeze your credit so that no one can open new accounts or loans in your name without your knowledge. Credit freezes are free as of 2018, and they’re much more effective at stymieing identity theft than credit monitoring, though they can also be a little irritating to deal with when you do things that require people to be able to look up your credit (e.g., buying property or cars or applying for new credit cards).
Maybe $125 seems like a laughably small sum of money to compensate you for the loss of your personal data—and maybe it is. But as a standard for what happens to companies who lose your data, I’m not sure it’s a terrible solution either, for them or for us. If I had $100 for every data breach I’ve ever been affected by, well, I wouldn’t be rich, but I might feel like the incidents were a little less consequence-free. And if all of you had $100 for every data breach you’ve ever been affected by, then those incidents really wouldn’t be consequence-free. Sure, those costs would quickly become the cost of doing business. But they could be high enough costs of doing business that they might tip the scales in favor of a little more security. And that, in the end, is the real goal.
Update, July 31, 2019: The FTC is now encouraging people to take the credit monitoring because so many have filed for the $125. Josephine Wolff explains what’s going on—and what it means for your claim.