Probably for good reason. $500 per class member is an insanely high damages estimate. 99.9% of people will suffer zero damages because their identities will not be stolen. Even the ones who do have their identities stolen will likely be made whole by the credit card companies.
The real damages here are going to be to the banks and credit card companies that will have to absorb the costs of all the fraud.
As to the Ticket Master case, you can read the complaint yourself and see if $5 or so per class member settlement value was reasonable: http://www.ticketfeelitigation.com/docs/Fourth_Amended_Compl.... The theory was that TicketMaster didn't disclose that it was marking up fees for things like UPS delivery and order processing, and that if customers had known they wouldn't have ordered the tickets. That's a weak damages theory, because customers don't care about line items; they care about the bottom line. Either they'll pay $X for the tickets or they won't. Unsurprisingly, that weak damages theory led to a small per-class-member settlement.
> Even the ones who do have their identities stolen will likely be made whole by the credit card companies.
Are credit card companies now in the habit of reimbursing consumers for the considerable time and headache required to sort out fraudulent charges caused by insecure data storage practices in the credit reporting agencies that the credit card companies contract with?
There are numerous reports of identity fraud causing a significant amount of trouble for the consumers involved, and as far as I know, not a one of them has ever received a letter beginning, "We're sorry for the time and trouble you went through to clear this up", with an attached check.
Replacement credit cards are not the issue. Whoever has this data has the complete dataset to open new credit cards in your name, buy a car in your name, get plastic surgery in your name, etc.
The hassle will be convincing all those companies that you do not in fact owe them thousands, and there are no automatic protections for these types of harms.
Even worse is if you don't immediately notice a new account on your credit report, that then goes to collections. -_- 10 years later and I still get threatening calls from the shadiest of shady "collection agencies".
Do you know if there's any way to "notice" these new accounts without having to freeze your credit or otherwise mess with the normal process for getting new credit? I just want a notification, nothing else.
> Are credit card companies now in the habit of reimbursing consumers for the considerable time and headache required to sort out fraudulent charges caused by insecure data storage practices in the credit reporting agencies that the credit card companies contract with?
It's not a "habit", it's the law. It doesn't matter how the fraudulent charges came to be. If a person disputes a charge and has evidence to show it's fraudulent, then by law the credit card company has to investigate, and deal with it.
It also makes business sense. CC companies make a ton of money with legal transactions, and an anti-consumer, pro-fraud reputation would cost them customers.
> There are numerous reports of identity fraud causing a significant amount of trouble for the consumers involved, and as far as I know, not a one of them has ever received a letter beginning, "We're sorry for the time and trouble you went through to clear this up", with an attached check.
Why would the bank or credit card company send a check? Presumably they're not the one who committed the crime, so why should they cover the damages?
I've had my identity stolen, and it was a PITA to clear up, but the bank and credit companies were reasonable about it, IMO. In a case like this, where it's easy to point at the Equifax breach and say, "See? This is how they got my info.", it's probably even easier to clear up, though I'm sure it's still a hassle.
Time. I'm pretty old, retired, and have a few bucks. Time is my most precious commodity, and I prefer to give it to those who deserve it.
I'm not sure how much I'd want someone to pay me for an hour of my time. Clearing up identity theft can take many hours. Those are hours I can spend bugging the missus, or even bugging you folks.
I am clearly not to blame for their data exfiltration. Who is going to pay me for my time? What is my time worth to them?
This is all theoretical. My credit has been frozen for a long time. It has been that way since the OPM hack. However, for the sake of expression, I point out that my time is pretty valuable to me. Those who steal my time are worse than those who would steal my property. I can insure my property, I can not replace my time.
This has been hitting me hard lately. I'm pretty young at the tail end of my 20s, job is finally stable enough not to worry about money, and have really started to realize how few free hours I can find in a week. Work and its on call rotation, obligations to the girlfriend and social circles, maintenance on the house and cars, bills that don't have an auto pay option.
Last month my auto registration sticker didn't show up in the mail after renewing it. A trip to the county clerk, then the sheriff's office to file a report, then back to the clerk to get another sticker took almost two hours. Stopping by the local bank to change my address after the online system locked my account for two incorrect password attempts took 90 minutes. 6 phone calls after a cancelled auto insurance policy made an auto draft the next month. My coworker has a pile of kids, two with medical issues, it seems like his wife has a part time job dealing with medical billing issues.
Most of these rambling examples aren't the fault of the organizing institution (unlike the Equifax leak at hand), but in the end individuals are bound by those institutions' organizational practices in their pursuit of normalcy. I don't know how it could be implemented or enforced, but at a certain point it feels like individuals should be compensated for suffering organizational incompetence or negligence.
I got lucky and sold my business when I was just 49. However, I worked a minimum of 60 hours per week, for years.
Which gets me to my response:
Cherish that time. I don't care about longevity, I care about maximum value. I may be content to die today, but I'm not content wasting time on something that is forced on me.
I don't regret much, but I do regret my time that was wasted by others. As I look back, I see so many situations where I could have disallowed that while still getting the same eventual outcome.
They do it on purpose and have no intention of fixing their administrative inefficiencies. They know most people don't have the patience for this crap so that discourages people from creating a hassle for them with problem/things that they have to do.
For instance, in a past life I may call up to question a charge on my cable bill. Now that I have more money, I don't waste my time on such nonsense. If the cable company wants to charge me an extra $20 for no reason, they can do so, because it's not worth my time to call them up and get shuffled between departments for 2 hours.
Last time a cable company charged me wrongfully (I wasn't even their customer anymore), I called my bank and had them reverse the charge, as well as block any future ones. Took me like 5 minutes. Now the only time investment I have is throwing their monthly threat letter in the trash about how they will cut my internet access if I don't pay up.
> It's not a "habit", it's the law. It doesn't matter how the fraudulent charges came to be. If a person disputes a charge and has evidence to prove they didn't make it, then by law the credit card company has to investigate, and deal with it.
But the time it takes on the phone to talk to an agent, review your records for legit vs illegit charges, etc. are not reimbursed, which is what they were on about.
> Why would the bank or credit card company send a check?
"Even the ones who do have their identities stolen will likely be made whole by the credit card companies."
Fraudulent charges on a credit card are the least of my concerns. This opens us up to a lifetime of identity theft and insecure accounts of every sort. I'm not even sure how they can approach remedying the problem. Coordinate with the SSA to get 150 million people new SSNs at the least.
This is really the concern. With this level of detail, someone can open any kind of new account - not just credit card - dig into everyone's lives (or political opponents on social media for doxxing). And the threat remains in perpetuity.
There is no way to even estimate the damage as some devious ways of it harming us may not even exist yet.
> There is no way to even estimate the damage as some devious ways of it harming us may not even exist yet.
Scifi story idea:
Far future. Life extension possible. The government will provide it free (if you want it) - one time only though - when you are near the end of your first life. Upon extension, this technology also turns the clock back to renew you to 20 years old.
You're 78 years old, frail, ready to kick it, but decide to do the extension. You go into the clinic. Give them your information, etc.
Bzzt.
We're sorry, you've already been rejuvenated before. We can't help you, unless you want to pay $$$$$$ for us to go ahead with the procedure.
Why would people need new SSNs? It was the credit industry that misused them as combination of unique identifier and authenticator, and that is not the SSA's responsibility to fix. The government even tried to curb misuse of the SSN, but it was not binding on private entities, and they just ignored it.
The solution, whatever it is, does not include anyone continuing to pretend that the SSN is now or has ever been suitable for any purposes other than for tracking government benefits managed by the SSA, and possibly also for tax filings with the IRS.
> other than for tracking government benefits managed by the SSA, and possibly also for tax filings with the IRS
... and all of the other government benefits, programs, or mandated activities, many (all?) of which demand your SSN. Are you even sure that the credit industry, i.e. banks, originally misused SSNs? I wouldn't be surprised if they were required, by the government, to use them, precisely because it is the closest thing to an official "unique identifier".
Some people also might be concerned with not receiving their SS benefits either, which isn't entirely far-fetched given that others might now be using it for nefarious purposes (like trying to collect their SS benefits).
> I wouldn't be surprised if they were required, by the government, to use them, precisely because it is the closest thing to an official "unique identifier".
I read something somewhere else (maybe on a different HN thread, maybe here?) that this was changed in 2000 for something called "red flag laws", IIRC.
You're absolutely correct. We should move to a well designed identity system. However I'd SWAG the development and deployment of such a system around 10-15 years if all of the involved parties were on-board. Equifax could provide the SSA a pile of money and the victims could have a reasonably effective defense against identity theft within months.
Wouldn't it be simpler to make an SSN number last only five years? It's a partial workaround, but would immediately help by reducing the attack opportunity time massively, along with making it standard to have variable SSNs throughout the system and making it easier for people to just renew theirs after breaches like this, since the current bar for obtaining a new one is quite high.
Honestly, this is only really an issue because organizations are using SSN as authentication and not just as identification, caused probably by the lack of a federal ID scheme, compounded by the inability to easily change the SSN itself as you would with an ID document (which is why here IDs are relatively short-lived and we can get away with SSN equivalents that are for life).
Bingo. In Sweden, as an example, our birth date plus 4 unique digits is your nationwide ID/SSN. So obviously your SSN is not exactly a secret, and instead you also have to prove that you are you with a photo ID or online 2FA ID.
There's no such thing as losing your SSN because it is already public.
> 99.9% of people will suffer zero damages because their identities will not be stolen. Even the ones who do have their identities stolen will likely be made whole by the credit card companies.
The extent of the potential damages here isn't limited to credit card fraud. Having your SSN leaked along with your name, date of birth, every recent address you've had, etc. opens you up to a lot of other attack vectors.
Furthermore, credit reports can often inadvertently contain information that relates to one's medical history - you can request that this information be obscured or sealed in your report if you find it, but that means that certain medical information is also within the scope of the potential leak.
True, but in the US you can not really sue for possible harms. You can only sue for actual harms which can be remedied by the court. Leaking your information isn't a harm the court can remedy. Abuse of the leaked information is a harm the court can remedy.
I don’t think that’s a generally accepted legal standard. It seems similar to saying that Edward Snowden and Chelsea Manning only released information, which the courts can’t remedy. If anything bad should happen due to that leak, then the courts can remedy that in the case of the people who committed those acts.
The government is clearly of the opinion that they can and should prosecute people for leaking information which could cause possible harms.
I’m clearly not a lawyer, but these scenarios seem pretty similar to my untrained eye.
The difference is that their intentional leaking of classified information as people with a security clearance is letter of the law illegal. The difference seems huge and obvious to my untrained eye.
To add to this, their acts were intentional. Yes, you're very right that they were very much illegal acts. However, it needn't be intentionally spilled classified information in order to be illegal. Under certain circumstances, even accidental 'spillage' is a felony. Negligent 'spillage' is also very much a felony.
I've been through quite a bit of training and held my clearance for years. I was a victim of the OPM hack. Well, I guess I still am a victim. Mens rea doesn't really apply when handling classified material/data. If it is accidental AND you report it properly, it's not jail - you are so losing your job, however. You also lose your clearance. It has been a while, but I'm pretty sure you lose it forever.
The State prosecuting someone for a crime is not the same thing as a private individual suing another individual for a tort. Basically everything is different: different rules of procedure, different rules of evidence, different standard of proof required, etc. etc.
> The real damages here are going to be to the banks and credit card companies that will have to absorb the costs of all the fraud.
This is not true at all. They simply reverse the charges. Businesses who accepted the fraudulent transaction(s) are on the hook for it. Anyone who runs a business and handles credit card processing can confirm this.
If there are 140 million members then any settlement will be individually quite modest (Equifax has annual income of ~600 million dollars, so multiple years of all of it to get to even $10).
It does seem like any penalty for something like this should severely impact the ability of the company to operate though.
I suppose a $0 way to penalize them severely would be to force Equifax to allow individuals to opt out of having Equifax store information about them. Lots of people would do so without understanding that it might impact their ability to get a loan, but so what.
But that would also make Equifax's product not that appealing to the companies that would purchase it. So organisations would have to use one of the other agencies as well.
$500 may be high, but $100 would be more reasonable even for those that didn't have their identity stolen; I've already spent an hour researching the hack to figure out what to look for and whether or not I was included in the set of stolen identities.
Most businesses include their markup in their displayed price. Ticket Master was displaying one price and then sneaking in an extra fee later in the process.