Leading credit bureau agency Equifax, which in September 2017 was found to have misplaced the personal data of more than 143 million people, has been ordered to pay $671 million in class-action lawsuits.
As part of the settlement, Equifax will be required to set up a $425 million fund, with the view of covering any consumer-based losses pertaining to the data leak. More specifically, those affected by the data leak will be liable for compensation of up to $20,000, on the proviso that they are able to prove they were affected by the breach.
However, here lies the problem. Those behind the data theft itself have yet to be brought to justice. Not only this, but law enforcement agencies have yet to encounter the stolen data for sale on illicit black marketplaces, making it all but impossible for consumers to know whether or not they were directly affected by the breach.
Where did the Stolen Data end up?
In fact, as per a number of leading cybersecurity experts who have extensively searched for the breached data’s end destination, it is somewhat surprising that those behind the hack have yet attempted to profit. Ordinarily, stolen data ends up on the black market, subsequently allowing users to anonymously buy and sell the data via Bitcoin trading. However, with no such marketplace in existence, one such theory is that the Equifax data was stolen by a rogue nation-state.
As a result, it remains to be seen how the $20,000 restitution fund will ever reach those affected. Nevertheless, those that are already signed up for the credit bureau’s monthly subscription service have the option of claiming a $125 payment. The only caveat is that users will need to remain on the platform for at least 6 months after the claim is made.
Difficulties in Proving Out-of-Pocket Data Breach Claims
While the Equifax data breach is just one of many brought to light over the past few years, successful data breach claims are extremely rare anyway. Whether it’s Facebook, Uber, or Yahoo, it is ultra-challenging for victims to actually prove that they need debt consolidation.
One such hurdle is proving on the balance of probability that a fraudulent transaction was caused by a data breach. A common defense is that the data leak could have been a result of a third-party entity, and thus, those responsible for the breach are rarely required to settle out-of-pocket claims.
One such solution has been brought forward by the New York Attorney General’s Office, which is set to enact new regulations concerning out-of-pocket data breach claims. While affected consumers will still need to show a paper trail that illustrates how they were financially impacted, victims will be able to claim for their time. This will be capped at 20 hours, at a cost of $25 per hour.
Ultimately, while the $425 million restitution fund that Equifax has been ordered to set-up is certainly a step in the right direction, it’s unlikely that much of this will trickle down to those affected by the breach.