Column: Did the FTC mislead consumers about its Equifax data breach settlement? Yes!

Equifax's reputation isn't glowing.
(Justin Lane / EPA)

The Federal Trade Commission is supposed to protect consumers from being deceived by businesses. But what happens when the FTC itself is the deceiver?

That question arises in connection with a new wrinkle in the settlement of up to $700 million that the agency and other regulators reached in July with Equifax, a credit bureau that allowed the personal data of as many as 145 million consumers to be breached by hackers.

Thousands, and perhaps millions, of victims are just now discovering that they’ll have to jump through an unexpected hoop if they wish to take advantage of a $125 settlement payout that’s one of the options for compensation.


It appears the agency itself may have misled the American public about the terms of the Equifax settlement and their ability to obtain the full reimbursement to which they are entitled.

— Sen. Elizabeth Warren, D-Mass.

The discovery has come through an email sent to applicants by the settlement administrators, threatening to deny their applications for the cash payout if they don’t respond with some personal information by Oct. 15. The email is sufficiently generic that it might be deleted, whether automatically or by a recipient’s choice, as spam. That’s what happened to two separate emails sent to my household.

The FTC knows the email looks bogus. In a Q&A on its web page detailing the settlement, it acknowledges that consumers might ask: “I got an email about the settlement. Is it legit?” Its answer is “Yes.”

This is only the latest bait-and-switch connected with the Equifax settlement, which was announced July 22 and billed as the largest such settlement ever in a data breach case. The settlement covered claims made against Equifax by the FTC, the Consumer Financial Protection Bureau and 50 states and territories. Like many such settlements, a big number ends up amounting to pennies on the dollar for individual victims.

The fine print in the Equifax case began to emerge almost immediately. It transpired that only $31 million of the total settlement was allocated to the cash payout. As Sen. Elizabeth Warren (D-Mass.) observed in a blistering letter to the FTC, that would cover only 248,000 individuals, or less than 1% of the 145 million consumers affected by the breach.


If more than 248,000 requested the cash, the payout would be reduced on a pro-rata basis. If all 145 million victims requested cash, they’d each receive 21 cents. The rest of the settlement covered civil penalties and the cost of credit monitoring to be offered victims for free.

The ID theft protection firm LifeLock is certainly one of the big winners from the big data breach suffered by Equifax, which exposed the personal information of 143 million Americans to hackers.

Sept. 18, 2017

“It appears the agency itself may have misled the American public about the terms of the Equifax settlement and their ability to obtain the full reimbursement to which they are entitled,” Warren wrote.

With that in mind, consumer advocates were forced to advise the victims that the alternative compensation — up to 10 years of “free monitoring of your credit report at the three credit bureaus (Equifax, Experian and TransUnion) and $1,000,000 of identity theft insurance” — might be the better choice.

Among them was Rep. Alexandria Ocasio-Cortez (D-N.Y.), who initially advised constituents to opt for the cash, but then backtracked.

The latest wrinkle involves the realization that the $125 cash benefit was available only to people who already had credit monitoring in place (possible as a benefit from an earlier data breach permitted by our stunningly lackadaisical retailers, banks and data firms.


The FTC says it believes it has given consumers adequate notice of the terms of the deal. “We would dispute the assertion that we had not previously made clear that the alternative cash payment was for those affected consumers who already have credit monitoring,” FTC spokeswoman Juliana Gruenwald told me by email. She cited a July 22 blog post specifying that “affected consumers were only eligible for the alternative cash option if they already had credit monitoring.”

Gruenwald noted that the FTC, in a July 31 blog post, notified applicants to expect an email from the settlement administrator asking them to identify the credit monitoring service they already have.

Yet the agency’s multiple web postings arguably have stoked consumer confusion. The deal, the FTC said in a July statement, was for “up to 10 years of free credit monitoring OR $125 if you decide not to enroll because you already have credit monitoring.” What wasn’t clear was that you couldn’t seek the cash payout unless you already had credit monitoring.

CalPERS and other marketers of long term care insurance screwed up their calculations, creating a crisis for millions of customers.

July 25, 2019

In yet another notice posted on its website and dated this month, the agency says that the settlement includes free credit monitoring for up to 10 years and adds parenthetically: “(Previously, a cash payment was identified as an alternative to the free credit monitoring, but there are limited funds available.)”

The FTC seems to have decided that most consumers would have no trouble navigating through its multiple formulations of the settlement terms. Bad call, since the FTC itself seems to have been rather confused itself. For an agency with the job of ensuring that people aren’t misled or cheated by the fine print in consumer contracts, its failure to make the terms crystal clear up front, and in BOLD TYPE, is inexcusable.

The bottom line is that countless Americans signed up for a $125 cash benefit plainly on the assumption that they’d get $125, on the condition only that their data had been breached — which they could determine by plugging their name, address and a few other personal facts into a settlement website. Interestingly, the website currently requires applicants for the cash benefit to give the name of their existing credit monitoring service before proceeding. That’s new. As recently as Aug. 3, according to a web archive, claimants who opted for the cash benefit were asked only if they wanted the money paid by check or prepaid card.

That brings us to the email, which showed up in my email account only Saturday. The email, which came from the Equifax Breach Settlement Administrator, informs applicants to “verify your claim for alternative compensation by providing “the name of your credit monitoring service that you had in place when you filed your claim.”


Facebook’s investors weren’t fazed by its $5-billion fine. So what would shake them?

July 18, 2019

The email warns, “Please note that if you do not take action by October 15, 2019, your claim for alternative compensation will be denied.” Applicants can still change their choice to free credit monitoring until the application deadline, next Jan. 22.

This is, of course, an ancient dodge well understood by insurance companies and other consumer-facing businesses: With every hoop claimants are forced to jump through, a certain percentage will give up. That’s why the first, reflexive response by a health plan to a big claim is to deny it, forcing the claimant to file an appeal. Then that’s denied, requiring yet another appeal, and after a few months of this roundelay a sizable liability can be whittled away to nothing.

Should the nation’s premier consumer watchdog be participating in what is, at heart, a scam? The email doesn’t merely present a hoop to jump through, but requires consumers to rummage through their records to find the name of their credit monitoring service and submit proof that the service will remain in force for at least six months after the date they filed their initial claim.

This is a classic example of the proverbial “Hobson’s choice” — a choice in which only one thing really is being offered. In other words, no choice at all. Free credit monitoring may be the right choice for many of Equifax’s victims, or it might not. Quite a few victims might reasonably wonder at the value of a service being offered by the very firm that created their problem in the first place, through an inexcusably lax approach to the security of the personal data of half the residents of the United States.

Yes, the credit monitoring might be free, but it might be worth nothing. But forget about the $125 alternative — it doesn’t really exist in the real world.


The Equifax settlement is beginning to look not like a triumph of regulatory scrutiny but just another ripoff — but government certified.