The news that Equifax has been hacked and that 143 million Americans have had their private financial data exposed sent ripples of frustration and fear through the credit card-carrying public.
Equifax is one of the three largest credit bureaus in the country. When its security protocols were compromised, the data thieves swiped names, Social Security numbers, birthdates, addresses, and in many cases driver’s license numbers – in short, all the identifying information that someone would need to impersonate you.
In addition, 209,000 credit card numbers were also compromised.
What Can Thieves Do With the Stolen Data?
The stolen information could potentially enable Bad Guys to ruin your financial life. For example, they could open checking accounts in your name and then bounce checks off them, effectively ruining your credit rating.
They could also open new credit cards in your name, max them out, and then default. They might even be able to use your identity to get a driver’s license, divert your tax refund, or swipe your Social Security check.
And the potential consumer impact goes beyond the financial realm. Using the driver’s license situation as an example, someone could run up tickets and other motor vehicle infractions, and leave you stuck with the fines – or a warrant for your arrest.
Criminals could also use your health insurance to get prescriptions in your name. This would mess up your medical records and even make it difficult for you to access your own insurance benefits, or to obtain legitimately prescribed medications.
What is Equifax Doing in Response to the Hack?
The Equifax breach is the largest and most serious data hack in US history. And to make matters worse, the company waited for six weeks to tell the world about it, giving criminals plenty of time to do serious damage before the public was aware of the danger.
When Equifax finally did own up to the problem, its response did not inspire confidence. It initially offered people “free” credit monitoring, but it also asked people for their credit card information and said that it would start charging for the monitoring once the free trial period ended unless the customer proactively canceled.
Faced with public criticism, the company has now stopped taking credit card information and has deleted the payment language in its credit monitoring contract.
If this wasn’t enough, Equifax also inserted a mandatory arbitration clause into the credit monitoring user agreement that many people interpreted as requiring them to give up their right to sue the company for negligently ruining their financial lives.
In fact, the arbitration clause only applied to Equifax’s credit-monitoring subsidiary, not to Equifax itself, but even the Attorney General of the State of New York demanded that the company remove the arbitration clause.
The company complied and “clarified” that consumers will not give up any right to sue by electing the company’s offer of credit monitoring.
What Can Consumers Do to Protect Themselves?
Since Equifax has done little to inspire consumer confidence, either in its data security or in its response to a crime that could seriously affect half of the people in the country, what should a smart consumer do?
Consumers who wish to be proactive in dealing with the hack should consider signing up with one of the various identity theft protection companies that monitor your credit, alert you to new activity on your credit report, and take immediate steps to scrub inaccurate information from your credit history.
The New York Attorney General's office also has an excellent summary of other things people affected by the breach can to do protect themselves.
While it’s certainly galling to have to spend money to protect your good name from the effects of Equifax’s inadequate data security, this is a case where spending a small sum now many well prevent you from far more serious losses later.
For those still concerned about the potential ramifications of the Equifax data breach, here we address some additional FAQs:
Q: HOW CAN I FIND OUT IF MY PERSONAL DATA WAS STOLEN?
A: Equifax has set up a website where people can enter their last name and the last six digits of their Social Security number and receive an immediate reply.
Replies to at-risk people read “Based on the information provided, we believe that your personal information may have been impacted by this incident.”
Replies to people who are not believed to be at risk read “Based on the information provided, we believe that your personal information was not impacted by this incident.”
Q: I HEARD THAT IF I CHECK WHETHER MY INFORMATION WAS HACKED OR SIGN UP FOR EQUIFAX’S CREDIT MONITORING SYSTEM, I WILL BE GIVING UP MY RIGHT TO SUE THE COMPANY. IS THAT CORRECT?
A: No. The confusion over this question stems from the fact that Equifax is offering free credit monitoring to potentially-affected consumers. The monitoring is done by a subsidiary of Equifax, not Equifax itself.
The user agreement with the monitoring company initially contained a mandatory arbitration clause which, by its terms, applied only to the monitoring services going forward and not to any past misdeeds by Equifax itself in connection with the breach.
Equifax has attempted to clear up this confusion by stating in multiple places on its website that “enrolling in the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action.”
The subsidiary company has also removed the mandatory arbitration clause from its user agreement.
Q: I DON’T HAVE ANY CREDIT CARDS, BANK OR CONSUMER LOANS, OR MORTGAGES. DOES THIS MEAN I AM NOT AFFECTED BY THE DATA BREACH?
A: Unfortunately, no. Many people have had a credit check run on them through Equifax as part of an employment application, a rental or lease application, a student loan or grant application, or as part of a security check.
In that case, your name and personal identifying information was sent to the company and may have been part of the data breach.
Q: IS EQUIFAX OFFERING TO REPAIR MY CREDIT IF MY PERSONAL INFORMATION WAS COMPROMISED BY THE BREACH?
A: No. Equifax is offering only monitoring services, not repair services. Credit repair services will have to be purchased by consumers independently.
There are a number of excellent companies that can assist with this.
Q: SINCE THE DATA BREACH, I’VE SEEN SOME FIRMS OFFERING CREDIT REPAIR AND OTHER OFFERING IDENTITY THEFT PROTECTION. WHAT’S THE DIFFERENCE?
A: Although there is some overlap between these two services, the key difference is that identity theft protection is generally forward-looking and seeks to prevent damage to your credit history.
Identity theft protection services, on the other hand, monitor your credit history and alert you to any changes in it. Some offer insurance against financial losses due to identity theft.
Others monitor sites on the dark web where consumer identifying information is sold (current going rate: $30 per person for a name, address, Social Security number, and date of birth). Some offer fraud resolution services, which assist consumers in clearing up bills that they did not incur.
Credit repair services, however, are generally retrospective. Once any harm has been done to your credit history, these firms work to scrub the damaging and false data.
Credit repair services challenge incorrect entries on your credit report and work with lawyers to ensure that credit bureaus are abiding by the consumer protection laws.
Q: I AM POTENTIALLY AFFECTED BY THE EQUIFAX DATA BREACH. HOW CAN I PROTECT MY LEGAL RIGHTS?
A: You should not sign any documents relating to Equifax and the data breach without obtaining legal counsel. You may also wish to join one of the class action lawsuits against Equifax.
As of this writing, there are 23 separate class action lawsuits have been filed in 14 states and the District of Columbia. It is likely that many of these suits will be consolidated eventually.
However, by enrolling or proceeding in the class action suit, you may be forfeiting your rights to sue Equifax individually. Again, make sure to get legal counsel in order to determine how best to proceed.
Q: WHAT ARE THE LEGAL CLAIMS AGAINST EQUIFAX BASED ON?
A: So far, lawyers representing consumers in claims against Equifax have advanced three legal theories. The first is that Equifax was negligent in its security protocols and procedures and thereby enabled the hack.
Another theory claims that consumers were harmed by Equifax’s delay in alerting the public that their private information had been stolen. The company first learned of the breach in late July but did not disclose the hack to the public until early September.
The third theory is that after the breach, Equifax did not properly disclose that the company performing the “free” credit monitoring after the breach was, in fact, a subsidiary of Equifax itself.