Equifax to world+dog: If we give you this $700m, can you pleeeeease stop suing us about that mega-hack thing?

Data-spaffing consumer credit biz Equifax is offering a package of roughly $700m in order to kill off lawsuits regarding its 2017 super-cyber-heist. The credit reporting agency announced on Monday it has proposed the payout in hopes of settling class-action suits, as well as state and federal investigations, over its conduct …

  1. a_yank_lurker Silver badge

    Right

    Not enough should be 10x. Plus the Chinese treatment for the executives.

    1. Jediben

      Re: Right

      1000x.

      1. Anne-Lise Pasch

        Re: Right

        $4000 for spaffing my data sounds about right. My data is worth more than $4 to me. Although, thanks to Equifax, it's now *public domain*

  2. Nick Kew

    This is just the US

    ... but Equifax is multinational. Isn't anyone else taking them to the cleaners?

    I guess this breach escapes the potential Big One by virtue of being pre-GDPR.

    1. Doctor Syntax Silver badge

      Re: This is just the US

      "Isn't anyone else taking them to the cleaners?"

      https://ico.org.uk/action-weve-taken/enforcement/equifax-ltd/

      1. gerdesj Silver badge
        Childcatcher

        Re: This is just the US

        "The Information Commissioner’s Office has issued Equifax Ltd with a £500,000 fine for failing to protect the personal information of up to 15 million UK citizens during a cyber attack in 2017."

        UK citizens' data are only worth about thruppence a pop.

        1. testytest3@mailinator.com

          Re: This is just the US

          The breach happened pre-GDPR, and at that time the maximum fine the ICO could impose was £500,000, so it would have been more but they were hamstrung by the legislation in force at the time.

    2. Blazde Silver badge

      Re: This is just the US

      There are several confident-sounding solicitors' firms in the UK offering no-win no-fee group claims, but they don't give the impression of representing many people yet. I suppose, ironically, the solicitors have trouble reaching affected individuals in part because their contact data is so well protected now by GDPR.

  3. Mark 85 Silver badge

    Settlement is BS

    Most of the money will be used for "credit protection services" from guess who?

    I believe Wyden is right. It's about time execs start taking some heat to more than their bonuses. But if that happens, they'll end up at the so-called "country club prison". Maybe Alcatraz needs to be re-opened for executive miscreants?

    1. The Nazz

      Re: Settlement is BS

      Yes, Wyden is right, there should be personal accountability on such matters.

      But isn't Wyden a lawmaker? It falls to him and his colleagues to pass laws that have criminal responsibility, deterrents and punishments.

      Oh, and whilst you're at it Sen. Wyden, make sure the law includes the same criminal responsibilities for politicians too.

      1. eldakka Silver badge

        Re: Settlement is BS

        But isn't Wyden a lawmaker? It falls to him and his colleagues to pass laws that have criminal responsibility, deterrents and punishments.

        There are criminal liabilities for these actions. Negligence, fraud and many other crimes could be seen to have been committed.

        However, it is up to the executive, that is, the DoJ, state AGs, etc., to choose to file and then prosecute criminal charges. The executive has absolute, sole discretion, and absolute immunity, on whether or not to file criminal charges. Someone could murder someone right in front of an AG, and the AG would be entirely within their legal authority to refuse to prosecute the murderer. And there is nothing anyone can do, legally, to force the AG to do so. Of course, the AG could be fired and another AG appointed who could then pursue charges, but the previous AG would have done nothing legally wrong.

        No-one else, not the public, not the legislature, has the authority to file, or force the executive to file, and prosecute, criminal charges.

        1. Claptrap314 Silver badge

          Re: Settlement is BS

          And to be clear, this is in fact a good thing. There are some rather famous cases that should not have been brought that were, and it is next to impossible to predefine the scope where such things should be.

          Public outrage really is the appropriate guide.

          1. Cederic Silver badge

            Re: Settlement is BS

            Hmm, no. In the UK you can bring a private prosecution for a criminal offence, with the same punishments under law possible as under a Crown prosecution.

            This lets people exert justice even where it's politically deemed undesirable. Public interests are served by the ability for the CPS to take over and close down a prosecution should it be deemed inappropriate, but they'd need strong reasons for such action and it would force a public action (rather than the private inaction of choosing not to prosecute).

            The US would benefit greatly from such a capability.

        2. phuzz Silver badge

          Re: Settlement is BS

          Aren't AGs elected in the US though? It seems odd to me that you'd want someone who's effectively a politician making decisions about who gets prosecuted.

          1. Just An Engineer

            Re: Settlement is BS

            Nope, in about half the States they are appointed by the Governor. But still politicians...

            1. doublelayer Silver badge

              Re: Settlement is BS

              Whether elected or appointed, they're politicians. And yes, it's a bit weird to effectively elect someone who can choose not to prosecute something. However, someone has to choose, and as stated above, there are benefits to having that choice. The alternative is that someone still has that power, but they're not elected. That is the same from the possible conflict of interest perspective, but in that case it'd be harder to get rid of them if they did something citizens didn't like but wasn't technically illegal. Completely fair government is hard.

    2. Anonymous Coward

      $700m / 145m people is less than $5 each assuming the lawyers don't take it all.

      Indeed BS

      Jail time and a data retention exclusion for the complete management team, along with a security review of every other credit reference company and bank they shared data with.

      Taking off and nuking the planet from orbit is the only way to get the message across to these leeches

      1. Charles 9 Silver badge

        Re: $700m / 145m people is less than $5 each assuming the lawyers don't take it all.

        But what if they're an Andromeda Strain and can FEED off nukes?

    3. Zippy´s Sausage Factory

      Re: Settlement is BS

      I have to say, I think the security was basically left lax on the grounds that it would give them an opportunity to sell more "security" products and services, on the grounds that not many other people do what they do. A licence to print money.

      Just for once, I agree with a politician here. (I usually don't, but that's basically a reflex action on the grounds that... well, they're a politician)

      1. Cederic Silver badge

        Re: Settlement is BS

        I doubt security was left lax to boost sales of their own products. Far more likely were oversights, resource constraints, business priorities and poor processes.

        Their security products will sell purely because of all of those things being endemic everywhere else.

  4. Anonymous Coward

    Once again...

    Senator Wyden is the voice of reason and of the people in this age of surveillance capitalism.

    It's a shame there are those on the other side of the spectrum like the telco lobbyist at the head of the FCC.

    1. Anonymous Coward

      Re: Once again...

      Unfortunately, given the current political polarisation, a Democratic Senator getting the first word in will probably mean they'll walk free with compliments of Trump and a Mar-a-Lago invite, just to spite the other party.

  5. Anonymous Coward

    In a perfect world...

    This scandal should have destroyed their credibility to the point that they would be out of business by now.

    1. DCFusor
      Facepalm

      Re: In a perfect world...

      You can't opt out. None of their customers were harmed. I didn't hear of any customer being sold false data as a result of the hack. How would loss of credibility to those of us who have zero choice about them gathering our data and selling it affect anything whatever about their viability as a business? Maybe we vote for someone who won't just be bought like 100% or so of all previous elected officials?

      1. BoldMan

        Re: In a perfect world...

        We, i.e. the public, are not their customers, we are their product, therefore if we get harmed they don't give a shit.

        However you were correct, none of their customers were harmed - their customers are the banks and financial businesses that use their credit check services.

  6. ThatOne Silver badge

    This should set an Example

    "All right, you've got your identity stolen, lost your house and car, here is $5 for your troubles." Seriously? This is definitely taking the piss.

    But the even bigger problem is that if they get away with it, every information pusher out there will know they don't really need to worry about losing information.

    On the other hand, if the Equifax execs go to prison, I'm pretty confident everybody else will suddenly behave...

    1. Anonymous Coward

      Re: This should set an Example

      Big wigs almost never go to jail. They have enough money to make offers that are hard to refuse.

  7. vtcodger Silver badge

    Jail Time?

    US Sen. Ron Wyden (D-OR) put out a statement on Monday blasting the proposals and arguing that company execs should have been personally prosecuted for their negligence in handling the personal information of others.

    Jail for corporate officers? Won't happen. I'm pretty sure that the US constitution bars that except for those who, like Bernie Madoff, steal from the wealthy. (Mr Madoff -- age 81 -- is currently serving a sentence of 150 years for a long list of indiscretions).

    Seriously. Do you folks have any idea what would happen if corporate officers were routinely held legally responsible for their actions?

    1. DCFusor

      Re: Jail Time?

      The constitution doesn't contain corporate law. But the corporate "veil" can be pierced if there's demonstrable malfeasance and I believe sufficient negligence.

      Somehow, even in utterly egregious cases like this, it never seems to happen, though.

      Something about the big guys being able to afford the better legal help, or golf clubs for the judge.

      So they're kind of hard to sue and win big.

    2. Doctor Syntax Silver badge

      Re: Jail Time?

      "Do you folks have any idea what would happen if corporate officers were routinely held legally responsible for their actions?"

      Yes. Instead of anyone in the lower ranks proposing improvements to security being told to GFO they'd be being asked anxiously if they were sure there wasn't something else that could be done.

    3. Anonymous Coward

      Re: Jail Time?

      > what would happen if corporate officers were routinely held legally responsible for their actions?

      Uh, they might be less corrupt, greedy, and just generally awful?

  8. Anonymous Coward

    Bring back the pillory

    Fines don't mean a thing, that just gets passed on to shareholders. Any activity that results in profound human damage (and I think having to fight to keep yourself from having your identity stolen, with all the fun financial consequences, is amongst that) ought to mandatorily result in some time in the public pillory, with the sale of rotten vegetables automatically authorised in the near vicinity.

    The US approach to white collar jail time is more a Club Med with locked doors, which is why it is not helping.

    Either that, or mandatory publishing of all their details and being barred from changing any of it without that being out in the open too.

    1. Anonymous Coward

      Passing the loss to the shareholders is fine

      The behavior we want is for companies like Equifax to take security breaches seriously, "too big to fail" banks to take knowingly making bad loans seriously, etc. The way you do that is to make sure that shareholders and bondholders lose everything in the event of a major breach of trust, and this definitely qualifies.

      If there was a possibility of losing everything, shareholders would force management to assign a much higher priority to keeping information secure, acting ethically etc. They'd also insist on management having skin in the game so they'd probably force them to earn their bonuses in stock and hold it for several years before they could sell it. Then the interest of management, shareholders and consumers would all be aligned as far as preventing security breaches or other breaches of trust.

      Making them pay a fine, no matter how large, doesn't accomplish this. They need a "death penalty" for a corporation - not one that ends the corporation because you don't want to punish employees for bad decisions of management. One that zeroes out the stockholders and bondholders of the company. Hit the 1% where it hurts, and behavior will change.

      1. Pascal Monett Silver badge

        Re: Passing the loss to the shareholders is fine

        I like that idea. Should be simple to implement as well - just instruct Wall Street to down the global value of the shares by the amount of the fine. Shareholders will scream bloody murder and then things will change.

        1. hplasm
          Thumb Up

          Re: Passing the loss to the shareholders is fine

          "down the global value of the shares by the amount of the fine."

          this.

          i like this!

        2. Anonymous Coward

          Re: Passing the loss to the shareholders is fine

          It's not that simple, it isn't like the market cap of a stock is a bank account, you can't "down the value" by a specific amount. What I suggest is really an all or nothing thing. Either you zero the value of the stock/bonds or you fine, there is no middle ground. The zeroing would be done only for egregious cases where the corporation deserves the "death penalty", for lesser cases a fine would continue to be the only viable option.

          1. Michael Wojcik Silver badge

            Re: Passing the loss to the shareholders is fine

            it isn't like the market cap of a stock is a bank account, you can't "down the value" by a specific amount

            No, but in theory (and ignoring the fact that there's no legal precedent for this, and quite likely no legal foundation for doing it), some authority could implement a fine by attaching an additional tax penalty to transactions in Equifax stock and dividends issued for same. That would make it less attractive and increase Equifax's cost of capital.

            Probably that would have to be implemented by passing a law creating new classes of short-term and long-term capital gains with a higher tax rate, and giving some branch of the executive the power to assign shares of stock issued by particular corporations to those classes. It would be a bit of a bureaucratic mess, but in the world of tax law that'd hardly be noticeable.

            1. Anonymous Coward

              Re: Passing the loss to the shareholders is fine

              But why not fine the company itself? That way the loss is distributed equally to shareholders, and without the huge expense of administering a special tax for trades/dividends on those shares to collect the fine (and it wouldn't be distributed equally - if I hold my shares and the stock pays no dividend I get off scot free)

          2. elvisimprsntr

            Re: Passing the loss to the shareholders is fine

            How about taking away stock options from executives/directors found criminally negligent or culpable?

      2. Nunyabiznes

        Re: Passing the loss to the shareholders is fine

        @ DougS

        I like your idea but many times employees of the corporation are forced to invest into it for their retirement plan. This would hurt the bees more than the queens, maybe. Although with the stock options most C-level positions get it might hurt them enough to get their attention.

        1. Anonymous Coward

          Re: Passing the loss to the shareholders is fine

          There would need to be laws that give employees a choice - and the stock market might pay attention to the investment level of the employees. If they see a company where the employees own little stock they might think "they know something" and stay away themselves.

        2. Michael Wojcik Silver badge

          Re: Passing the loss to the shareholders is fine

          many times employees of the corporation are forced to invest into it for their retirement plan

          Is this actually all that common? Apparently (according to various online sources of varying dubiousness) many 401(k) plans include an employer-stock option, and of course many firms offer ESPPs or similar. But those are options - employees are not forced to use them. How common is it for corporations, particularly large ones, to offer only investments in their own stock for retirement plans? Is that even legal?

          1. Just An Engineer

            Re: Passing the loss to the shareholders is fine

            It was legal until the Enron, WorldCom, Lucent fiascoes.

            The law was changed after all of the value of these companies was essentially zero'd out, by mismanagement and fraud.

            There was a time when 401K plans could be directed to company stock, and a second option was a guaranteed interest fund. Since there is no return on the GI fund, everything was "forced" into company stock.

            Now they are no longer allowed this option, but you can have, I believe, up to 15% of your 401K invested in company stock, but it is the employee's option, and cannot be decreed by the company.

          2. Anonymous Coward

            Re: Passing the loss to the shareholders is fine

            Companies that offer ESPPs often require holding the stock for a certain number of years before being fully vested, when purchased below market price. These programs would be less attractive at companies where the employees suspected management was playing fast and loose with the regulations.

            Thousands of employees at the big banks knew how poor their mortgage underwriting standards were, if they thought there was a chance of losing their stock they'd either not participate in ESPPs or sell them early and lose the vested part. Probably fewer would know about the Equifax breach, but the IT people would at least know how little attention they paid to security, and tell their friends in other parts of the company "sell your stock, it is a matter of time before disaster strikes!"

            1. doublelayer Silver badge

              Re: Passing the loss to the shareholders is fine

              There are a number of ways to force employees into investing in company stock. One easy method is to ensure that any stock they have is on a vesting schedule that makes it hard to sell. For example, while they can't force employee retirement contributions to be in company stock, they can offer a matching plan that is in company stock. This would be seen as a major benefit--it's essentially free money--but if the stock becomes zeroed, that benefit is retroactively erased. And if they really wanted to prevent this from happening, there are lots of ways to try to make sure employees get hurt in the scenario. Some of those might be later shown as illegal, but not before regulators get nervous that a company might have a way around it.

  9. Doctor Syntax Silver badge

    "This comprehensive settlement is a positive step for US consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company,"

    Of course it is. It establishes the price of the industry's raw materials as being quite low.

  10. Potemkine! Silver badge

    "In a just world, these executives would be going to jail"

    In a just World, Equifax would not exist.

  11. Cuddles Silver badge

    Offering a package?

    Why is this even a thing? If someone commits a crime, they don't get to decide what the appropriate punishment for themselves should be. Equifax shouldn't be in a position to propose anything, they should be told exactly what they have to do and then be forced to actually do it.

    1. ThatOne Silver badge
      Devil

      Re: Offering a package?

      > If someone commits a crime, they don't get to decide what the appropriate punishment for themselves should be.

      Welcome to the world of the wealthy and powerful. Laws don't apply to them, at least not directly, old boy networks take care of any problems which were accidentally revealed to the great unwashed:

      "I've got a couple hundred thousand set aside for employee bonus pay. What about you fine me that, and in return we promise to run an internal investigation to secure our systems. My daughter, the one who is studying modern dance, is looking for an internship."

      1. GnuTzu
        Mushroom

        Re: Offering a package? -- Another Too Big To Fail???

        This can't keep happening. People are going to get fed up--so, so, so fed up. Break out the torches and pitchforks.

        1. ThatOne Silver badge
          Devil

          Re: Offering a package? -- Another Too Big To Fail???

          Yes but well, people can take a lot of abuse. They usually don't get violent unless a problem is affecting them personally (like famine killing their children), and in our modern societies this doesn't happen very often.

          And then there is entertainment, taking your mind off things. French peasants wouldn't have beheaded their king if they had had television, and the October Revolution would probably have just been a vocal Facebook group...

  12. 0laf Silver badge
    Mushroom

    I'd be happier with jail time over compo

    Look it's a huge figure but per individual it's barely a coffee. Even 100x that fine doesn't really add up to a whole heap per individual and it'll probably end up in the pocket of some law firm anyway.

    Nope I'd much rather forgo any payout personally and see the executives do some time. That will make my information much more secure for much longer. A fine just becomes a part of the accounting process.

    If executives think their penny pinching might make them end up as 2yrs of fresh meat for a horny prisoner they might choose to protect my stuff a bit better.

  13. Anonymous Coward

    They have a history of poor security...

    In 1993 I was supporting their (Solbourne!) Unix server as part of an external supplier. Root password was 'Equifax' and it was connected to a modem for remote support.

  14. Lee D Silver badge

    I'll let you off.

    When you tell me how your core business is compatible with GDPR.

    1. Alister

      Sadly Lee, under the GDPR they have a right to collect data for the purposes of conducting their business. We may not like it, but credit reference agencies are a necessary evil.

      However Equifax should be sanctioned for failing to properly protect that data, and that was and is possible under previous data protection laws as well as GDPR.

      1. Doctor Syntax Silver badge

        The data they collect was passed to them by other firms who collected it for various other purposes. By the time Equifax have processed it and turned it into credit scores it must be legally dubious as to whether there's a chain of informed consent.

        I don't know if the term chain of informed consent is in use, but it seems a useful concept, rather like chain of continuity in handling court evidence.

      2. Lee D Silver badge

        Only with explicit (not implied) consent, for a reasonable period, only for that legitimate business function, never to be shared with anyone else without additional, optional and specific consent.

        Credit reference agencies literally are the only organisation apart from the government to have the last 20 years of my addresses, not to mention pushing that information to organisations that I may well not consent to, not to mention providing little to no reasonable method to correct errors, and also collecting far more information than is necessary for the purpose.

        They're gonna be the "big" test of GDPR as soon as all the early test cases build confidence to take them down. My own bank can't hold the information they do, for as long as they do, and I'm a paying customer of theirs - I never consent to Equifax holding or collating that information, seemingly into perpetuity.

  15. Mahhn

    Still a security fail

    Their website right now has an F rating due to shit security. They haven't learned a fricking thing, lock them up!

    https://www.ssllabs.com/ssltest/analyze.html?d=equifax.com

    1. JCitizen
      Flame

      Re: Still a security fail

      Totally agree!!

  16. rtharrison
    Joke

    Is there a betting pool on how long it takes for the database of claims to be pwned?

    1. Nunyabiznes

      Even Vegas isn't giving odds on that!

  17. Anonymous Coward

    Well, I for one am completely satisfied with Equifax's settlement - I mean it is the equivalent of what I get for one full week (almost) of my share of the great US tax cut bill of 2017, and reinforces my belief in the fundamental fair and equitable treatment that individuals receive under the legal system when compared to corporations and those that head them, and the sense that the lawyers involved earned every million of the dollars that they were paid to negotiate this most honorable and hurtful of punishments. It is nice to know that Equifax's credit rating will now go up because the uncertainty of this issue is resolved, and that they will be able to get lower interest rates on their corporate car loans and qualify for cheaper mortgages on their facilities.

    Please sir, may I have some more - porridge, punch in the face, feces smeared on me, whatever......

  18. elvisimprsntr

    Class action lawsuits only serve to line lawyers' pockets. Settling the case means it will not become a landmark liability case for similar corporate/executive negligence. Everyone wins, except the netizens most affected by the breach.

  19. williamsth

    Allowing a settlement cap like this, or bailing out a failing company just shouldn't be allowed, as they won't learn their lesson.

    Capitalism is designed to allow companies to fail and nothing should interfere with this process. Maybe then companies will think twice on things like how they handle your data.

Biting the hand that feeds IT © 1998–2021