Tuesday, 26 Nov 2024

Opinion | One Man Can Bring Equifax to Justice (and Get You Your Money)

On Dec. 19, District Judge Thomas Thrash of Atlanta will hold a final approval hearing for the Equifax 2017 data breach settlement. There’s a lot at stake. If the settlement is approved, the $31 million pool earmarked for claims will be paid out to some victims. Others will get free credit monitoring (because the cash reward set aside for victims was so small, if all 147 million people affected by the breach filed a claim, everyone would get just 21 cents).

There’s another option. As I wrote in a September column, victims could file a formal, legal objection, which would nullify the settlement. If Judge Thrash finds those objections convincing, Equifax’s class-action counsel wouldn’t receive their $77.5 million fee and Equifax would be liable again to face a substantial penalty for the breach. I’m happy to report quite a few people — maybe even a record number — did just that.

Over the past month Reuben Metcalfe, the founder of Class Action Inc., helped 911 individuals object (another 294 objected but did not provide signatures by the Nov. 19 deadline) by creating a chatbot tool that allowed victims to file objections automatically for the Equifax settlement at no cost (Class Action Inc. waived its 5 percent fee for Equifax). Theodore H. Frank, a lawyer who specializes in class-action suits, has jumped in the ring himself along with another victim, David Watkins. Frank’s objections, which are more formal and detailed than Metcalfe’s many automated ones, argue that the settlement is too broad and doesn’t take into account state-by-state protections for data breaches (in Utah, where Watkins lives, victims could claim damages up to $2,000).

Now it’s up to Judge Thrash to sift through the settlement and its objections and decide. Thanks to Metcalfe and Frank, he’s likely to be feeling some pressure. Back in September a class-action lawyer told me that even if only 1,000 people object, it can send a powerful message. Frank is hopeful the settlement will look weak on its own merits. “If the judge gives an honest look, he’ll realize it doesn’t meet muster,” he told me recently.

I’d argue there’s even more resting on Judge Thrash’s shoulders, including whether companies can get away with abusing our data in the future. Metcalfe, who has steeped himself in the world of class-action suits, suggested that the settlements, initially a method for accountability, have become a mechanism for companies to knowingly skirt liability for not protecting consumers. “It’s becoming cheaper to say sorry after the fact than to obey the law in the first place,” he told me.

This feels especially true in the world of data privacy, where breaches are so frequent that a discovery last week of an open database containing the personal information of 1.2 billion people hardly made news. We seem locked in a vicious cycle: Companies that gather and trade data have few checks or regulations. This allows them to collect more, which means more money. And deeper pockets make it harder to impose meaningful penalties that might deter repeat and future offenders (see: the Federal Trade Commission’s $5 billion slap on the wrist of Facebook). Judge Thrash, then, has a unique opportunity to make a statement by objecting.

And he’d have many good reasons to do so. First, the cash payout to the actual victims is paltry — less than 5 percent of the total amount set aside for the entire settlement. The small set of lawyers, supposedly representing the interests of the class, stand to make double the entire victim payout (this ratio is not uncommon in class-action settlements). Perhaps most galling, the free credit monitoring service that Equifax is doling out as part of the settlement will be provided by fellow data broker Experian, which suffered its own data breach in 2015 (approximately 15 million Social Security numbers and other personal information were exposed).

To recap: Equifax is avoiding accountability by offloading millions of its users’ data to another party with a shoddy history of data security practices, which will then profit from the services.

Should Judge Thrash decide to approve the settlement (and if subsequent appeals are lost), three things are likely to happen. The minimal compensation for the 147 million Americans who had their data exposed would be more evidence that their data has little value, and those who took the time to file claims may not file after the next big breach. For future settlement lawyers, the ruling would set a precedent, namely that there’s a big fee to be had offering consumers very little restitution (also a common critique of class-action settlements). For data brokers, the Equifax lesson would be stark: Failing to invest in information security is not an irresponsible business decision. (The company’s total settlement was $700 million; last year it posted $3.41 billion in revenue; after the settlement, Equifax’s stock was higher than it was at the time of the breach.)

It’s an exaggeration to suggest that the future of data privacy rests on the decision of one district court judge. But as Metcalfe argues, Judge Thrash “has agency where 147 million people have none.”

No pressure.

And you’re not powerless, either. Interested parties can write a letter to this address:

U.S. District Chief Judge Thomas Thrash Jr.

2188 Richard B. Russell Federal Building and United States Court House

75 Ted Turner Drive, SW

Atlanta, GA 30303-3309

Mike Bloomberg’s Troublesome Privacy Views

There’s a new candidate in the 2020 presidential race — former New York Mayor Mike Bloomberg. One piece of the new campaign’s merchandise was pinging around Twitter this week and caught my eye:

The phrase was supposedly coined by a pioneering management consultant, W. Edwards Deming. Apparently, it was also once fellow candidate Cory Booker’s “mantra.” But since it’s on Bloomberg’s swag, I was curious: What does a man who loves data supremacy so much he will put it on a T-shirt think of our current data privacy? I found an answer in a New York Daily News piece from 2013. The quotes are from the mayor’s former Friday morning radio program. According to the remarks, the erosion of privacy is inevitable.

He acknowledged privacy concerns, but said “you can’t keep the tides from coming in.”

“You wait, in five years, the technology is getting better, there will be cameras everyplace … whether you like it or not,” Bloomberg said.

It continues:

“The argument against using automation is just this craziness that ‘Oh, it’s Big Brother,’” Bloomberg said. “Get used to it!”

“It’s scary,” Bloomberg said. “But what’s the difference whether the drone is up in the air or on the building? I mean intellectually I have trouble making a distinction. And you know you’re going to have face recognition software. People are working on that.”

“We’re going to have more visibility and less privacy. I don’t see how you stop that. And it’s not a question of whether I think it’s good or bad. I just don’t see how you could stop that because we’re going to have them.”

Trust no one and bring data, indeed! We’ll be reaching out to the campaign to see whether these views have changed since the radio interview.

What I’m Reading:

You’re tracked everywhere you go online. Use this guide to fight back.

Your health data isn’t as safe as you think.

Facebook built a facial recognition app that let employees identify people by pointing a smartphone at them.
