In September 2017, Equifax revealed that there had been a massive hack of its internal systems, with the personal data, including dates of birth and credit card numbers, of 147 million Americans, Canadians and Brits compromised.
Some galling revelations emerged in the wake of this gigantic security failing that show how little this company values its customers.
Equifax stated that its security team became aware of the breach in July 2017. This is despite a researcher recognising flaws in Equifax servers and websites, back in December 2016, that meant the personally identifiable information of Americans could be accessed. The researcher told Motherboard that they immediately informed Equifax of the issue.
On top of that, in a display of miraculously fortuitous timing, four Equifax executives sold shares to the tune of $1.8 million just before the breach was announced. The company had also been lobbying to limit the legal liability of credit reference agencies as the scandal unfolded.
The compensation the company agreed to pay for this catalogue of mistakes, blunders, gaffes and egregious flaws in security was between $575 million and $700 million. Affected customers could choose between 10 years of free credit monitoring or up to $125. Just up to $125. That seems like a miserly, tight-fisted, penny-pinching number.
Had I been one of those customers, I would baulk at the idea of giving the company, whose lax and negligent security practices led to my sensitive data being leaked, access to that same sensitive data for another decade. However, the cash compensation may end up being mere pennies. This is because a great many claimants are opting for the cash, but the amount that can be distributed as compensation is capped at $31 million. It seems the $125 figure is only feasible if just under 250,000 people make a cash claim.
Ultimately, it sends the message that organisations can play fast and loose with customer data without fear of substantive repercussions. All they have to suffer is a dent in their reputation and a dip in market value.
On the other hand, little to no value is ascribed to the customer, as there is no concept of a duty of care to look after their sensitive data. The customer is given the impression that neither the company that they have bought a service from nor the regulators charged with keeping those companies in check are backing them. The offending companies need to be reprimanded with more than a slap on the wrist and five minutes in the naughty corner.
We as customers, and our data, are worth much more than a few dollars and cents. Regulators need to dish out punishments that are actual deterrents and open up avenues that allow us to walk away and take our business – and data – elsewhere when our data and trust are breached.