How Fighting Data Breaches Has Changed
The Capital One and Equifax hacks highlight the need for different consumer strategies
As more companies report the theft of customer data, the chances that your personal information will be stolen or fall into the wrong hands grow every day.
As a result, consumers need to change the way they protect themselves and how they respond to data breaches.
Freeze Your Accounts
One of the best things you can do to protect yourself is to freeze your credit. This is essentially locking down your credit so that no one can gain access to it. That prevents cybercrooks from opening a new account in your name, a brand of ID theft that's both hard to detect and especially harmful to the victim, according to Maureen Mahoney, a policy analyst with Consumer Reports.
A credit freeze has always been a good idea, but it also had drawbacks in terms of cost and convenience. Those two obstacles were eliminated in the last year or so in response to outrage from consumers and advocates like CR.
In the wake of the 2017 Equifax breach, changes to the Fair Credit Reporting Act required companies to make placing and lifting a credit freeze free and easier.
To place a credit freeze, you need to contact each of the three major credit bureaus: Equifax, Experian, and TransUnion, as well as the lesser-known Innovis. You'll also need to place a PIN or a password on your account, which will allow you to lift the freeze.
There are a number of activities—ranging from applying for a mortgage to an employment background check—that will require a temporary lift of the freeze.
"While a lift can often be done within hours, it's good advice to do it a day or two before someone will need to check your credit," Mahoney advises.
There's also a possibility that this process will get even easier in the future. Consumer Reports is backing legislation that would make freezing credit the default for all consumers—you'd have to contact the credit bureaus to open your account for credit checks.
CR is also in favor of changes that would require you to contact just one of the credit bureaus, which would then be responsible for enacting a freeze at the others.
Apply for an Equifax Payout
The FTC's settlement with Equifax has gotten a lot of attention in recent days, and not all of it good. The agency had initially explained to consumers that they could apply for a cash credit of up to $125 in lieu of free credit monitoring.
In the wake of a response that was "unexpected" and "overwhelming," the FTC explained that, because of a $31 million cap on the fund for these payouts, consumers "might end up getting far less than $125."
(With 147 million potential claimants, if each potential victim were to apply, the payout could be as little as 21 cents.)
The FTC is instead urging consumers to consider signing up for the free credit monitoring.
What should you do? Charity Lacey, vice president of communications for the Identity Theft Resource Center, suggests ignoring the FTC's change of heart and staying the course.
If you have credit monitoring from another source, like an employer or from a previous data breach, the additional monitoring from Equifax won't increase your security.
And in general, Consumer Reports warns consumers that relying too heavily on credit monitoring is outdated thinking.
"We question the effectiveness of credit monitoring because it only informs you after the fact," says CR's Mahoney.
And in the end, framing a check from Equifax for, say, $3.45 might actually feel like a moral victory.
Keep Track of Your Time
If the Equifax settlement showed anything, it's that record keeping is especially important for consumers who want to get reimbursed for out-of-pocket expenses or the time spent handling a data breach.
For all the attention being focused on the $125 reimbursement in the Equifax settlement, consumers can also claim up to $20,000 for losses, out-of-pocket expenses, and lost time . . . if they can document that harm.
For example, you can apply for reimbursement for the first 10 hours of your time at $25 an hour. However, you must describe the tasks on the claim form. Getting reimbursement for 10 additional hours, as well as for expenses or damage, will require receipts or other written documentation.
And though the funds for these reimbursements are also capped, the response rate is also likely to be far lower as well, so there's a good chance consumers will get an amount closer to what they asked for.
"Consumers need to make sure they’re documenting everything they're doing, " says Lacey of the Identity Theft Resource Center. "Then when the settlement comes around, they'll have the evidence they need."
She notes that the Identity Theft Resource Center's app has a feature that enables you to track the process easily.
Indeed, Lacey warns that the documentation requirements are likely to become stiffer in future cases, after the relatively low bar in the Equifax case prompted a surprising response.
So if you discover that you're a victim of the Capital One breach, make sure to begin accounting for your efforts from the moment you start investigating the breach to the time when your credit is finally fixed, right through to filling out the claim form after the settlement is reached several years from now.