Skip to main content
InsightCody J. CooperIntellectual Property

Q & A: Equifax data breach victims may file for restitution

By July 10th, 2023No Comments

Phillips Murrah Director Cody J. Cooper was featured in the Oklahoman newspaper in a Q&A feature on Wednesday, Aug. 21. 

By Cody J. Cooper 

Cody Cooper online photo

Phillips Murrah Director Cody Cooper

Equifax is a consumer credit reporting agency and, ironically, one of the products it publicly sells is individual credit monitoring. In 2017, Equifax disclosed one of the largest known data breaches in the United States affecting about 143 million people — close to half of the U.S. population. Equifax claimed that the breach was the result of their systems being hacked by thieves seeking to obtain information that is commonly referred to in the world of data privacy and cybersecurity as personally identifiable information (PII). The thieves were able to exploit a website application vulnerability to gain access to files that included customer names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Lawsuits were initiated by a number of entities, including the Federal Trade Commission, and a $700 million dollar settlement was recently reached, which included a total of $425 million to compensate individuals, $100 million in civil money penalty, as well as other relief.

Who is entitled to recover, how do you submit a claim and is $125 the amount I can recover?

Anyone whose information was included within the documents that were stolen is eligible to receive benefits. In order to submit a claim, an affected individual needs to go to and complete the requested information. While submitting your claim, there are two compensation options: (1) credit monitoring for 10 years or (2) a cash payment. The payment was estimated at $125, but that is likely to change because of the overwhelming number of people who have apparently opted in for the settlement payment. Apparently of the settlement amount, only a small portion — approximately $31 million — of the overall amount is earmarked for cash payments, which means that the more people who sign up for the cash payment could greatly decrease the amount paid to each person. In fact, the most recent stories suggest that the FTC is going to allow individuals who initially opted-in for cash payment to change their selection to credit monitoring because of the number of people who have already chosen the cash option and the small amount that would be paid to each.

What constitutes a data breach?

A data breach can be most easily described as the unauthorized access of information. The issues get nuanced from there. This is a particularly hot topic right now with the Equifax settlement and the most recent announcement that Capital One has suffered a data breach affecting about 106 million people or about a third of population.

How does the public find out about a data breach incident?

What we see in the news is for reportable breaches. Reportable breaches typically include PII. However, not all data breaches must be reported. In fact, most data breaches are likely never publicly disclosed. If PII is not involved, the organization that suffered the breach typically surveys the damage, addresses the breach, takes steps to mitigate the impact and moves along without ever telling anyone — except possibly industry regulators, if required, and their insurance company, if they are smart and have cybersecurity insurance.

What does the law say about organizations disclosing a data breach?

Importantly, there is no uniform “data breach” or “breach notification” federal law. Instead, these laws are formed by a hodgepodge of state laws (all 50 states have a breach notification law) and various other laws, including Gramm Leach Bliley Act, NAIC Insurance Data Security Model Law, New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies, and the National Credit Union Administration’s Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. Because of this, the standards applied from state to state and industry to industry can vary. For example, the definition of PII can be slightly different for each law. Some states include biometric data (fingerprint, facial scan, etc.) within PII, while others do not. Additionally, the deadlines for reporting a discovered breach can also vary widely. Significantly, some states and regulatory bodies have taken steps to increase the standards applied to protecting PII. As an example, New York has enacted laws that have very specific requirements a company must meet in order to be compliant.

How does data breach disclosure work in Oklahoma?

Generally, any person or entity that collects and stores PII is subject to Oklahoma’s data breach notification laws. If a breach of PII is discovered, that person or entity must comply with the various breach notifications in the applicable laws. In Oklahoma, notice is to be made as soon as practicable following discovery of the breach. Once notice is made to the affected individuals, there are requirements for what the breached entity must do, including reporting to specific law enforcement entities and providing credit monitoring for the affected individuals for a specific length of time. Again, these requirements can vary from state to state. Typically, the large data breaches ultimately result in litigation being filed by the affected individuals and/or specific related regulatory authorities, which is what led to the Equifax settlement.