Values, Facts and Actions in the Equifax Data Breach Settlement

This recent Slate piece on the Equifax data breach settlement and its followup piece offer a quick lesson in the way that values interact with facts to inform right action in business ethics. It demonstrates unintentionally that having the right values is only part of good moral reasoning.

In the linked piece, the author urges everyone to avoid claiming free credit monitoring from Equifax (one optional payout from the settlement) and to choose instead to claim $125 (another optional payout from the settlement) because it “driv[es] up the costs of data breaches for corporations so they have an incentive to invest more heavily in security” and “that, in the end, is the real goal.” So real is the goal of incentivizing greater investment in data security that, according to the author, you should “[c]onsider it a part of your civic duty” to seek the cash payout instead of the free credit monitoring.

Viewed solely from a values perspective, this seems reasonable: the more cash Equifax pays out to settlement claimants, the greater the incentive Equifax has in the future to be vigilant in the protection of consumers’ data. So, why might this not be a good guide to right action?

Note the unstated factual premise informing the author’s call to action: each $125 claim is another $125 out of the corporate coffers of Equifax—the more claims, the more it hurts Equifax (and thereby incentivizes greater data vigilance).

The problem is that this factual premise is false: the settlement establishes a pool of only $31 million (US) out of which to pay these $125 claims. That means, as a different and better informed blogpost notes, “[t]here would need to be no more than 248,000 approved claims out of the 147 million consumers affected — or less than one-fifth of one percent — for approved applicants to get the full $125. . . . If there are enough claims to empty that bucket, the amount each person gets will drop as the pool of money is distributed proportionally.”

In other words, beyond 248,000 claims, it is not the case that the more claims, the more it hurts Equifax (and thereby incentivizes greater data vigilance). Equifax will never pay out more than $31 million to victims of the data breach.

So, what does this mean for right action? It depends on the number of claims. As the author’s five-days-later follow up piece relays from the US Federal Trade Commission, “The public response to the settlement has been overwhelming. Millions of people have visited this site in just the first week . . . [E]ach person who takes the money option is going to get a very small amount. . . . The free credit monitoring provides a much better value, and everyone whose information was exposed can take advantage of it” (emphasis added).

How does having the correct factual background (cash settlement payouts come from a fixed pool) interact with the values expressed by the author to guide action? The answer seems to be that we get greater data security (“the real goal,” according to the author) if claimants opt for free credit monitoring, rather than a cash settlement—the opposite of what the author recommends.

The lesson should be clear: having the right values is of little use if you have the facts wrong. Doing ethics well requires being aware of the fine features of your terrain. Moral hot takes are a kind of ethical reasoning, but often a bad kind. >>>

LINK: You Have a Moral Obligation to Claim Your $125 From Equifax (by JOSEPHINE WOLFF for Slate)

Go claim your $125 from Equifax. Right now. Even if $125 isn’t a sum of money that matters to you, even if you don’t feel you were really directly affected by the breach. Even if the prospect of filling out a relatively brief online form fills you with more dread than the theft of all your personal data.

Consider it a part of your civic duty: driving up the costs of data breaches for corporations so they have an incentive to invest more heavily in security. The payouts to individuals are part of the $575 to $700 million settlement that Equifax reached with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 48 states. (Indiana and Massachusetts are still pursuing their own lawsuits against Equifax.)

What do you think?

Brought to you by: