669 comments

[ 4.0 ms ] story [ 330 ms ] thread
Not if everyone signs up for free credit monitoring as their settlement.
Gee, does that automatically settle the claim? I suppose it only would if there were some kind of agreement you make when you apply for the service.

I take some mild comfort knowing that > 90% of US adults likely have been impacted (wild guess at US folks who have ever applied for credit -- or it's probably a good amount smaller number if the scope is ever-requested-a-credit-report).

Not that it changes your point, but I'd put the percent impacted a lot lower than 90%. There's a large underclass of people who don't even have a bank account let alone a credit account of any type. A lot of poor people still basically live by cash and EBT-card.

I'd put it closer to 75% max.

Does it matter if you've applied for credit? They track everyone. The important thing to remember is that you are not and have never been a _customer_ of Equifax. You are their product. The banks, car dealerships, etc... that pay them for credit reports _about_ you are their customers.

You are their _product_. And, in my experience, they treat their product like shit when their product gets his identity stolen.

I'm not an Equifax customer and don't plan to become one by signing up for anything, so I haven't seen the terms, but I would fully expect to see some kind of indemnification in there.
You are a "customer" if you want it or not.
The super fucked up part is that it automatically signs you up for their "Credit protection" if you use their site to see if you were impacted. Doesn't ask if you'd like to, just says "Thanks for signing up, your year starts now!"
do the TOS require one to only go through mediation as a part of this, so by signing up you waive your right to sue?
Yes, the TOS does require arbitration (including for actions that occurred before signing the TOS), but it's not clear if it applies to just the child company that is providing the credit monitoring service or if it applies to the actions of the parent company, too.

I am not a lawyer.

https://trustedidpremier.com/static/terms

One thing I'm trying to wrestle with is why they would make you agree to arbitration for actions prior to signing TOS if indeed it applies only to the child company. Your relationship with the child company begins when you sign the TOS, no?
I'm curious as to wether any lawyers here can chime in on how well this TOS would hold up in court. I know when I went to check I was never shown the TOS or even a checkbox that needed to be checked to confirm that I agreed to the ToS with a link to them. It feels like the ToS are what comes with the ID protection service and were meant to apply only to lawsuits that might arise from using the ID protection service, but IANAL.
That should be ex-post-facto of the data breach (i.e. they leaked your data before you agreed to the TOS so you waive your rights to sue from that point forward). I'm not a lawyer and I wouldn't agree to this. I checked and I am affected. I'm going to sign up for LifeLock (because it's super expensive) and file a small claim to recoup the cost.

I really hope this puts Equifax out of business.

Actually, since I'm affected, I got a different message. It's even worse.

They gave me a date in September that I have to remember to come back and sign up for. It's the equivalent of grabbing a ticket in the deli line.

Look at this text: "Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process".

That's enraging. You tell me I'm affected and now I have to come back at some date/time and sign up? At least it has given me the time to read all the comments about waiving class action participation.

How can they justify that? This is 2017. It is stupid easy for them to send out reminders, once a day if need be.

At what point do we finally tell abusive companies like this that they're no longer allowed to be a company?

I got the same message, but nowhere did I read "you have been affected". Is this just implied?

I cancelled my Equifax credit watch account about 5 months ago, when they decided to raise rates.

Never have I hoped so much for a business to be sued out of existence. And hopefully their inside traders will get jail time (yeah, right).

It wasn't implied for me. I put in my SSID (6 digits) and last name. It then told me:

" Based on the information provided, we believe that your personal information may have been impacted by this incident."

It then had some button, I forgot what the button said. This led to the screen about "save the date" for protection.

I got the same message plus "Click the button below to continue your enrollment in TrustedID Premier." The button said "Enroll" so I stopped there.
When I entered my info I got a message saying they do not think I'd been affected by the hack. So if you get a different message, its probably safe to assume you're affected.
Same situation, same experience, same level of outrage. Sign me up for the class.
From my reading of ToS it also apparently waives your right to be a part of a class action lawsuit against Equifax...
> From my reading of ToS it also apparently waives your right to be a part of a class action lawsuit against Equifax...

IIRC, there wasn't even a clickthrough and they framed it as "find out if you're affected." How could that be enforceable?

You'll probably get nothing of note anyway from class action given the scale of this breach. If you are truly impacted in some way, you'll be better off in small claims (or a full suit if it devastates you enough.)
Even worse, you agree to arbitration in case of disputes waiving your rights to sue..not sure if even enforceable.

You can check if you're impacted then just not proceed to click "enroll" and be able to check without auto-enrolling and agreeing to their 1yr protection + arbitration agreement.

Nah it's OK, I'll just claim that someone got my SIN number and must have used it to access the site...wasn't me - I swear!

There is now plausible deniability for so many things.

(comment deleted)
I'm not excited about this class action; If they win, the individual payout will be almost nothing ($10?). The lawyers are the only ones who will really "make out" with 10's of millions in fees.

There is also a disproportionate effect in that a small portion of the 143 million affected will have a large impact, i.e., "identity theft" while most will be unaffected.

I think a fund setup to help those who are directly affected is a better idea. This could be done through government action where penalty proceeds are turned into a fund. In other worse, similar to the BP oil spill in the gulf where the fund helped those who lose income or suffered property damage.

I think a fund is a good idea, but how do you verify that the people claiming from the fund are the people who were affected? :)

Keeping my identity/online data safe just seems so hopeless that I don't think about it anymore.

IMO, the best outcome would be to put Equifax out of business. I have had my identity stolen and they were complicit in enabling the fraud against me. Once you tell them you're NPI has been compromised, they get incredibly passive aggressive against you and refuse to allow you to manage the situation (i.e. they won't let you unlock your credit to apply for a mortgage).

In short, this breach of public "trust" is only the smoking gun that proves how horrible Equifax is. But, they have a long history of being a parasitic organization that will hopefully die soon.

I'm not so sure about that, the data they have just gets resold to some other party when they go bankrupt, possibly many other parties and shit gets worse.
Is there any legal way to stop sales like that? If it were shown that Equifax were negligent in protecting the data on their systems, could a court demand that they remove all of the data to mitigate further harm?
There are already 3 main credit bureaus who have all of your data. It's not about the data it's about how unethical they are in preventing you from controlling the data.

Think about it: if every person in america put a freeze on their credit, all of these companies would go out of business because they would no longer have a product to sell. It gets even worse if you're a victim of identity theft because they cannot charge victims of identity theft to freeze or un-freeze a credit report.

> they won't let you unlock your credit to apply for a mortgage

So how do you recover from something like that? Are you basically prevented from using credit for the rest of your life?

There are legal limits to how long the data can be stored for. (I want to say it's a federal 7 year limit, but I might be wrong and it might be state laws). Eventually it all times out and your credit resets.
That's not the issue. They are required to immediately remove incorrect information from your credit report. A freeze prevents them from reporting your credit to third parties (i.e. it prevents them from doing business). So, they hate people who freeze their credit. Their strategy seems to be to make having a credit freeze so onerous that you won't do it so they can continue to sell your information to their customers.
(comment deleted)
For many years I could not get a new credit card, overdraft protection on a checking account or a mortgage. I finally was able to completely remove the freeze so that I could secure a mortgage.
C'mon we live in the real world here. What makes you think Equifax will be put out of business? I agree, the scumbags should be put down like a suffering animal but that will never happen.
I think this comment is missing the fact that Equifax will be financially punished as a result, possibly resulting in better systemic security overall.
I don't think this logically follows. More likely, Equifax will settle out of court for a much smaller sum. At that point there's now a literal dollar amount associated with a data breach. Perhaps some math will be done, proving out that there would need to be "N" number of breaches before the cost of settling out-of-court for the breaches would be more expensive then materially changing the way they manage data. And "N" number of breaches, that's just so unlikely.

At that point it would be fiscally irresponsible to properly secure this data. They would owe it to their shareholders to continue with their shoddy security and data management procedures.

I would guess they've already done this calculation. Similarly, due to externalities, the cost (to banks) of credit card and similar fraud is small compared to the expense of preventing it.
I don't really care where the money goes. I think that having one catastrophic event (huge lawsuits or fines leading to bankruptcy) for a corporate entity because of negligent security measures may lead other board rooms to move security measures up their priority list.
I don't think that would matter either. Executives will get golden parachutes and/or get jobs elsewhere doing same thing.

I think only solution is criminal charges/jail time against higher ups who prioritized profits over security.

Could lead to actual legislation which IMO is needed. If companies like this fail miserably to protect data it's a sign something bigger is needed and missing. It's like the how Aurthur Andersen represented how accounting firms should not act, and failed miserably.
yes a case of "Pour encourjay lays ortras." as the late Terry Prachet puts it
It may cause security to get tightened to prevent these types of incidents, but I doubt that it will improve security culture. Going forward, we would theoretically be protected from a breach of this type in other companies, but proper security is a continually moving target. New methods exploits are discovered all the time. That's what I'm worried about - are they going to be proactive in securely protecting information against future threats, or will they just check a few boxes to continue with business as usual?
> I'm not excited about this class action; If they win, the individual payout will be almost nothing ($10?). The lawyers are the only ones who will really "make out" with 10's of millions in fees.

Equifax needs to feel pain so they behave better in the future. Their executives need to be taught that they need to invest in security or it will affect their balance sheet. That will happen even if the payout to individuals is small, just as long as it costs Equifax a lot.

I mean, as long as Equifax is hammered with damages, I'm happy.
Don't disagree just some more thoughts.

The risk to the greatest number of people is the increase in interest rates if the lenders do not have the same level of trust in the credit reporting companies.

1% over 30 years is a lot.

Secondly, just taking preventative measures for say 10 years of credit monitoring, from not the company that leaked your data, would cost 15x12x10 $1800.

>In the complaint filed in Portland, Ore., federal court, users alleged Equifax was negligent in failing to protect consumer data, choosing to save money instead of spending on technical safeguards that could have stopped the attack.

Doesn't "users" imply that we had a choice in the matter? As if we're Equifax's customers? I feel more like we're victims in this case.

One thing I'm not sure about is how this breaks down as to people who paid Equifax or signed up for some service through them compared with people who involuntarily had their credit tracked through Equifax.
I was wondering about this too. Like, I never signed up for them, but apparently their site says I might have been affected. CreditKarma or other credit score companies apparently share user data to these agencies.

Their announcement says social security, addresses and names have been stolen, this is really worse, this data is enough to do ton of things.

CreditKarma doesn't give info to Equifax, it gets info from Equifax.

The credit agencies (of which equifax is one of 3) get their info from credit card companies and other financial institutions. If you've ever signed up for a credit card or gotten a mortgage or car loan the information from that transaction was sent to the credit reporting agencies. That's how they get data to make their determination of how credit worthy you are.

If you've ever opened a bank account or a line of credit you signed something to the effect that you agreed to let your institution share your data with these agencies.
That doesn't make you a user. It just means the bank gave them your info.
After you made the choice to allow them to.
The non-negotiable choice between allowing them to and being denied service entirely.
It doesn't seem crazy to me that if you ask for someone to loan you money they only do it under the condition that you agree to participate in a system that helps them track your creditworthiness.
It does make sense for lenders to cartelize and force each other to report the creditworthiness-affecting information about their borrowers to one another.

It doesn't make much sense for borrowers, though. But since, by definition, the lenders have the money and the borrowers do not, the borrowers have no real ability to negotiate when lenders get together and do things like that.

But borrowers can vote just as much as lenders can, which is why such behavior is governed by law. So let's not pretend that borrowers somehow agreed to this system in any way. It was forced upon them, and the best they could do about it is pass laws to ensure that lenders at least had to be accurate when reporting, and had to respond reasonably to disputes. Since lenders can lobby and vote, too, borrowers were not able to mandate that the lenders would have much in the way of legal liability when they inevitably get lazy, screw up, and cause real damages to real people.

The law isn't fair; it's just the best compromise that adversarial parties with differing amounts of money, power, and motivation could reach a threshold level of agreement on. It just so happens that a savvy and motivated borrower can completely whitewash their own credit reports for the cost of a few stamps, and maybe some small claims suits, while an ignorant borrower, or one who lacks the time and energy to ride herd on the CRAs, can get completely screwed. It's a numbers game, and the lenders and CRAs can make more money from the latter category than they lose from the former.

A choice made under duress of not having access to a bank account or credit (which makes someone a de-facto persona non grata in the modern world).

Monopolies aren't choices, and monopolies on essential services are coercive by definition.

Equifax isn't a monopoly. There are 3 major credit reporting agencies in stiff competition with each other. No doubt executives at TransUnion and Experian are cackling with glee at Equifax's stumble.
Agreed to it under compulsion. It isn't feasible to go without a banking account / credit union account. Modern society relies on these accounts. And all of these accounts have these reporting measures in their legalese. There is no option to not agree to it.
> Agreed to it under compulsion. It isn't feasible to go without a banking account / credit union account. Modern society relies on these accounts.

A) A credit account is not the same thing as a checking account or credit union account

B) Plenty of people, even in the US, operate without any of these things. It's not fun, but it's absolutely possible.

> Plenty of people, even in the US, operate without any of these things

After my company crashed, my wife divorced me and then I got cancer -- things were pretty grim on my credit-worthiness story. Net-net: I went without a bank-account for a few years and learned to live with pre-paid phones, money-orders, cashing checks at pawn-shops and pre-paid debit cards, and (for medical and other reasons - not able to drive. Good news: I saved on car insurance, gas and parking). All-in-all ... not a lot of fun (it's very expensive and time-consuming to be poor in America!).

But! As you say: it is do-able.

I had a problem signing up for a mobile phone contract a while ago. The mobile company eventually told me that Equifax were supplying them with (my) information which was slightly different from what I was saying about myself, so I called up Equifax. To "fix" things, Equifax wanted me to send a notarised copy of my passport to them (at my expense!)

Of course I told them to get lost and just used another mobile provider, but I learned from this episode that all of these consumer services companies share data both ways with these credit checking agencies.

Got an email from my Dad today:

"I checked myself, my wife, you and your brother. To the best of my knowledge none of us have Equifax accounts, but it says they probably got our address & driver's license for all four of us.

I don't want to waste money on LifeLock. What can I do? Just watch my accounts?"

Is Visa, MasterCard, etc. at least partially to blame here for picking a bad solution? My personal ties are not with Equifax, I have no direct means as a consumer to express dissatisfaction. Can I sue Visa? They are they ones (I presume anyway) who did the actual information collection from me, and then it was mishandled.

We need more tools for dealing with data breaches. Things aren't slowing down, and they aren't going to unless something big changes.

You should watch your accounts. I use Credit Karma and they will send you alerts and updates for various credit events (account opening/closing, paying off a balance, etc). It's free. Edit: They only monitor TransUnion and Equifax data; not Experian.

If you don't want to pay for LifeLock, which I agree is a bit steep, you can usually get an identity theft protection policy from most major insurances companies. The premiums vary, but are usually a fraction of LifeLock's fees. Just be sure you understand what's covered.

I use both of those and it costs me $25/yr total.

You can check the Fair Credit Reporting Act for more information about various parties' responsibilities in handling your credit information. However, I don't think you'd be able to sue lenders/creditors in this case. They are distinct from the credit reporting agency that seems to be at fault.

> I use Credit Karma

> They only monitor TransUnion and Equifax data

Where do you see that they monitor Equifax data? I only see TransUnion mentioned.

Visa and MasterCard don't issue credit cards, don't provide credit, don't have your personal information, and don't provide personal information to credit agencies. They are just the network that connects card issuing banks and merchant acquiring banks to process payments.

Your contract is with your card issuer, who provided your personal information to the credit agencies. But you probably agreed not to sue them as part of your agreement when you asked them to issue you a card.

This is why data protection laws are needed. Data about a person needs to belong to the person. This would prevent these large collections without consent.
Anyone have a good source for an unbiased (i.e. not trying to sell me something) "what exactly should I do" now? File for the class action? Freeze my accounts? Get identity protection?
How did you find out if you were affected?
Presumably (s)he holds a US credit card. The stats on this release are such that most adult Americans are more likely affected than not.
A buddy of mine sent me this reddit thread, I'm reading through it still and don't have much finance/credit knowledge, but it seems legit and unbiased to me so far:

https://www.reddit.com/r/personalfinance/comments/6yv4gb/off...

Would be interested in hearing other opinions on what's being said there, especially regarding using the www.equifaxsecurity2017.com site and legal rights.

I just finished filing a complaint with my state's attorney general's office. YMMV, though.
I'd love to see the $70B number pan out (though $500 per person is less than the damages, I think) -- Equifax is a $17B company, and would presumably stop existing if that happened.

On the other hand, these things always settle out of court, and Equifax certainly won't settle the suit for more than they're worth.

I said it elsewhere, but I think the right response is to opt out of the class, and sue for $1000 in small claims court. If ~15% of the class does this, they are out of business, and lawyers don't get a dime of the $1000.

Also, I'd love to see a new non-profit website that automated the paperwork.

Could we create a service that automates most of the work required to sue in SCC?
Why not? Wouldn't it be the same as the kid that automated fighting a speeding ticket or traffic infraction ticket?
Traffic tickets aren't generally resolved in SCC. Traffic tickets are very specific. As the actual attorney pointed out, if you make a generic "file a SCC claim here" app its resultant documents will be pretty quickly discarded as insufficient.

SCC is not hard, it's cheap, and it's designed to be easy to do and not require legal assistance to do so.

I'd pay $20 for a service that can walk me through what to do/say, templates legal forms, etc. I would absolutely take the time to sue Equifax in small claims court.
I would pay 20% of every penny that I win in the lawsuit
same here, heck I'd pay $99
I will also crowdfund taking down EQ.

Give me a service and I'm ready to pay.

Am an attorney.

You could create a system that'd help you file SCC complaints quickly, but to have it detailed enough to pass the defendant lawyer's complaints about the deficiencies in your documents would be difficult.

The size of that problem, however, decreases with the narrowness of the subject matter you want to cover/make claims about. If it were a 'Sue Equifax For The 2017 Data Breach' service, then it might work (the whole point about class actions being that they're similar - commonality, typicality etc - enough)

It's small claims we're talking about, the defendant will not have a lawyer, right?
If you sue a corporation, who do you expect to defend it? It will be an attorney.
I think the point of doing this in SCC is that the cost of defending against small-claims is usually greater than the cost of just settling the SCC. Lawyers aren't cheap, and folks going to SCC are banking on them being more expensive than their claim.
Actually, at least where I live the law is that it can not be an attorney.

It must be a regular staff member or manager.

I did not check how many states have a law like that.

I don't know about other states, but in California if you sue a corporation in small claims court, they can NOT send an attorney:

Corporation or other legal entity — A corporation or other legal entity (that is not a natural person) can be represented by a regular employee, an officer, or a director; a partnership can be represented by a partner or regular employee of the partnership. The representative may not be an attorney or person whose only job is to represent the party in small claims court. An attorney may appear to represent a law firms as long as that attorney is a general partner of the law firm or is an officer of the corporation. However, in both instances, all the other members of the partnership and all the other officers of the corporations have to be attorneys as well.[1]

[1] http://www.dca.ca.gov/publications/small_claims/basic_info.s...

So they find someone to send who isn't a lawyer but has a lot of experience in that area of law and is coached by a lawyer.
Apparently this is not uncommon even in normal court.

I sat on a jury in TX where a couple was suing an insurance company, and the insurance company wasn't represented by an attorney. It was really strange, because the first thing the gentleman does is stand up and spend 5 minutes explaining how he isn't an attorney but he regularly represents the insurance company for smaller claims (it was something like $20k IIRC). Then for the remainder of the next hour and a half or so he stumbled around with arguments against the couples slick lawyer. I guess the guy probably lost most of his cases (?) but its worth it to the insurance company to spend a few hundred bucks getting this guy to show up unprepared for an hour or two in the odd chance he could save them $20k every few dozen cases.

Perhaps it would be an officer of the corporation, named in one of the documents on file with the state's Secretary of State or department governing business records. If only the CEO is named, that is the person who has to appear.

I think states usually allow a regular employee of the corporation to appear, though.

Obviously, the small claims court procedures may vary according to jurisdiction, so you'll have to at least check your state's website before running down to the clerk with filings in hand.

Who do you think is going to represent the company?
yes in this case with the amount of people affected the idea would be to do a one-off website 'Sue Equifax For The 2017 Data Breach' each person would pay a fee $ and get a package they could use in their state to file the SCC complaint. Would this be possible? I think there's plenty of people willing to pay $100 in order to sue for $1,000 if it is even possible
If you already have to enter your name/ssn/dob/address 3x for the credit freezes a 4th time to generate the paperwork for a small claims case isn't much extra work
flightright and the likes come to mind
I saw your post about this in the other thread. If anyone wants to work together on this idea, my contact info is in my profile. If someone has a lawyer we can loop in (or is a lawyer), that would be ideal.
I am in the state of Kansas and will be filling out a small claims petition as well.
Can I actually do this? Cause if I can I'm totally doing this.
IANAL, but I think you'd find it virtually impossible to show $1000 of direct, material damages as a result of having your information leaked[0] and to the best of my knowledge this is the only sort of claim that small claims courts allow - I believe they do not allow punitive damages, nor theoretical ones.

0: Unless your info is actually used in a way that harms you, and you can prove that it was a result of this, but that seems unlikely to be true for the majority of affected people.

Many time the thiefs are actually caugh. If he she admits to stealing your data in this leak AND you are damaged, then here is your proof.
I think it's unlikely you'll actually be damaged. Any real financial impact would have been reversed by your bank. Maybe a fee or two that two parties argue about who should reimburse your for it, however I can't see stuff like that adding up to $1,000 (or even $100).
Well about 2 months ago (when the leak was happening apparently) I had false information showing up on my credit report for a Comcast debt.

The weird thing is the Comcast debt couldn't have actually been mine. As the date of the debt was smack dab in the middle of when I had service with Comcast before switching to ATT.

Now, during this period I tried to refinance my home and was denied due to a low score with Equifax. I pulled my EQ 2 weeks before trying to qualify and there was nothing. Then I found that after I was denied and pulled it again of course. I submitted a challenge on it, and it was removed within 2 weeks but the damage was already done.

So would this count as real damages?

You need to show a dollar amount that it cost you. If you can do that, you also need to show that had the leak never happened, you never would have had the issue in the first place.

Whether the debt "could have been yours" isn't relevant, what's relevant is how it showed up there. If someone fraudulently signed up for a Comcast account using your social, and they obtained your social via the leak, then yes the leak damaged you. You could go after the difference in your refinanced interest rate now v. what it would have been had you gotten it at the first request (are you paying 0.1% more because rates went up a week after your denial?) and possible the additional interest paid between the denial and the successful refinancing.

But if the Comcast account showed up on your report because someone fat fingered a social and there was no fraud, the leak didn't damage you at all and it was just bad luck.

You misunderstood how this affects SS #s holders. Its way more serious than just opening up a credit card and disputing it later on. In such situation the bank will reimburse you and close down fake account, but many banks will put negative information on your account just to warn other banks. You have to look at it from bank perspective, not your own. The bank can report: "okay we don't know how and when but someone opened account in client's name on his behalf so this clients has problems with his identity being stolen. Be warned".

Edit: not to mention the worse damage will be from fraudsters taking loans.

Does this "be warned" flag on someone actually damage them in any way?
Is it really so hard? Cost of a service like Equifax's own TrustedID or LifeLocks is over $100/year. Seems you could easily argue that you'd have to subscribe to said service for the next decade to guarantee your credit and identity aren't stolen?

(and I would think refusing to accept Equifax's "coupon" for TrustedID would be a similarly easy argument to make)

> to guarantee your credit and identity aren't stolen?

there's no right to not having your identity not stolen tho. By this logic, shouldn't you _always_ have the identity-theft prevention service paid for already, regardless of what happened to equifax?

I think you'd have to show _actual_ identity theft occurring with your name to claim damages.

No, now you need to sign up for identity-theft protection because Equifax handed all your info to the bad guys.

If it weren't for Equifax, anyone trying to use your identity would have a much harder time.

Why $1,000? And how would you prove damages equaling that amount?
You could prove how much it will cost to buy service that will protect your identity for a period of time.
> that will protect your identity for a period of time

For the rest of your life

$15/month for identify protection/tracking X 12 X 40 years.

You can't even dispute $15/month, since that's how much Equifax charges for their identity protection, so that must be how much it's worth since they caused these damages.

That makes it more like $7200 in damages, not including the cost of money over time, inflation, etc.

That exceeds the $$ limit for claims is many states.
For anyone reading this: I believe it’s a one time $10 per credit bureau to freeze your credit. Equifax would obviously like to charge you more if you’re willing. Do not sign up for Equifax’s service. It is a rip-off for a number of reasons.
I'm sure equifax would respond by offering you free credit monitoring for life (which costs them nothing to do)
Who said the hypothetical plaintiff was interested in _Equifax's_ credit monitoring services? They've already demonstrated they can't keep data safe.
future payments are usually discounted rather than inflated (IE money you have to pay now is more of a burden than money you have to pay in the future)
I said it elsewhere, but I think the right response is to opt out of the class, and sue for $1000 in small claims court.

There's usually no enforcement of penalties in small claims court.

Submit it to debt collectors and put it on Equifax's credit report
This. So much this.
send in the bailiffs to confisticate goods ideally the c level execs Porsche
And because their security will probably still be a joke after this is all over, someone can hack their database again to ensure they actually put the claim in there.
Then what's the point of it?
I don't know how many times you have been to Small Claims Courts but there are multiple ways to enforce penalties in Small Claims; a judgment from a judge, a till-tap, levy their wages, place a levy on their bank account, placing a sheriff in their area of business (for a fee) and will stay there until he's collected all the funds, submit to a collections agency etc.

Don't speak on something if you don't know what you're talking about.

levy their wages

Whose wages? If you win against Equifax, Equifax isn't getting a wage. Equifax is paying wages, but you didn't win a suit against its employees. You won against the corporation.

place a levy on their bank account

Seems like your best bet. However, this might be complicated, depending on how they've distributed their assets. Quick, can you tell me the name of the bank, the account number and the exact name on the account?

placing a sheriff in their area of business

Seems to me that Equifax might just keep draining your account through continued fees.

submit to a collections agency

I suspect this might be satisfying in its symbolism, but not necessarily effective against Equifax.

Don't speak on something if you don't know what you're talking about.

Seems like good advice.

> There's usually no enforcement of penalties in small claims court.

perpetuating this mindset that the average consumer is too weak to do anything to these corporations and individuals who hurt them through the court system is nonsense and needs to be avoided. From the article posted below (where my other comment is):

"Allen then reported to a local branch of the bank with sheriff’s deputies, who he instructed to remove cash from the tellers’ drawers, furniture, computers and other property. Approximately one hour later, the Naples News reports, the bank manager produced a check for $5,772.88 to satisfy Allen’s fees and additional costs."

You have a lot more power than you think against corporations and people through our court systems. even small claims courts.

The ideal way to recompensate $500 or $1000 dollars is to sign up everyone for credit/id theft protection, for say, 5 years.

I don't know where else they get their revenue from, but free credit protection will hurt them significantly in the long run.

I've heard that those credit monitoring plans are a joke, and provide very little value besides the simulation of "doing something."
They just tell you after the fact that a new credit line has been established. It's still on you as the consumer to go prove that it wasn't you and that you didn't open it...

And guess what, the same questions that they ask you to prove you are who you say you are, are the ones that have likely been stolen!

Lifelock themselves were subject of a data breach in 2015.
If they are out of business, they sell their assets which are office chairs, fax machines, and a giant database with information on everybody. Are you not worried about the sale of that data?
i think that cat's already out of the bag..?
(comment deleted)
In a situation like this, if they get bankrupted, the company continues to operate. The ownership is just transferred to the creditors.
Their business revolves around selling access to that database. So no, not worried about them selling data that they already sell. Very annoyed that they exist to collect & sell the data, of course.
Isn't the potential impact from selling access to the data versus selling the data different?
This class action will likely be settled in the same way the Ticketmaster case was settled ... with a coupon book good for 2 free credit reports.
Is that what the lawyers received for taking the Ticketmaster case?
Probably for good reason. $500 per class member is an insanely high damages estimate. 99.9% of people will suffer zero damages because their identities will not be stolen. Even the ones who do have their identities stolen will likely be made whole by the credit card companies.

The real damages here are going to be to the banks and credit card companies that will have to absorb the costs of all the fraud.

As to the Ticket Master case, you can read the complaint yourself and see if $5 or so per class member settlement value was reasonable: http://www.ticketfeelitigation.com/docs/Fourth_Amended_Compl.... The theory was that TicketMaster didn't disclose that it was marking up fees for things like UPS delivery and order processing, and that if customers had known they wouldn't have ordered the tickets. That's a weak damages theory, because customers don't care about line items they care about the bottom line. Either they'll pay $X for the tickets or they won't. Unsurprisingly, that weak damages theory lead to a small per-class-member settlement.

All of the identities have been stolen. It’s a matter of whether they’re used at this point.
True, but in the US you can not really sue for possible harms. You can only sue for actual harms which can be remedied by the court. Leaking your information isn't a harm the court can remedy. Abuse of the leaked information is a harm the court can remedy.
I don’t think that’s a generally accepted legal standard. It seems similar to saying that Edward Snowden and Chelsea Manning only released information, which the courts can’t remedy. If anything bad should happen due to that leak, then the courts can remedy that in the case of the people who committed those acts.

The government is clearly of the opinion that they can and should prosecute people for leaking information which could cause possible harms.

I’m clearly not a lawyer, but these scenarios seem pretty similar to my untrained eye.

The difference is that their intentional leaking of classified information as people with a security clearance is letter of the law illegal. The difference seems huge and obvious to my untrained eye.
To add to this, their acts were intentional. Yes, you're very right that they were very much illegal acts. However, it needn't be intentionally spilled classified information in order to be illegal. Under certain circumstances, even accidental 'spillage' is a felony. Negligent 'spillage' is also very much a felony.

I've been through quite a bit of training and held my clearance for years. I was a victim of the OPM hack. Well, I guess I still am a victim. Mens rea doesn't really apply when handling classified material/data. If it is accidental AND you report it properly, it's not jail - you are so losing your job, however. You also lose your clearance. It has been a while, but I'm pretty sure you lose it forever.

The State prosecuting someone for a crime is not the same thing as a private individual suing another individual for a tort. Basically everything is different: different rules of procedure, different rules of evidence, different standard of proof required, etc. etc.
(comment deleted)
Fair point. I would argue that Equifax has breached one of the terms of the Fair Credit Reporting Act, and possibly other privacy regulations.
(comment deleted)
> Even the ones who do have their identities stolen will likely be made whole by the credit card companies.

Are credit card companies now in the habit of reimbursing consumers for the considerable time and headache required to sort out fraudulent charges caused by insecure data storage practices in the credit reporting agencies that the credit card companies contract with?

There are numerous reports of identity fraud causing a significant amount of trouble for the consumers involved, and as far as I know, not a one of them has ever received a letter beginning, "We're sorry for the time and trouble you went through to clear this up", with an attached check.

> Are credit card companies now in the habit of reimbursing consumers for the considerable time and headache required to sort out fraudulent charges caused by insecure data storage practices in the credit reporting agencies that the credit card companies contract with?

It's not a "habit", it's the law. It doesn't matter how the fraudulent charges came to be. If a person disputes a charge and has evidence to show it's fraudulent, then by law the credit card company has to investigate, and deal with it.

It also makes business sense. CC companies make a ton of money with legal transactions, and an anti-consumer, pro-fraud reputation would cost them customers.

> There are numerous reports of identity fraud causing a significant amount of trouble for the consumers involved, and as far as I know, not a one of them has ever received a letter beginning, "We're sorry for the time and trouble you went through to clear this up", with an attached check.

Why would the bank or credit card company send a check? Presumably they're not the one who committed the crime, so why should they cover the damages?

I've had my identity stolen, and it was a PITA to clear up, but the bank and credit companies were reasonable about it, IMO. In a case like this, where it's easy to point at the Equifax breach and say, "See? This is how they got my info.", it's probably even easier to clear up, though I'm sure it's still a hassle.

> It's not a "habit", it's the law. It doesn't matter how the fraudulent charges came to be. If a person disputes a charge and has evidence to prove they didn't make it, then by law the credit card company has to investigate, and deal with it.

But the time it takes on the phone to talk to an agent, review your records for legit vs illegit charges, etc. are not reimbursed, which is what they were on about.

> Why would the bank or credit card company send a check?

I think we're talking Target writing the check. Which they didn't exactly volunteer to do, but was covered in the class action at least: https://targetbreachsettlement.com/mainpage/CommonlyAskedQue...

Time. I'm pretty old, retired, and have a few bucks. Time is my most precious commodity, and I prefer to give it to those who deserve it.

I'm not sure how much I'd want someone to pay me for an hour of my time. Clearing up identity theft can take many hours. Those are hours I can spend bugging the missus, or even bugging you folks.

I am clearly not to blame for their data exfiltration. Who is going to pay me for my time? What is my time worth to them?

This is all theoretical. My credit has been frozen for a long time. It has been that way since the OPM hack. However, for the sake of expression, I point out that my time is pretty valuable to me. Those who steal my time are worse than those who would steal my property. I can insure my property, I can not replace my time.

This has been hitting me hard lately. I'm pretty young at the tail end of my 20s, job is finally stable enough not to worry about money, and have really started to realize how few free hours I can find in a week. Work and its on call rotation, obligations to the girlfriend and social circles, maintenance on the house and cars, bills that don't have an auto pay option.

Last month my auto registration sticker didn't show up in the mail after renewing it. A trip to the county clerk, then the sheriff's office to file a report, then back to the clerk to get another sticker took almost two hours. Stopping by the local bank to change my address after the online system locked my account for two incorrect password attempts took 90 minutes. 6 phone calls after a cancelled auto insurance policy made an auto draft the next month. My coworker has a pile of kids, two with medical issues, it seems like his wife has a part time job dealing with medical billing issues.

Most of these rambling examples aren't the fault of the organizing institution (unlike the Equifax leak at hand), but in the end individuals are bound by those institutions' organizational practices in their pursuit of normalcy. I don't know how it could be implemented or enforced, but at a certain point it feels like individuals should be compensated for suffering organizational incompetence or negligence.

I got lucky and sold my business when I was just 49. However, I worked a minimum of 60 hours per week, for years.

Which gets me to my response:

Cherish that time. I don't care about longevity, I care about maximum value. I may be content to die today, but I'm not content wasting time on something that is forced on me.

I don't regret much, but I do regret my time that was wasted by others. As I look back, I see do many situations where I could have disallowed that while still getting the same eventual outcome.

They do it on purpose and have no intention of fixing their administrative inefficiencies. They know most people don't have the patience for this crap so that discourages people from creating a hassle for them with problem/things that they have to do.

For instance, in a past life I may call up to question a charge on my cable bill. Now that I have more money, I don't waste my time on such nonsense. If the cable company wants to charge me an extra $20 for no reason, they can do so, because it's not worth my time to call them up and get shuffled between departments for 2 hours.

Last time a cable company charged me wrongfully (I wasn't even their customer anymore), I called my bank and had them reverse the charge, as well as block any future ones. Took me like 5 minutes. Now the only time investment I have is throwing their monthly threat letter in the trash about how they will cut my internet access if I don't pay up.
What headache? Get with Capital One, Chase, Citi, or one of the other big names. They are very professional about replacement cards and zero hassle.
Replacement credit cards are not the issue. Whoever has this data has the complete dataset to open new credit cards in your name, buy a car in your name, get plastic surgery in your name, etc.

The hassle will be convincing all those companies that you do not in fact owe them thousands, and there is no automatic protections for these types of harms.

Even worse, is if you don't immediately notice a new account on your credit report, that then goes to collections. -_- 10 years later and I still get threatening calls from the shadiest of shady "collection agencies"
Do you know if there's any way to "notice" these new accounts without having to freeze your credit or otherwise mess with the normal process for getting new credit? I just want a notification, nothing else.
Credit Karma seems to do that OK. Their score is wildly different from their supposed source though.
Oh yeah I don't need the scores, I just want notifications for new accounts. Cool, thanks! I'll check it out.
must be terrifying. sorry about that. but free money is free money.
> 99.9% of people will suffer zero damages because their identities will not be stolen. Even the ones who do have their identities stolen will likely be made whole by the credit card companies.

The extent of the potential damages here isn't limited to credit card fraud. Having your SSN leaked along with your name, date of birth, every recent address you've had, etc. opens you up to a lot of other attack vectors.

Furthermore, credit reports can often inadvertently contain information that relates to one's medical history - you can request that this information be obscured or sealed in your report if you find it, but that means that certain medical information is also within the scope of the potential leak.

A bank 'absorbing' a cost surely means passing on that cost to consumers in some way.
> Even the ones who do have their identities stolen will likely be made whole by the credit card companies.

No one will be paid for their time wasted over ID theft resulting from this breach. That's what "made whole" would mean to me.

"Even the ones who do have their identities stolen will likely be made whole by the credit card companies."

Fraudulent charges on a credit card are the least of my concerns. This opens us up to a lifetime of identity theft and insecure accounts of every sort. I'm not even sure how they can approach remedying the problem. Coordinate with the SSA to get 150 million people new SSNs at the least.

Why would people need new SSNs? It was the credit industry that misused them as combination of unique identifier and authenticator, and that is not the SSA's responsibility to fix. The government even tried to curb misuse of the SSN, but it was not binding on private entities, and they just ignored it.

The solution, whatever it is, does not include anyone continuing to pretend that the SSN is now or has ever been suitable for any purposes other than for tracking government benefits managed by the SSA, and possibly also for tax filings with the IRS.

You're absolutely correct. We should move to a well designed identity system. However I'd SWAG the development and deployment of such a system around 10-15 years if all of the involved parties were on-board. Equifax could provide the SSA a pile of money and the victims could have a reasonably effective defense against identity theft within months.
wouldn't it be simpler to make ssn number last only five years? it's a partial workaround, but would immediately help by reducing the attack opportunity time massively, along with making it standard to have variable ssn thorough the system and making it easier for people to just renew their after breaches like this, since the current bar for obtaining a new one is quite high
> other than for tracking government benefits managed by the SSA, and possibly also for tax filings with the IRS

... and all of the other government benefits, programs, or mandated activities, many (all?) of which demand your SSN. Are you even sure that the credit industry, i.e. banks, originally misused SSNs? I wouldn't be surprised if they were required, by the government, to use them, precisely because it is the closest thing to an official "unique identifier".

Some people also might be concerned with not receiving their SS benefits either, which isn't entirely far-fetched given that others might now be using it for nefarious purposes (like trying to collect their SS benefits).

> I wouldn't be surprised if they were required, by the government, to use them, precisely because it is the closest thing to an official "unique identifier".

I read something somewhere else (maybe on a different HN thread, maybe here?) that this was changed in 2000 for something called "red flag laws", IIRC.

So yeah - it is required.

This is really the concern. With this level of detail, someone can open any kind of new account - not just credit card - dig into everyone's lives (or political opponents on social media for doxxing). And the threat remains in perpetuity.

There is mo way to even estimate the damage as some devious ways of it harming us may not even exist yet.

> There is mo way to even estimate the damage as some devious ways of it harming us may not even exist yet.

Scifi story idea:

Far future. Life extension possible. The government will provide it free (if you want it) - one time only though - when you are near the end of your first life. Upon extension, this technology also turns the clock back to renew you to 20 years old.

You're 78 years old, frail, ready to kick it, but decide to do the extension. You go into the clinic. Give them your information, etc.

Bzzt.

We're sorry, you've already been rejuvenated before. We can't help you, unless you want to pay $$$$$$ for us to go ahead with the procedure.

lolwhut

yep.

honestly this is only really an issue because organizations are using SSN as authentication and not just as identification, caused probably by the lack of a federal id scheme, compound by the inability to easily change the SSN itself as you would with an id document (which is why here ids are relatively short lived and we can get away with ssn equivalents that are for life)
Bingo. In sweden as example our birth date plus 4 unique digits is your nation wide id/ssn. So obviously your ssn is not exactly a secret and instead you also have to proove that you are you with a photo id or online 2FA id.

There's no such thing as loosing your ssn because it is already public.

Do you think that the FCRA punitive damages ($100-$1000 per person) might apply here?
Unlikely since it doesn't appear credit report-related data was leaked, only PII.
The leaked PII makes it trivially easy to obtain the credit report data
There was a class action suit because a company was marking up the cost of the goods / services they were selling? Isn't this just called business?
Most businesses include their markup in their displayed price. Ticket Master was displaying one price and then sneaking in an extra fee later in the process.
$500 may be high, but $100 would be more reasonable even for those that didn't have their identity stolen, I've already spent an hour researching the hack to figure out what to look for and whether or not I was included in the set of stolen identities.
If there are 140 million members then any settlement will be individually quite modest (Equifax has annual income of ~600 million dollars, so multiple years of all of it to get to even $10).

It does seem like any penalty for something like this should severely impact the ability of the company to operate though.

I suppose a $0 way to penalize them severely would be to force Equifax to allow individuals to opt out of having Equifax store information about them. Lots of people would do so without understanding that it might impact their ability to get a loan, but so what.

But that would also make Equifax's product not that appealing to the companies that would purchase it. So organisations would have to use one of the other agencies as well.
> The real damages here are going to be to the banks and credit card companies that will have to absorb the costs of all the fraud.

This is not true at all. They simply reverse the charges. Businesses who accepted the fraudulent transaction(s) are on the hook for it. Anyone who runs a business and handles credit card processing can confirm this.

One scenario would be SSN being massively used by pirates, so companies would stop trusting SSN altogether. Let's hope a startup creates a "proof of identity" service with a photo ID with a chip, a code, and an online certificate for tax purpose.
ah lovely "papers please citizen" and what happen when friend computer with all this proof of identity gets hacked.

Maybe the USA needs everyone to have a new ssn and ban with very strict penalties is use by any one other than the state and then only for highly restricted usages as it is in the UK

True only if the papers are issued by government. A private or non-profit scheme, if hacked, could be abandoned within hours and replaced. To post this comment i had to present some virtual ID to a private organization.
Considering that Social Security numbers are not secure, and were never intended to be secure, I favor this approach. Unless you’re the federal government, you shouldn’t know or care about my social security number. Idiots are always going to think SSNs are a good UUID, and I’m always in favor of punishing idiots.
almost 20 years ago when working for british telecom we where read the riot act an where told any non permitted use on NI numbers would be considered gross misconduct and you would be sacked on the spot.
> ah lovely "papers please citizen" and what happen when friend computer with all this proof of identity gets hacked.

While it doesn't solve the "papers please" aspect:

1. Card holds biometric data of person, plus PIN. Card is the only thing that holds this.

2. All card does is output "yes or no" if you are you.

3. You have or use a reader for authenticating who you are. The reader takes you biometric data (fingerprint scan, face scan, or something else), and has you enter your pin. It takes this info, hashes it, compares to the stored info, and outputs the "yes" or "no" answer.

Very basic thing here. 3-factor, and the data about you is never stored anywhere, and the card/reader combo does the rest. The data about you never leaves the card (in fact, it can't - it would be write only for that data).

We have all the technology to do this today. What we don't have is the will. So it won't be implemented.

I'm not saying the above is perfect - but it is 3-factor (what you are, what you have, what you know), and that is what is needed most. The information stays with the owner on the card. All transactions can only be done with the card on-hand to prove you are you. You can change the PIN at will, maybe even the biometric data - but both are write-only, and can't leave the card. The card can read in data (an image for the biometric data, and the code for the PIN), but all it does is hash that together, compare it to the stored hash, and output a yes/no.

I'm not saying the above is perfect, and I am sure I have forgotten something. But it - or something like it - is what we ultimately need. But we won't get it. Ever.

(comment deleted)
If the card outputs "yes" or "no" you are creating new security incidents just waiting to happen - proxying, oracular attacks, faux cards that respond improperly to the binary question, etc. This means that your system is actually two factor, a pin and biometrics. A pin is extremely weak, and for sure biometrics need to be designed and implemented properly.

Also, notice the other subtle dependency that was introduced with the PIN only kept on the card - the PIN might as well not exist.

This is all known. The issue isn't how to design a security system. The issue is the fly by the seat of the pants lack of security with deadline driven products. Those products only appear to implement a feature set and really don't work, just appearing to work in order to achieve the release exit criteria of a minimum viable product. This gets compounded by products hardly ever revisiting their earlier phases, choosing in this case to add new web features instead of hiring a security team.

Where are the blockchain proponents? Oh, right, this kind of thing isn't a pyramid scheme. It would be a lot of grunt work and wouldn't be worth a VC investment.
I can hear it coming now... A VC backed military contrator is right now creating MilChain and DarpaCoins.
And after some time it'll become apparent it was a CIA front, and ultimately only achieved to fund the latest insurgency in $PLACE
It isn't paranoia if one is right. Sadly, we are both right.
To be fair, class action suits aren't really about recovering damages for the class members. Or at least, not entirely. That's almost incidental. Rather, they're most often about leveraging a large class of injured parties--whose injuries are usually relatively minor on an individual basis--to force a change of behavior by adding up all of those small injuries.

The cost of pursuing each claim individually would usually be sufficiently high as to make pursuing a claim unviable. The behavior would remain uncorrected, and the injured parties would receive neither compensation nor the knowledge that the behavior has been altered or eliminated. Nobody wins in that situation.

And while it's almost inevitable that discussions about class action suits will involve complaints about the lawyers fees, that's not really fair. Mass tort litigation is complex and involves significant investments of time and resources on the part of the attorneys involved. Especially if they actually make it to trial. It might seem unfair at first glance, but it enables the class to access the legal system and justice where it otherwise would not. They may be imperfect, but they're a hell of a lot better than the alternative and have had a profound positive impact on our society.

Exactly. It's hard to measure the value of class actions without knowing how the behavior of companies would change without them. I expect we'll see that natural experiment play out now that arbitration clauses are commonplace.
>And while it's almost inevitable that discussions about class action suits will involve complaints about the lawyers fees, that's not really fair.

Of course it's fair. It's not like the members of the class get to shop around for cheaper lawyers. The class gets shit either way, they just have to decide if they hate the company more than the lawyers that charge the obscene percentages. And you can't make any kind of cost argument because a billion dollar case isn't anymore complex than a million dollar case. The whole point of it being a class is that it impacted everyone the same so the dollar figures don't change the complexity.

Attorneys' fees in a class action have to be approved by the court, and for large class actions the percentage fee tends to be lower than what a privately-retained lawyer would receive. The privately-retained lawyers in NTP's lawsuit against Blackberry got an approximately 1/3 payout of a $600 million settlement. 20-33% is quite typical in a pure contingency situation. Most court-approved fee awards in class actions that large ($100m+) tend to be a lot lower than that, in the 10-20% range. Courts usually will demand that attorneys submit their billing records (or summaries thereof) along with their fee petitions, and will regularly cut down any fee requests that exceed a certain multiple of what the attorneys invested in the case.

This case is typical: https://www.paymentcardsettlement.com/Content/Documents/Orde.... $5.7 billion settlement, about $500 million in attorneys' fees, or less than 10% of the fund. $160 million worth of time invested by the attorneys to get to that point.

> And you can't make any kind of cost argument because a billion dollar case isn't anymore complex than a million dollar case.

That's not true at all. Big dollar value cases involve either large harms to relatively fewer people, or relatively small harms to large numbers of people. The former kind of case often involves complex subject matter, such as financial transactions, medicines, etc. The latter kind of case often involves a very diverse class and complex issues of causation and damages. Consider the TicketMaster lawsuit: the basic theory of damages is that class members would not have purchased the tickets had they known that TicketMaster was marking up things like UPS charges. Well, clearly lots of class members would have purchased the tickets anyway. Coming up with a realistic damages model in that scenario is difficult. Furthermore, in big consumer class actions like that you've got class members in fifty states with fifty different sets of laws.

Is it weird to also observe that the opposition in a billion dollar case will be significantly more expensive to overcome than in a million dollar case? It seems obvious to me that billion-dollar cases would be more expensive to pursue.
Definitely. E.g. for a $1 million case, the defense likely won't even hire an expert. For a $1 billion case, you'll be responding to thousands of pages of expert reports prepared by half a dozen PhDs in various specialties (and deposing them, fighting over the admissibility of their opinions and the reliability of their methods, etc.). Not to mention that you'll get buried in discovery, etc.
>Attorneys' fees in a class action have to be approved by the court, and for large class actions the percentage fee tends to be lower than what a privately-retained lawyer would receive.

>$5.7 billion settlement, about $500 million in attorneys' fees, or less than 10% of the fund. $160 million worth of time invested by the attorneys to get to that point.

How often to private retained attorneys get $320 million in pure profit. Additionally the 'time invested' already has income for all of the involved lawyers.

This is contingency work. The winning cases have to pay for the losing cases. When they lose, the lawyers invest $160MM worth of very real payroll and consulting fees and get nothing.
Still, class attorneis will settle faster and for less. That often drives total comp and remedies a order of magnitude more than fees percents, like in the recent antipoaching litigation.
To be fair, class action suits aren't really about recovering damages for the class members. Or at least, not entirely.

That was exactly what they were supposed to be about. The way it usually works out, however, is that the lawyers don't really negotiate on the same side of the table as the class and the class members end up with very little. The lawyers, however, get their fees.

That's why everybody gets pissed about it.

There are other legal remedies to force a change of behavior. If the lawyer wants to use my name (as a class member) for leverage in the suit, he or she should be representing me. The class action is something that is supposed to be for the class members' advantage- working as a group for legal remedy. The tradeoff is you don't get as much legal remedy as you may have had you footed the entire bill and risk of a lawsuit yourself. But some of the negotiated remedies are, indeed, a joke.

> If the lawyer wants to use my name (as a class member) for leverage in the suit, he or she should be representing me

If you're paying them they're representing you. If they spend a single client's or their own time building a case, they're not representing you. They are representing your class. If you want to be represented, opt out and hire a lawyer.

>That was exactly what they were supposed to be about.

No, they really aren't, because as the parent says class actions are appropriate where the harm to each individual class member is small, but the small harm is spread out to many people. You as an individual were not harmed much, so you as an individual would not collect much even if you went it alone and recovered 100%. Litigation doesn't (generally) yield more than the harm you suffered.

Besides, if you want a lawyer to represent your interests alone, then you are free to not join the class and pursue your own individual case with the lawyer(s) of your choosing.

>pursue your own individual case with the lawyer(s) of your choosing

Fewer people than most realize are actually able to do this. Good lawyers don't generally take contingency cases, and if the case is even remotely involved, fees quickly reach to six figures.

Perhaps worse is the stress. Once initiated, you have virtually no control over the process, and it can take over your life. The motions and counter-motions, delays and hearings will wear you down. If the adversary is much better-funded, then they can make it nearly unbearable.

The legal system is not what most people imagine, especially those who flippantly threaten to sue. You have to go through an action (or be close to someone who is) to really get that. Engaging is stressful and costly and, unless you're a combative type with deep pockets who just loves to fight, you'll likely feel like you lost, no matter the outcome.

This, as much as anything, is why class actions are so prevalent.

Believe it or not, they really are supposed to be about this. Here's a writeup [1] speaking about the Supreme Court's ruling on the matter:

"Purpose? According to the U.S. Supreme Court, the “principal purpose” of class actions is “the efficiency and economy of litigation.” [4]The Court has also noted other justifications for class actions, including:

    the protection of the defendant from inconsistent obligations;
    the protection of the interests of absentees;
    the provision of a convenient and economical means of disposing of similar lawsuits; and
    the facilitation of the spreading of litigation costs among numerous litigants with similar claims.[5]

In other words, people whose claims might be too insignificant to litigate alone can band together. The class action device can eliminate redundancy in the judicial system, streamline litigation, and in some cases, create significant institutional change. "

[1] https://apps.americanbar.org/litigation/litigationnews/pract...

> That was exactly what they were supposed to be about. The way it usually works out, however, is that the lawyers don't really negotiate on the same side of the table as the class and the class members end up with very little. The lawyers, however, get their fees.

The lawyers are getting their fees to pay for the service of causing class-action suits to happen. Even if the remedies for a class member are a joke, the amount the company pays is, supposedly, not a joke (and yes, a good amount of that is probably paying those lawyers), and that's supposed to be a deterrent for other companies who are thinking of making the same mistakes.

Whether this works out in practice is debatable, but the current system is coherent in theory.

> They may be imperfect, but they're a hell of a lot better than the alternative and have had a profound positive impact on our society.

No, it isn't better than the alternative. The alternative is to have regulators selected and overseen by elected officials regulate the behavior of companies. We instead of a system of regulation by self appointed ad hoc lawyer-regulators negotiating settlements they think will get past the judge overseeing their case and allow them to collect a fee.

The latter is perhaps better than nothing, but it isn't better than the alternative which happens to be in place in the rest of the developed world.

Regulators selected and overseen by elected officials aren't a foolproof solution either. Sometimes you end up with Scott Pruitt [1] running the EPA, whose objectives are apparently a) denying that climate change exists, and b) dismantling any environmental protections that businesses find inconvenient.

The self-appointed lawyer regulators at least have an incentive to do their jobs: they get a bunch of money.

[1] https://en.wikipedia.org/wiki/Scott_Pruitt

He didn't say foolproof; he said better.
That was his point. Pruitt is not better.
Yes because regulation is working out really well

That is why I have plenty of competition for Internet Access and Net Neutrality is vigorously enforced

That is why the FTC routinely issues fines for False Advertisers for all the false claims that are made daily in ads

That is why there are plenty of bankers in jail for crashing the economy in 2007,

Government regulation is grand

So vote for people who actually want to competently regulate, and work to encourage others to do the same.

Paraphrasing, we are currently getting the regulation we deserve - good and hard.

If you believe democracy is for people. Then you are mistaken. Democracy simply means more than one entity fighting for power. Usually both of them have their own agendas and only give a shit when it’s time to vote. And we all know lying, backstabbing and spreading propaganda on Facebook and media channels is a much better way to win voters than doing what’s good for them.

The system was always a plutocracy and will always be.

> It might seem unfair at first glance, but it enables the class to access the legal system and justice where it otherwise would not.

The fact that it requires so much expertise and money to "access the legal system" in this way is in itself incredibly unfair and unjust. It's a completely broken system.

Yeah, but how can that be solved? The law is very complex in any advanced country (I'd argue necessarily so), and requires specialists to navigate it.
You mean, with a coupon book good for 2 free credit reports... except with ridiculous fine print that will prevent 99% of people from using said coupons...
... 2 free credit reports with the purchase of 3 or more credit reports at the usual price
> I said it elsewhere, but I think the right response is to opt out of the class, and sue for $1000 in small claims court. If ~15% of the class does this, they are out of business, and lawyers don't get a dime of the $1000.

IANAL, but can't you only sue for actual damages not hypothetical damages? According to this [1] your identity with SSN is only worth $30 on the black market. To get $1000 out of them you'd probably need to have your identity actually stolen and prove it was stolen from Equifax.

[1] http://www.bankrate.com/finance/credit/what-your-identity-is...

Stress is a damage and mental health is valuable.
The tests for stress/mental health damages are very stringent.
The damage is not the cost of getting a new SSN, but the cost of verifying that your info is safe (still safe?). This is why companies routinely list the _cost_ of dealing with hacking incidents (scrub all the servers, pay people overtime, etc). I think it's fair to assign costs similarly for equifax.
Info monitoring is what, like $29.99 a month?

Perhaps reasonably ask for 3 years of monitoring, so $980

But those aren't actual costs incurred yet.

That's retail and the pricing seems highly inflated. Does anyone actually buy these services at that price point?

Credit real time monitoring should be an entitlement for those whose data is being collected.

My SSN won't change for my lifetime, so really they need to pay that cost of monitoring. Equifax, you owe me $23,392.20. It's in your interest to pay upfront to avoid the cost of inflation.
> My SSN won't change for my lifetime

This breach, I suspect, makes that less likely to be true. After all, one of the few reasons a new SSN can be issued to someone who has one is “A victim of identity theft continues to be disadvantaged by using the original number”.

https://faq.ssa.gov/link/portal/34011/34019/Article/3789/Can...

It would be interesting to see how they define "continues to" and "disadvantaged by" here. It sounds like it may be implying that multiple occurrences of issues need to happen and just knowing that your data's been breached, but not yet abused, could be insufficient qualifications for "disadvantaged by".
Punitive damages.
There are no "punitive damages" in U.S. Small Claims Courts. Only "actual" (out of pocket) damages.
You can, however, put whatever amount you want (up to the small claims limit) in the initial paperwork. It would get reduced to actual damages if you won. But...big companies often try to settle with you before the actual court appearance. By padding it, you set an expectation that might help. They are likely to settle if the amount is less than the cost to have someone appear.
Sort of / not really.

I guess treble damages are not called "punitive" but they're also not "actual".

https://en.wikipedia.org/wiki/Treble_damages

The GP was talking about Small Claims specifically -- I don't see anything on the linked page that refutes that. In fact, it seems like this applies very narrowly and only where specified by statute.
It was the best I could find. My understanding is that here in CA, if your landlord does not refund your deposit (or properly itemize legitimate expenses against said deposit) you can sue in small claims court and recover 3x damages, up to the small claims court maximum of $7500.

That said, I've never tried it, so it's possible my understanding is wrong.

Isn't Equifax protected from the class action by a few levels of arbitration clauses?
Arbitration clauses agreed to by who? Do most individuals have any relationship with the credit reporting agencies beyond having their private information siphoned up behind their back? (and trying to keep a handle on that, so that their "credit score" remains favorable?)
I never signed anything with Equifax, but they still have my information. I'm sure the great majority of the ~140M records they have are in a similar position.
Yeah, they ought to apply fraud alert status automatically to everyone who was compromised. Every credit application for the next five years requires they contact you personally for new applications.

Doesn't help for all the other issues this will cause, though.

You can sue for anything. They'll have to show up to respond, or you win by default regardless of whether your case is valid or not.

This would cost them a fortune.

I cannot believe that is how the court system works in any jurisdiction... are you commenting on the US?
They should be driven out of business. Their #1 commodity, the only reason they exist and they don't spend the time or money to protect it?
In small claims court, would you not have to show $1000 worth of damages?
Yes, and it's possible using simply arithmetic and market rates! Given that freezing your credit ratings is a necessary precaution after this damage inflicted by their negligently unpartitioned database, we can calculate:

1 legally guaranteed free credit report / year * ($5 freeze before + $5 unfreeze after) * 3 agencies * 33 more years of healthy remaining life God willing = $990 right there.

Move apartments or change jobs just once in that interval, and it will bring you up to a round thousand. Bam.

Actual, not theoretical.
How hard is it to sue in small claims court?
Are you kidding? This is a 100% instant dismissal if it even gets to a judge. The allegations are groundless...the plaintiffs have no knowledge of Equifax's security systems in order to have any sort of standing to make any claims regarding the quality of it.

The sad truth is you can do everything right to the best of your ability and still get hacked. So just the fact that they were hacked isn't sufficient evidence that they were negligent.

But then you would have to show $1000 of actual personal damage, which I doubt few if any can, unless you're thinking Equifax will just settle these one after another. But they're just as capable of multiplying out how many of these will have to happen before the losses devastate them like you just did and at some point will actually show up and make you prove your case.
(comment deleted)
This is the genius of small-claims court. Equifax has to either send a representative (which would cost them more than $1000), or they lose by default. You don't actually have to prove anything.
It really isn't genius at all. At least in my state, either party can object to the small claims status by simply sending a letter. Then it moves over to normal court with normal lawyers. Already you are out the small claims filing fee (yes, you have to pay the court to even bring a small claims case).

Once in normal court, you would need to hire a lawyer, and they would just find some local representation. At this point, you would probably withdraw the case because it isn't worth that investment.

But suppose you kept going. Their local council is going to proxy their attempts to change venue to where they are located. Unless you had a really compelling argument, they would probably win the change of venue. Now you need to find another lawyer somewhere else, and it is probably an expensive locale like New York or LA where they have a firm on retainer. Still want to push the case? Me neither.

By all means, try the small claims route. But don't think for one second that it is a slam dunk.

That is an incredibly pro-corporate anti-individual jurisdiction. Where is this?
I didn't think my state was that unique, so I did a bit of searching and found some interesting gotchas in a few different states:

Alabama: Must file in municipality where the other party (defendant) resides

Alaska: Easy to move to regular court

Arizona: Easy to move to regular court

Delaware: Cannot be used for punitive damages (basically this)

Indiana: Easy to move to regular court (If I am reading it right)

Michigan: Easy to move to regular court

New York: Must file in municipality where the other party (defendant) resides

Oregon: Basically must file in municipality where the other party (defendant) resides. Easy to move to regular court

You would have to do that if the case were actually litigated. The cost to Equifax to defend the case would be, at the very least, several hundred dollars, thousands, more likely.
They still have the death penalty for humans in the US, why not companies?
They do, it's called corporate dissolution. Not sure what precedent there is for a class action suit that results in dissolution, but it would be a pretty good precedent to set IMO.
I love your idea. I would be game if something is happening in that direction.
If you can write up the process in detail for my state, I will give you 15% of what I win from them. If you automate it as much as possible, 20%.
Does anyone have experience with this process and could share some tips, e.g. is it likely to be successful, is it open to non-citizens, how much paperwork are we talking about?
Toyotas negligent practices with regard to software killed at least 2 people. Their developers did not even have a bug tracking system at all. They followed only 6 of 90+ industry standard recommended practices. They lied about the system using error-checking RAM when it actually did not. None of that was enough to get a court to declare them negligent. Equifax will be fully acquitted. If a computer is involved, companies can get away with literally killing people. This is court precedent.
Good. I hope they get sued into the stone age.

And then, I hope all of the other agencies take note, and start deleting their data.

Nah, they'll just create expendable shell companies to decouple the risk from the profit.
That’ll be nice for some lawyers. I’d prefer to see severe civil and/or criminal penalties for the senior management folks who allowed this to happen on their watch. Expect many more breaches of this magnitude until C-levels start to feel the consequences of their negligence.
It's a sign of how awful Equifax is that I find myself rooting for the lawfirms in this case. I really hope they win, and that they get the full $70 billion, and that it's enough to shutter Equifax permanently. What a win that would be! Also it would serve as a nice cautionary tale to companies that infosec matters. That insurance for data breaches matters.

Because right now, it's too easy for them to not care. It's us that suffer the consequences, not them. That has to change.

Yes, what a win it would be to simply transfer ownership of Equifax from one party to another in the event of bankruptcy. The business itself would continue and nothing would change.
Investors would get wiped out and many people canned. The signalling value is massive.
If you wipe out the investors, they will start demanding security before investing in a company. And, if you wipe out the stock, you also wipe out big chunks of the compensation of the CEO, CFO, CTO, etc.

Until this starts hitting important people in the wallet, nothing will change.

It seems that checking to see if you're affected by the Equifax breach waives your right to sue Equifax:

https://techcrunch.com/2017/09/07/i-called-equifax-to-find-o...

No idea how ironclad such a clause would be,k though.

At this point they will tell you if your effected and then offer to enroll you in their complimentary "TrustedID" program. If you choose to enroll, that is when you waive your right to join any class action lawsuit.
This isn't true. Just by entering in your information to check if you're affected, you'll be enrolled automatically if you were indeed affected.

Really scummy behavior.

This is not true. I checked, and it offered me the opportunity to sign up "on or after" a specific date. There is no automatic enrollment.
Sorry, I misspoke a bit there. What I was trying to point out was that

> If you choose to enroll, that is when you waive your right to join any class action lawsuit.

Isn't true. Just by using the site to check, you're waiving your right to participate in a lawsuit, as expressed in the site's Terms of Use linked at the bottom:

http://www.equifax.com/terms/

> THIS PRODUCT AGREEMENT AND TERMS OF USE ("AGREEMENT") CONTAINS THE TERMS AND CONDITIONS UPON WHICH YOU MAY PURCHASE AND USE OUR PRODUCTS THROUGH THE WWW.EQUIFAX.COM, WWW.IDENTITYPROTECTION.COM AND WWW.IDPROTECTION.COM WEBSITES AND ALL OTHER WEBSITES OWNED AND OPERATED BY EQUIFAX AND ITS AFFILIATES ("SITE").

> No Class or Representative Arbitrations. The arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis.

Further detail from an actual lawyer in this comment:

https://news.ycombinator.com/item?id=15203185

How does Equifax build their database of people exactly? If it's all based on public information then they could argue that it's not really a leak. They are merely interpreting public information to build credit score.

If guess for subscribers they could get more information than publicly accessible. What fraction does it represent?

The credit card companies and lenders provide them with your information. It's not public.
It's not public data, it's data that creditors provide.
Private companies report information about you to the big agencies, and then they blend in public information. So it is a mix of public and private information.
NYS Attorney General on the arbitration/rights waiver clause: "This language is unacceptable and unenforceable. My staff has already contacted @Equifax to demand that they remove it." https://twitter.com/AGSchneiderman/status/906195350532304896

Also: "I am launching a formal investigation into the #Equifax breach. Today, I sent a letter to @Equifax seeking additional information." https://twitter.com/AGSchneiderman/status/906197644841766912

Yeah, I'm not sure the arbitration language is applicable here anyway. The claims would arise from Experian's failure to secure their data, not from use of the "Products" offered by TrustedID (namely, the website allowing me to check) or the subject matter of the Terms of Use agreement.
Their FAQ [1] now appears to explicitly say so: that the class-action waiver and arbitration agreement only apply to disputes over the credit-monitoring product itself, not over the original breach. I don't know if they have some way to still weasel out of that, but publishing that clarification on their website seems like it'd make it harder?

Do the TrustedID Terms of Use limit my options related to the cyber security incident?

The arbitration clause and class action wavier included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.

[1] https://www.equifaxsecurity2017.com/frequently-asked-questio...

It's time for this draconian type of business service be disrupted. It's gotten too big and unregulated.

We often question monopolistic behavior with regard to market share and competition for physical goods. However we don't see this type of questioning with regard to data monopolies. Hate to say it that while I enjoy the use of Google and Facebook, they may also fall into this arena. Though with those companies at least an order of magnitude worth of effort MORE is expended on some form of heightened security, communication, and standards primary thru tertiary of their core offering.

Equifax isn't a monopoly. There are four major credit bureaus in the US. At best that's an oligopoly, but all that realistically does in this situation is provide more points of security failure.
I'd like to know how much influence the consumer credit industry had in pushing through things like the Citizens United decision. Corporations love to be people when they can influence elections and make money off poor folks, but I wonder if they're ready to take the corporate death penalty when they break the law.

A bunch of class action lawsuits might make options like Move to Amend a lot more palatable to corporations facing that kind of scrutiny. It also gives political capital to organizations working to prevent rollbacks on consumer protections implemented after the Great Recession.

If Equifax's reputation hangs on a single hack, then they probably weren't that reputable to begin with. Why should we have to live under decisions that benefit them when they no longer exist, or weren't even who we thought they were?

Maybe it's time to issue everyone private keys where the public key is your "SSN" and it is signed by N people you know to verify identity
N people you know? What if I don't have a family or friends?
If you live in a box, will anyone know you exist? :O
Bonus point task: . Get leaked info for Donald Trump . Used said info to access recent tax returns
I'd love, love, love to finally see a company earnestly held responsible for their negligent security practices but I have no hope. Doubly so with this administration. Equifax getting run into the ground would help a president.
Consider the possibility that the hackers were agents of a sovereign power, such as one who has been hurt by economic sanctions and has a history of cyber warfare. This state could decide to respond to US economic aggression by using the compromised information of hundreds of millions of Americans to engage in fraudulent activity.

This event is leading me to about how social security numbers can no longer serve the role that they have with establishing trust in identity, although they can continue to be used to uniquely identify a US citizen. This hack may push markets, and government, to widely adopt biometrics and other sensitive, personally identifiable information.

What won't happen, unfortunately, is the political will to regulate how uniquely identifiable personal information is managed and stored.

Suppose that rather than Equifax, Facebook were hacked. What kind of intelligence and reports does Facebook have on people that would eclipse that of social security numbers and credit history?

Undoubtedly Equifax will claim that the hackers were agents of a sovereign power, to escape liability. Regardless, they admitted on their own web page that there was a flaw in their web application.

Biometrics would be a terrible idea. Mass surveillance, anyone?

I was not aware the citizenship of the hackers had any bearing on Equifax's liability in this case.
If it's a foreign government it's considered and "act of god", (I.e. Something out of their control) which releases a lot of liability.
to me if you store passwords in plaintext, it is criminal negligence even if God himself did the hack
> Biometrics would be a terrible idea. Mass surveillance, anyone?

What if the biometrics were stored on something you have - say a smartcard (definitely not a phone!)? Along with a PIN. Plus, these two items went into a "write only" store on the card (actually, a hashed value of both are stored).

You have a card reader (one at home - and any place you are doing a transaction to confirm identity also has one). You put in your card. Type your PIN. Present your (physical) biometric.

The reader takes the data, passes it to the card (or maybe the card has the reader and pin pad?). The card runs the hashing again, and compares the values. If all is good, it outputs a "Yes" otherwise a "No".

Remember, only the card holds the data (a hashed version) of the biometric and the PIN. That can only be written (you can do this with your terminal at home?). The only output the card has is that "yes/no" value.

All transactions of such nature would be done with this card.

I'm probably missing some steps or such - but the idea is there. That gives a 3-factor authentication system.

Don't expect it to ever be implemented.

That was the threat when the OPM got hacked a few years back -- anyone who ever had a background investigation done for a federal job now had their background info in some russian or chinese database dump. With that level of detail, you could start blackmailing some Lockheed or Raytheon employees until they leak some stealth fighter radar secrets to make the monthly false homeloan headaches go away.

I don't think the next world war will be fought with nukes, it will be an economic fight. Leak a few corporate secrets [1] to stall the economy, use the OPM dump and this Equifax dump to originate enough false loans to seize up the financial sector, then cause havok across the electrical grid [2] like you did during the annexation of Crimea just to make sure they stay down.

We've been blind to the other half of the threat of centralized information repositories... the 1984 Big Brother scenario assumes the holder of the information wants to control the citizens, but we never considered the information might have leaked to an actor who wants to destroy the citizens.

[1]: https://en.wikipedia.org/wiki/Sony_Pictures_hack [2]: https://www.wired.com/story/hackers-gain-switch-flipping-acc...

Welcome to WWIII, now in progress. The Russians are kicking our teeth in: they managed to trick us into electing Donald Trump as President...
It irks me that I can't file a "long term" (7 year) fraud alert unless I can prove with a police report that my identity has already been stolen. It's like giving people a flu shot only if they can prove with a doctors note that they currently have the flu. Hello! We're trying to prevent fraud here!

This whole industry needs to be turned upside down.

Assuming an approximately Bernoulli outcome from Equifax’s perspective, the stock market thinks there’s only a 13% chance they’ll be shuttered by this negligence.
This is an interesting point. I'm not great with math, but I'd love if you could share how you calculated that?
I'd appreciate advice from someone in the know about credit monitoring/repair services. There are so many and little credible information available about their capabilities and performance. If you have experience with this who do you recommend?

I've been caught up in the DOD breech, this Equifax incident and a couple smaller ones. I'm not interested in pinching pennies here; I want good results.

IMHO - credit monitoring has limited utility. While it can help you identify issues more quickly, it's still after the fact. For that reason, I bought the family a Zander Insurance plan. If you get hacked, they handle the fix (including outreach to the credit bureaus) and cover your expenses. This year they also added some credit/identity monitoring features and wallet replacement. I've not yet had to use them, but the service makes a lot of sense to me.

https://www.zanderins.com/idtheft2

This is like the whole country's credit card holders got affected. Is it a suggested idea to freeze your credit reporting account and not allow any issuance of new credit cards? or Like SSN Lock provided by my EVerify provided by USCIS?
I have said for years this credit controlling triopoly needs to be shut down and replace with something less disgusting. Ever tried to fix a mistake they made in your credit report? You may as well be dealing with the Spanish Inquisition. There is no penalty for Cxx's who perpetuate inept security to make more money so security is always job #99. These folks seem to have cornered the market on ineptness. I doubt any lawsuit will make them do anything different.
Organizations at the hazy nexus of the public-private spheres (e.g. public benefits corporations, regional transit authorities, FINRA, health insurance companies) appear to be endlessly prone to "disgusting" fallout like this, no?
I think suing the organizations who irresponsibly gave our data to such an unsafe organization will be more fruitful. Equifax doesn't have enough money to truly compensate, but JP Morgan, Bank of America, &c do.