A number of proposed class actions are rapidly accruing against the credit-reporting company Equifax after the personal information of 143 million U.S. consumers was compromised in a cybersecurity breach. In a bombshell news story that hit the media earlier this month, Equifax announced that hackers perpetrated the data breach and that an investigation is ongoing.
As one of the three biggest credit-reporting companies in the country, Equifax stores data belonging to more than 820 million consumers and 91 million businesses, as well as employee data submitted by more than 7,100 employers. It is estimated that the data breach has potentially disclosed information on nearly 44% of the U.S. population, which does not include the other possible victims from the U.K. and Canada.
The hackers may have gained access to a variety of personal information such as customers’ names, Social Security numbers, birthdates, addresses, credit card numbers, and driver’s license identification numbers. Although Equifax first became aware of the breach on July 29th, the company did not publicly disclose the cyberattack until September 7th.
Considered one of the worst data breaches on record, it is no wonder that the lawsuits have been rapidly rolling in. Less than 24 hours after Equifax made its big reveal, a proposed class-action lawsuit was filed in a federal court in Portland, Oregon. The suit alleges that Equifax made money at the cost of its customers’ protections. The complaint states: “In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect [the plaintiffs’] information from authorized access by hackers.”
The lawsuit is seeking up to $70 billion in damages, slating this to be the largest class action in U.S. history. At least 23 other proposed class actions have been filed, with the number estimated to increase as more information is disclosed. The lawsuits name either Equifax or its subsidiary, Equifax Information Services, as defendants and allege a variety of legal claims such as security negligence and failure to timely warn customers about the breach.
While consumers will undoubtedly be solicited by attorneys to join the class action, potential victims of the data breach can also seek damages through alternative means. A chatbot (a computer program that engages in conversation with the user) called DoNotPay can be used to file negligence suits against Equifax in small claims court. The bot was launched this past July and was originally invented to help individuals with parking tickets. Plaintiffs are still responsible for serving the lawsuit and appearing in court, but the chatbot makes the process less arduous, as it automatically fills out the forms required to file in small claims court.
While not likely to replace lawyers any time soon, the bot does seek the maximum amount of damages allowed within the court’s jurisdiction, which varies widely from state to state ($2,500 in Rhode Island, $25,000 in Tennessee, for example).
After Equifax made its announcement, its customers were obviously panicked that their personal information was stolen. In response, Equifax set up a website, Equifaxsecurity2017.com, where the customers can check if their data has been compromised. The company also offers a free year of credit monitoring, through TrustedID, a company owned by Equifax, to customers that were victims of the attack. One lawsuit filed in California federal court alleges that Equifax’s offer to register its customers was done in the hope of “baiting consumers into signing up for its services” and turning “its failure to protect consumers’ sensitive data into a clandestine money-making opportunity.”
Another problem with customers using Equifax’s website to check on the status of their information is the terms of service that they must agree to prior to signing in. As part of the terms of the site, customers agree to an arbitration clause and waive the right to join any class action lawsuits against the company. Some reports have indicated that these terms only apply to lawsuits against TrustedID, not Equifax. However, Equifax’s own terms of service broadly bar any customers who use “all other websites owned and operated by Equifax and its affiliates” from joining a class action.
Adding yet another facet to the confusion, a clause in the company’s terms of service exempts claims that fall under the Fair Credit Reporting Act from the arbitration clause. Legal scholars and consumer protection experts have already begun opining as to the enforceability of these arbitration clauses. As Ira Rheingold, executive director of the National Association of Consumer Advocates, states: “It seems to be pretty outrageous to say, ‘Hey, I’m looking at your website to look up whether or not I’m a victim, and therefore when I look to see if I’ve been harmed by you, just by looking I’ve now found myself to not go to court,’ I think that may be a bridge too far, even for our courts.”
How Did This Happen? Experts Weigh In On Equifax’s Technology
It is unclear what exactly caused this massive data breach and the question will certainly be explored in-depth as more lawsuits unfold and the experts weigh in. But a brief look into Equifax’s history may offer some clues.
In 2016, Equifax’s W-2 Express website suffered a data breach that caused the exposure of 430,000 names, addresses, Social Security numbers, and other kinds of personal information of the retail firm Kroger. The $5 million class-action lawsuit was eventually dismissed on the condition that Equifax cease use of a potentially hazardous security measure that required client employees to access their data with a PIN consisting of the last four digits of their Social Security number and their four-digit birth year, numbers that a hacker could easily obtain.
In May 2017, it was reported that hackers had, in fact, gathered personal information on the employees to reset their PIN numbers, access their accounts, and steal tax data. The attack occurred from April 17, 2016 until March 29, 2017. Earlier this year, Equifax also disclosed that credit information of a number of customers was leaked on the online portal of its partner, LifeLock. Another breach occurred between April 2013 and January 2014, which Equifax reported to the New Hampshire attorney general, after an IP address operator was able to access credit reports through the company’s identity verification.
Throughout Equifax’s history of data breaches, cybersecurity experts have uncovered faults and vulnerabilities in the company’s security measures. Back in 2016, a researcher discovered a cross-site scripting (XSS) vulnerability on Equifax’s website, which allows hackers to send out links that, when clicked by a customer, expose the customer’s username and password.
In light of the recent data breach, other experts have researched Equifax and discovered the company is running a number of old technologies on its website, including source code that links to Netscape, the defunct web browser that was discontinued in 2008. Another cybersecurity engineer reported that Equifax was using out-of-date Java software that contributed to the security breach.
Massive, precedent-setting class action lawsuits are not the only consequence of the Equifax security breach. The $17 billion company will likely be the focus of a Congressional inquiry, as the House Judiciary Committee and the House Financial Services Committee may call for an investigative hearing. New York Attorney General Eric Schneiderman has also launched a formal investigation. The Consumer Financial Protection Bureau is looking into the breach as well. As Equifax’s stock price plunges and the number of lawsuits increases, the questions surrounding the biggest security breach in U.S. history will continue to grow.