Within hours of Equifax, one of the nation’s three major credit bureaus, confirming that the records of some 143 million people had been compromised in a data breach, the company was hit with a lawsuit accusing it of failing to protect its stockpile of sensitive consumer information. Meanwhile, some critics say that Equifax’s response to the breach may be doing more harm than good.
The potential class action complaint [PDF] was filed Thursday afternoon at a federal court in Oregon with two of that state’s residents as the named plaintiffs. It aims to represent others who may be “harmed by Equifax’s failure to adequately protect their credit and personal information.”
As a credit bureau, Equifax holds a vast amount of sensitive data about hundreds of millions of Americans: personal information like addresses, phone numbers, driver’s license numbers, and Social Security numbers, along with financial information on credit card accounts, loans, lines of credit, and more.
The plaintiffs say that, with this much data at its disposal, Equifax has a legal duty “to use reasonable care to protect their credit and personal information from unauthorized access by third parties.”
The lawsuit alleges that the breach resulted from negligence on the part of Equifax, claiming the company chose not to spend enough on protecting consumer data.
In addition to any potential harm that may come from the thieves’ misuse of the purloined data, the plaintiffs contend that Equifax should be expected to reimburse affected consumers for going out-of-pocket for services like third-party credit monitoring. Consumers should not have to “bear the expense caused by Equifax’s negligent failure to safeguard their credit and personal information from cyber-attackers,” reads the complaint.
We’ve reached out to Equifax for comment regarding this lawsuit but have not yet heard back.
This action is only the first of what will likely be dozens of similar lawsuits filed all over the country in the weeks to come. Aside from the $19.95 that one of the Oregon plaintiffs has already spent on an outside credit monitoring service, the complaint does not allege any actual damage done to the affected consumers. However, the type of information stolen in this breach could very easily lead to ID theft, credit fraud, and other harm.
This issue of potential harm is one that the court system has been debating in recent years. For instance, federal courts have disagreed on whether customers of health insurer CareFirst should be allowed to sue over a data breach where there is little evidence that the stolen information has been misused.
There will also likely be lawsuits, and possibly law enforcement investigations, involving reports that three top Equifax executives — including the company’s Chief Financial Officer — sold large chunks of Equifax stock, totaling around $1.8 million, shortly after the breach was discovered but before it was made public. The Oregon complaint does not mention these transactions.
Doing More Harm?
When it confirmed the data breach, Equifax launched a site, EquifaxSecurity2017.com, with information about the breach and a way for people to enroll in the TrustedID credit monitoring service, but a handful of problems with that site are only muddying the waters.
First, Equifax fails to clearly point out that TrustedID is actually an Equifax product. Consumers could be forgiven for not having much trust in a company that just admitted it failed to secure the data of 143 million Americans.
Second, signing up for TrustedID appears to lock you into the cruddy Equifax terms of service, which include a forced arbitration clause. What does that mean? It means that by signing up for TrustedID, you could inadvertently be signing away your right to sue Equifax in a court of law. Instead, you’d have to enter into private arbitration with the company. We’ve asked Equifax to clarify the scope of this arbitration clause but have not yet heard back.
Third, as Ars Technica points out, the EquifaxSecurity2017 site has several technical problems. It runs on a system that lacks the security configuration you’d expect of a site asking users to enter sensitive data (just so they can find out whether their sensitive data is being misused). And the equifaxsecurity2017.com domain isn’t registered to Equifax itself but through a third-party company, so nothing about the domain ties it to the credit bureau’s own equifax.com.
“[I]ts format looks like precisely the kind of thing a criminal operation might use to steal people’s details,” writes Ars’ Dan Goodin. “It’s no surprise that Cisco-owned OpenDNS was blocking access to the site and warning it was a suspected phishing threat.”
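The domain problem is worth making concrete. The Python below is an added example, not code from this article or from Ars Technica, and the hostnames it classifies are constructed for illustration. It separates a hostname that is genuinely under a brand’s registrable domain from one that merely contains the brand name (the pattern a freshly registered breach-response domain falls into), and shows why a naive substring check is not enough to tell the two apart.

```python
"""Added example: telling brand-owned hostnames from brand-bearing lookalikes.

A breach-response site on a new domain such as equifaxsecurity2017.com contains
the brand name but is not under the brand's own domain, which is exactly what
phishing filters key on. The hostnames below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List


def normalize(host: str) -> str:
    """DNS names are case-insensitive and a trailing dot only marks an FQDN."""
    return host.strip().lower().rstrip(".")


def naive_is_under(host: str, apex: str) -> bool:
    """The weak check: plain substring match. Accepts equifax.com.attacker.example."""
    return normalize(apex) in normalize(host)


def is_under(host: str, apex: str) -> bool:
    """Label-boundary check: host is the apex itself or a subdomain of it."""
    h, a = normalize(host), normalize(apex)
    return h == a or h.endswith("." + a)


@dataclass(frozen=True)
class Verdict:
    host: str
    owned: bool           # under a domain the brand actually controls
    brand_bearing: bool   # brand name appears somewhere in the hostname
    reason: str


def classify(host: str, brand: str, owned_apexes: Iterable[str]) -> Verdict:
    """Classify one hostname against the brand's known registrable domains."""
    h = normalize(host)
    owned = any(is_under(h, apex) for apex in owned_apexes)
    bearing = brand.lower() in h
    if owned:
        reason = "under a brand-controlled domain"
    elif bearing:
        reason = "brand name present but domain not brand-controlled: lookalike risk"
    else:
        reason = "unrelated to the brand"
    return Verdict(h, owned, bearing, reason)


def lookalikes(hosts: Iterable[str], brand: str, owned_apexes: Iterable[str]) -> List[str]:
    """Hostnames that carry the brand name without being brand-controlled."""
    apexes = tuple(owned_apexes)
    return [v.host for v in (classify(h, brand, apexes) for h in hosts)
            if v.brand_bearing and not v.owned]


# Constructed sample: the reported breach-response host plus illustrative lookalikes.
SAMPLE_HOSTS = [
    "www.equifax.com",
    "EQUIFAXSECURITY2017.COM.",        # the breach-response domain, FQDN form
    "equifax.com.attacker.example",     # passes a substring check, fails a real one
    "notequifax.example",
    "example.org",
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        v = classify(host, "equifax", ["equifax.com"])
        print(f"{v.host:32} owned={v.owned!s:5} brand_bearing={v.brand_bearing!s:5} {v.reason}")
```

The owned list has to come from somewhere the brand controls (its own published domains), which is the point: a visitor or a filter that only knows equifax.com has no way to vouch for equifaxsecurity2017.com, so treating it as a lookalike is the correct default.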