Americans are outraged about the Equifax data breach that exposed the personal and financial data of 143 million people.
The hack leaves half of Americans extremely vulnerable to theft, fraud, and a number of other crimes for years to come.
Now that many have taken immediate precautions to protect themselves — by requesting credit reports or monitoring and setting up credit freezes or fraud alerts — they’re left wondering what they can do to hold Equifax accountable.
“How do we sue Equifax?” wrote a reader named Jan. “This is criminal behavior on their part, but we get punished?”
The exposure of this data — which included some credit card numbers but, more significantly, people’s birthdays and Social Security numbers — coming from a company that profits from selling your confidential data should make Americans outraged, says Lauren Saunders, associate director of the National Consumer Law Center.
“People want justice,” she says. But since filing a lawsuit will be a long road, they’ll also need to push their legislators and regulators to hold Equifax accountable.
“The pendulum swinging against regulation and against protections for people, is not the right direction,” she says. “We need stronger rules to protect us when there is a problem.”
Did I sign away my rights to sue?
After the initial shock of the data breach, many consumers were further alarmed to learn that enrolling in the year-long credit protection service that Equifax offered could prevent them from suing because of a forced arbitration clause.
The company now says that’s no longer the case.
But Saunders says that while Equifax backed away from its original arbitration clauses, that could change later. “It’s impossible to predict what might happen years down the road in litigation after the public spotlight fades.”
The Consumer Financial Protection Bureau announced regulations that would forbid these kinds of arbitration clauses in July. But the House has already voted to stop the new rules from going into effect.
But outrage over the Equifax breach could change things.
“It would be an outrage if Congress blocks it,” says Saunders. “It should not be up to the wrongdoing company to decide if people get justice and access to the courts.”
So can I still sue Equifax?
There are already more than 50 class action lawsuits filed against Equifax as a result of the hack. If the response on Equifax’s website was that your data was involved in the breach, you have standing in a case, according to Jim Francis, an attorney with Francis & Mailman in Philadelphia who filed a class action on behalf of a client.
“If a consumer’s information was impermissibly provided to a third party or accessed without a lawful purpose, that is a violation of the law,” says Francis. “They don’t have to wait to find out that someone has taken it to the next level.”
There is also the issue of negligence on the part of Equifax, says Francis. “They violated their duty to protect your data,” he says. According to Equifax, the company had knowledge that there was a problem in July, but did not notify people until September. During that time, “they are allowing people to apply for credit. They are allowing them to access their website, all the while knowing that their information has been compromised and in the hands of other people.”
It will likely be toward the end of the year when the many class actions come before a multi-district litigation panel and are moved into one proceeding, according to Francis. After that, the group can be certified as a class.
If you are part of the group that has experienced the same injury, you will be notified that you are part of the class. Usually, at that point, you can also opt out. Once a class is certified, you can track the suit at the class action database maintained by Consumer Action.
What about other legal and regulatory recourse?
From a regulatory perspective, the Equifax breach is a wake-up call for American companies holding massive troves of data says Scott Vernick, a partner at Fox Rothschild who specializes in privacy and cybersecurity.
The three credit reporting agencies should be getting as much supervision as the banks and other financial institutions, Vernick says, but they don’t receive as much oversight or monitoring. But that could change as a result of this hack.
“There will be a tremendous avalanche of legal fallout as a result,” Vernick says.
State attorneys are already taking a close look at what happened. Massachusetts is the first state set to bring a lawsuit. Its attorney general, Maura Healey, announced an intent to sue Equifax claiming that the company did not “maintain the appropriate safeguards to protect consumer data,” violating state consumer protection and privacy laws. Attorneys general of New York, Pennsylvania, Connecticut and Illinois have also announced an interest in investigations.
There is a call for a Congressional investigation as well. Democratic Senator Bob Menendez, a senior member of the Senate Committee on Banking, Housing and Urban Affairs, called the breach “unconscionable” and, along with other senators, called for Congressional hearings on the matter and will soon be calling for a federal review of all credit reporting agencies.
Vernick added that because Equifax executives appeared to be dumping company stock after the breach was revealed but before it was announced to the public, the Securities and Exchange Commission may look into the event as well. Even investors in the company will have their say, because they’ll want to know if there were adequate disclosures about the event and may bring their own legal cases.
The Federal Trade Commission confirmed that it is opening an investigation into the data breach. Lawmakers have requested that the commission look at Equifax’s security lapses and its poor handling of customer service after the breach was disclosed.
Change is likely, but may not come fast enough for many consumers. Down the line, Vernick said, “I think these companies with large amounts of data are going to have to certify that they’re meeting a certain level of security.”