Consumers Seeking Class Action Remedies for Equifax Breach

EquifaxEquifax, one of the three major credit reporting bureaus in the United States, has acknowledged that a breach of its stored data, including the theft of Social Security and credit card numbers, has potentially affected more than 145 million Americans. The breach is the largest theft of Social Security numbers in history.

The Federal Trade Commission reports that the data breach lasted from mid-May through July 2017. The hackers gained access to names, Social Security numbers, birth dates, and addresses of consumers in the Equifax database. In some cases, hackers were able to obtain driver’s license numbers. Additional information provided by people who were disputing their credit reports was stolen from about 182,000 people.

The hackers stole credit card numbers belonging to about 209,000 people. While those consumers are directly at risk of having their credit cards used in unauthorized transactions, the personally identifying information stolen from millions of consumers exposes them to identity theft. The kind of personally identifying information that hackers stole makes it possible to apply for credit or engage in other financial transactions in the consumer’s name.

Recommended Action

A number of financial experts have recommended action that consumers can take in response to the data breach. The FTC suggests that consumers begin by finding out whether their data has been stolen. Consumers might be able to do that by entering their Social Security numbers in a page provided by Equifax.

Keep in mind that tests of the Equifax tool have caused some people to question its reliability. In fact, Equifax recently took part of its website offline after discovering that “code on the site redirected users to a malicious URL urging them to download malware.” Equifax denied that it had been hacked again, blaming “a third-party vendor that Equifax uses to collect website performance data.”

All consumers, whether or not they might have been affected by the theft, can obtain one year of free credit monitoring from Equifax’s Trusted ID program. Since it is not clear that Equifax has identified every potential victim of the data breach, enrolling in that service might be useful for anyone who has ever obtained credit. The enrollment period ends on January 31, 2018.

Be aware, however, that a condition of enrollment buried in the fine print prohibits members of the Trusted ID program from joining class action litigation against the Trusted ID program. That could deprive consumers of a valuable remedy if another hacker steals information from the Trusted ID program.

Other recommended actions include:

  • Ordering a copy of your credit report from each of the three reporting agencies. You can obtain one free copy of your credit report each year from each agency. If you stagger your requests, ordering a report from one agency today, from the second agency in four months, and from the third agency four months after that, you can get a snapshot of your credit three times a year at no cost.
  • Placing a freeze on your credit. You do that through the credit reporting bureaus. A credit freeze prevents anyone from opening a new credit account in your name.
  • Creating a fraud alert. You can also do that through the credit reporting bureaus. A fraud alert lasts for 90 days but it can be renewed. The fraud alert requires creditors to verify your identity before opening a new account.

Those short-term solutions require an expenditure of time and, in some cases, money. Some members of Congress want credit reporting bureaus to give consumers free copies of their reports upon request (not just annually) and to freeze credit without a fee.

A proposed long-term solution that some members of Congress are advocating would prevent credit reporting bureaus from using Social Security numbers to identify people. Another bill would require credit bureaus to obtain federal certification of their data management practices to assure that they are protecting their data from hackers.

Lobbyists for the credit bureaus are making the familiar complaint that they already “subject to enough regulation.” Consumers who are now at risk of identity theft because Equifax did not safeguard their data might disagree that credit reporting bureaus are adequate regulated.

Class Action Lawsuits

More than 50 class action lawsuits have been filed against Equifax. Additional lawsuits are probably on the horizon.

Class action lawsuits have advantages and disadvantages. They are a useful tool for obtaining remedies when large numbers of people suffered relatively small harms as the result of a corporation’s negligence or misconduct. In this case, the failure of Equifax to safeguard its data may cause consumers to pay for a credit freeze, a credit monitoring service, and/or a fraud alert. Those costs would not justify the expense of an individual lawsuit, but when millions of consumers band together in a class action lawsuit, they can each obtain a remedy without shouldering the burden of financing the litigation.

Unfortunately, most consumers at this point only know that they are at risk of identity theft or fraud as a result of stolen data. They do not know when or if the data breach will actually result in the misuse of that data.

Consumers who are actually harmed by credit card fraud may suffer a greater loss than typical class members. In that case, a class action remedy might not be adequate. As a general rule, however, when consumers are notified of a class action settlement, they are bound by the settlement unless they opt out. Whether to opt out is a decision that consumers cannot intelligently make without knowing whether the compensation they receive from the class action will be adequate.

It will take time for the class actions lawsuits to make progress. They will probably be consolidated in a single judicial district. It will take some time to investigate potential losses. The court will probably be asked to certify a class (a requirement for class action lawsuits to proceed if they do not settle quickly). If the case is settled, the court will need to schedule a settlement hearing. Class members will then be given the option to participate in the settlement or to opt out.

By the time a settlement is reached (and there is good reason to believe that the cases will settle, given the potential liability that Equifax faces), consumers might have more information about whether they will suffer substantial harm because of the data loss. Consumers who experience identity theft or credit card fraud should ask a lawyer whether they might recover a more significant recovery by opting out of the lawsuit and pursuing their own remedy. Consumers who want to gamble that they will not be seriously affected by the data theft might prefer to file a claim and participate in the class action remedy that is negotiated for class members. Unless and until the class action lawsuits settle and the terms of the settlement are finalized, potential class members will not need to (and will not be in a position to) decide how to proceed.


Photo Credit: By Equifax [Public domain], via Wikimedia Commons

comments powered by Disqus

Find the Right Lawyer for Your Legal Issue!

Fast, Free and Confidential

Find the Right Lawyer for Your Legal Issue!

Fast, Free and Confidential