Nearly half the US woke up Friday to find out their Social Security number might have been stolen, thanks to hackers who breached the database of a top credit monitoring service.
Equifax is one of three major credit monitoring companies, which victims of data breaches typically turn to for protection. Now it’s lost the Social Security numbers, names, addresses and birth dates of up to 143 million people in the US alone. Folks in Canada and the UK have also been affected.
About 209,000 people had their credit card information stolen as well. The Federal Trade Commission has advised people to monitor their accounts closely, and to place a fraud alert on all their files. The massive number of victims means a lot of questions.
Don’t fret though. We’ve put together a guide for those who think they might’ve been nailed by the breach, and we’ll break down some of your legal options.
Which means, yes, you can sue them, either in a class action lawsuit or on your own.
Equifax didn’t respond to requests for clarification on the terms, which the company adjusted Wednesday, a day before it announced the massive breach.
“This agreement would only cover breaches committed by TrustedID, in its future monitoring,” Rohback said.
“We have to assume that they’re going to enforce that provision,” Fuller said.
Peter Vogel, an attorney who also works for the American Arbitration Association, says Equifax’s clause might not stand up in court. That’s because the agreement is relatively hidden, Vogel said.
“The courts generally require that there be a click agreement,” Vogel said. There isn’t a click agreement for Equifax’s terms of service. “You could make an argument that the arbitration provision won’t apply.”
That arbitration clause sounds suspicious
It should. In July, the Consumer Financial Protection Bureau decided to ban companies from using arbitration clauses, pointing out that it prevented a mass amount of people from taking legal action.
New York’s attorney general Eric Schneiderman wrote in a tweet that the arbitration clause was “unenforceable,” and that his staff has demanded that Equifax remove it.
Is there any way out of this clause?
Equifax’s terms of service includes an escape clause for the arbitration.
According to the fine print, you have to write an opt-out notice within 30 days of agreeing to use their products, and send it to this address:
Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out
P.O. Box 105496
Atlanta, GA 30348
The letter must include your name, address, and Equifax User ID, along with a statement that you “do not wish to resolve disputes with Equifax through arbitration.”
So no one is suing Equifax yet?
Actually, there are two class-action lawsuits filed so far.
Fuller is representing two Oregon residents who filed a class-action suit on Thursday, claiming that Equifax failed to adequately protect the personal information of 143 million people. You can join the case by signing up on www.equifaxcase.com. The plaintiffs are seeking $70 billion in damages from Equifax over the breach.
Despite the massive payout, if successful, each victim would only receive $489, and that’s before legal fees. That’s how much your social security number, name, address and birthdate would be worth.
“It could be the largest class-action lawsuit ever filed,” Fuller said. “It involves almost half the country.”
He’s gotten so many calls about the lawsuit that he started having to redirect people to their local attorney general’s office.
In Equifax’s home state in Georgia, two plaintiffs filed another class-action lawsuit against the company. The lawsuit claims that Equifax could have prevented the data breach, and failed to notify victims in a “timely manner.”
They are being represented by John Yanchunis, the lead counsel representing victims affected by Yahoo’s record-breaking breach, and has also represented data breach victims from Target and Home Depot’s hacks.
“Equifax contains one of the largest databases of consumer information and they should have been better prepared for any attempt to penetrate its systems,” Yanchunis said in a statement.
Is our government doing anything about this?
On Friday morning, House representative Ted Lieu (D-California) sent a letter to the House Judiciary Committee chair asking them to investigate the breach, and why it had taken more than six weeks for the company to go public with the announcement.
Lieu is requesting that Congress call representatives from Equifax, TransUnion and Experian — the “Big Three” credit monitoring agencies — to testify on Capitol Hill about the breach and details on their cybersecurity.
Sen. Mark Warner (D-Virginia), the vice chair of the Senate Intelligence committee, criticized Equifax over its “profoundly troubling” breach and suggested new data protection policies for Congress to pass.
Equifax is also working with the FBI on the investigation.
In New York, the state attorney general’s office also announced a formal investigation into Equifax’s breach.
Three Equifax executives, including its chief financial officer, sold shares in the company just three days after the breach was first discovered. The Securities and Exchange Commission did not comment on if it was investigating insider trading.
CNET Magazine: Check out a sample of the stories in CNET’s newsstand edition.
Logging Out: Welcome to the crossroads of online life and the afterlife.
Updated at 12:45 p.m. PT: To include new details from Equifax’s website.