Holding Equifax Accountable: Your Potential Causes of Action After the Breach

The Equifax breach has released personal information of nearly half of the population of the United States. 143 million people out of 323 million total have had their personal or financial data exposed. The full repercussions of this breach likely have not been realized and will not be for years to come. This information could lead to identity theft and credit fraud over a decade down the line, a situation one would struggle to link to the original breach.

The breach itself has been all over the news, so many are likely already familiar with the details. However, for those who are not, the Equifax hack has seen the potential theft of social security numbers, addresses, driver’s license numbers, birth dates, and more. Over 200,000 credit card numbers and nearly 200,000 credit dispute details have also been absconded with.

The scale of this breach, accompanied by how dangerous the information that was accessed could be when it comes to identity theft or credit fraud has naturally led to many expressing outrage and fear over the situation. This is only made worse by the fact that it can be very hard to know whether you are among those whose information was accessed or even if you’ve been the victim of fraud using your information. To add to this, Equifax will not necessarily be warning you if you are among those targeted. While they will be notifying the approximately 200,000 whose credit cards were targeted and the 200,000 whose credit dispute documents were accessed, you otherwise are unlikely to be hearing from them.

Some initial steps you can take to protect yourself can include requesting a free credit report (you’re allowed one free request from each of the big three credit reporting companies every year), setting up a credit freeze or fraud alert systems.

However, with so many harmed, many want to know how they can hold Equifax responsible and recover from any harm. Data breach is complicated topic of law that can see substantial variations from state to state. However, there are causes of action which could be available to you based on Equifax’s actions. There are also an enormous number of existing lawsuits and investigations brought to bear of the credit reporting giant. This week we’re going to have two articles looking at how Equifax can and is being held accountable. These articles will deal with both the most common causes of action that you could bring against Equifax–as well as the strengths and weaknesses of those causes of action–and the lawsuits and investigations Equifax is already facing. Today we’ll start with the causes of action you may bring against Equifax, starting with your ability to bring a lawsuit against Equifax in the first place.

Does an Arbitration Clause Prevent Me From Suing?

Early on, as the initial news of the breach broke, it nearly simultaneously broke that signing up for Equifax credit protection services could bar you from suing due to an arbitration clause–a clause requiring legal action against Equifax to be resolved through arbitration as opposed to in the courts. There were also concerns that the Equifax terms of service could prevent class action lawsuits against them altogether. This is no longer an issue.

Equifax itself has said, in the face of extreme criticism, that these terms will not bar lawsuits. The terms have been removed altogether at this point and company has made it clear that the terms do not apply to actions stemming from their data breach. The issue has also led to the Consumer Financial Protection Bureau announcing that it would take steps to prevent arbitration clauses such as these, but Congress has killed these efforts. The vote was finalized just days ago in a very close vote, the deciding vote to break a 50-50 split was cast by Vice-President Pence.

With the ability to bring a real lawsuit available to you, let’s look at the most common causes of action the breach might make available to you–violations of the Federal Credit Reporting Act (FCRA) and negligence.

What is the Federal Credit Reporting Act?

Credit reporting agencies such as Equifax handle an enormous amount of sensitive data. This is why the FCRA was passed in order to require these companies to ensure the accuracy of the data they keep, make that data available to those it relates to, and–most importantly here–keep that data private. A credit reporting agency must only make your information available to those who have a legitimate business purpose for accessing it, such as an employer considering whether to hire somebody or a bank considering whether to offer a loan. They also must correct any inaccuracies in their information if you notify them of an issue. The FCRA further requires that reporting agencies use reasonable procedures (basically industry standard) to protect private information.

Where a company like Equifax fails to do this and you are harmed by their failure, you can generally sue for FCRA violations. Exactly how this is handled can vary from state to state, so your rights may vary depending on where you live. One important trend is in exactly what constitutes a harm under the FCRA. For a long time, you needed to show identity theft caused by a data breach to sue. However, more and more, courts are treating the data breach itself as a harm allowing you to sue. This is not always the case, but is a trend in favor of those hoping to sue Equifax.

These claims can provide up to $1,000 per willful violation of the FCRA and are likely the best course for those who have not experienced–or would have trouble proving–actual fraud or identity theft due to the breach.

Can Be Found Equifax Negligent?

Negligence is, without getting into too deep of an explanation, the breach of a duty where that breach is the actual cause of a harm. There is a duty of reasonable care, the care a reasonable person would take, which everybody owes to everybody under the law. However, certain situations can create additional duties. Equifax certainly had a duty, created by statute, to protect the data of consumers. They knew in July that that there was an issue, but simply allowed consumers to continue accessing and using their website before finally notifying the public of the issue in September. Equifax did not even patch the vulnerability in their website framework for months after it was discovered.

While not a 100% slam dunk, this certainly looks like a breached duty. This means that much of any negligence action against Equifax would boil down to a discussion of causation and damages. Were you actually financially harmed and was the cause of this harm the Equifax breach. For instance, if you could prove that your credit card information was stolen in the breach and then used for rampant credit card fraud you’d likely have a strong case for negligence.

However, that sort of causation and damages can be very tricky to prove. The breach is extremely recent and the sort of information that was stolen could be sold years from now, making it extremely hard to link to Equifax’s breach. What’s more, compared to the sheer number of people affected by the breach, the number who have suffered financial damages due to loss of information is relatively small.

Equifax Breach Has Already Led to an Enormous Number of Lawsuits

As we’ll see later this week, these two causes of action are tip of the iceberg when it comes to Equifax’s problems. While these are the most common causes of action, Equifax’s headaches already range from securities fraud to Federal Trade Commission investigations.

We’ll discuss these lawsuits in the next article. However, they have one important thing in common. They all are holding Equifax accountable for protecting consumer privacy and personal data. If you’ve suspect you’ve been impacted by the breach, it is worth consulting a lawyer to know whether you have a viable cause of action against Equifax. While Congress has refused to prevent companies from limiting their liability in situations such as this in the future, in the immediate present it is worth pursuing a case if you have been harmed by Equifax’s handling of your information. If you have a smaller claim, there are also–as we’ll see later this week–a tremendous number of ongoing class action lawsuits against Equifax which you may wish to join.