Equifax and Why It’s So Hard to Sue a Company for Losing Your Personal Information

HBR.org 2017-09-22


After years of screaming headlines about data breaches, we all know the drill. A major company announces it has been hacked, a brief public outcry ensues, and then… not much happens. Down the road you might read about a government inquiry or a class-action suit being settled. People have become numb to these announcements. We assume our personal information has been compromised in some way, take reasonable precautions like canceling a credit card or instituting credit monitoring, and move on with our lives.

The Equifax breach is different. It isn’t the largest (that would be the 2016 Yahoo breach, with over one billion accounts affected), the most embarrassing (Ashley Madison, the affair website), or the one that raises the most national security concerns (North Korea’s hack of Sony). But a couple of key facts give Equifax its own watershed moment in the sordid history of data breaches: (1) Many of the 143 million people affected may not have given their sensitive information directly to Equifax; and (2) Equifax holds a special place at the core of the personal information and cybersecurity ecosystem.

Equifax finds itself in the crosshairs in a way not seen since the 2013 Target breach; the legal and regulatory repercussions are coming at record speed. At the time of this writing, the credit bureau has been named in more than 50 class-action lawsuits (two were filed within hours of the announcement) and in a lawsuit filed by the Massachusetts attorney general. It is also under investigation by the Federal Trade Commission for unfair and deceptive trade practices, by the Department of Justice for insider trading, and by at least 32 other state attorneys general. Both houses of Congress are demanding information; Equifax’s CEO is expected to testify in the coming weeks. And Canadian and British regulators are commencing their own probes. A long, winding legal road lies ahead.

Let’s start with the first point. Equifax is one of the three major credit bureaus in the United States. It collects personal information — often without people’s direct knowledge — from credit card companies, banks, mortgage lenders, and any other entity that extends credit. In other words, if you have ever borrowed money or been extended credit, then Equifax (along with TransUnion and Experian, the other bureaus) was probably given your most sensitive personal information by a third party — information such as your date of birth, Social Security number, financial details, and credit score. The breadth of the information held, and thus potentially compromised in the recent breach, is staggering.

That consumers in most cases do not provide this sensitive information directly to Equifax will raise a number of interesting legal questions in the class-action litigation. It will make getting past the pleading (or motion to dismiss) stage even more difficult for some classes of plaintiffs. Virtually all data breach litigation has been brought by aggrieved consumers who claim they suffered harm after they gave their personally identifiable information directly to a company that got hacked. It’s likely that Equifax will argue that, in terms of protecting the data it collected, it did not have any obligations to the affected individuals, with whom it had no direct relationship, but rather that its obligations were only to its corporate customers.

And unlike in other data breaches, which have primarily led to consumer class-action suits, Equifax faces questions from its corporate customers, too. While consumer outrage has understandably generated most of the publicity, lenders and other corporations are quietly analyzing their Equifax contracts and assessing the potential damage to their own organizations. The vast scope of the breach has companies worried about the effect the incident could have on them, and about whether it could put their own customer or employee information at risk. Indeed, any company that uses personal data to authenticate the identity of customers should now be assessing whether it can sufficiently protect against impersonators in the wake of this kind of large-scale data dump.

In Equifax’s favor is the fact that some of these companies may decide that litigation would draw them into the public fray in a way that is just not worth it. In addition, as with most other data breach litigation, it’s likely that consumer plaintiffs will have a difficult time demonstrating that any actual harm was done to them, and thus fail to meet the legal standard for standing. Proving harm has been the albatross around the neck of the plaintiffs’ bar for several years. Plaintiffs in data breaches very often can establish no more than that their data was exposed to unauthorized persons — they struggle to show that they suffered any actual financial harm from the incident, something fatal to their claims. Moreover, when the information, such as a Social Security number, could have been obtained from any number of sources, it is difficult for plaintiffs to establish that any one breach was responsible for the harm they claim to have suffered. While these standing arguments, rooted in constitutional law, cause many data breach cases to go away quietly, contract-based claims against Equifax from corporate customers may have a greater chance of succeeding, given their direct relationships with Equifax.

To the second point, Equifax sits at the intersection of cybersecurity and the personal information ecosystem. In normal circumstances, the credit bureaus are who you call for help after you have been hacked, for credit monitoring, identity theft protection, and myriad other services. In fairness, no company is immune to criminal hacking. Putting that aside, the sheer breadth and sensitivity of the information held by Equifax — again, on a staggering 143 million people — will up the ante considerably on damage claims by the plaintiffs and regulators looking for their pound of flesh. And that’s not even counting the reputational damage that Equifax is likely to suffer. Regulators may be looking to hold Equifax to a higher standard in safeguarding information, given the business it is in. And we can be sure that plaintiffs’ lawyers will argue that the attackers, or purchasers of the data on the dark web, are capable of all kinds of mischief, and are determining how they can harness the bootleg data to commit even more lucrative crimes. The ripple effect is palpable.

So if this isn’t a breach that people are numb to, how will we respond to the pain? Lawsuits and investigations are certainly one way. But there will also be soul-searching about the use of Social Security numbers as authenticators, because it is clear by now that those numbers have been compromised. Reforming that system is unlikely. More likely is that private industry will take the lead by driving toward more-robust personal authentication mechanisms, such as biometrics, multifactor authentication, and the like. Companies need to stay ahead of the curve to avoid the painful aftermath of a large-scale breach.
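To make the closing point concrete, the following added example (not part of the original article, and not Equifax's or any bureau's code) contrasts the two authentication models the paragraph describes. A knowledge-based check that asks for Social Security digits and a date of birth is satisfied by anyone holding a breached record, because nothing it asks for is secret any more; a second factor such as an RFC 6238 time-based one-time password depends on a seed held only on the customer's device, which no breach of a data broker can supply. All names, records and the TOTP seed below are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample of what a breached bureau record might contain (fictional person).
BREACHED_RECORD = {"name": "Jane Doe", "ssn_last4": "1234", "dob": "1980-05-17"}

# The lending institution's own profile for the same customer (constructed). The TOTP
# seed is shared only between the institution and the customer's authenticator device;
# it is never part of what a credit bureau holds, so it is absent from BREACHED_RECORD.
CUSTOMER_PROFILE = {
    "name": "Jane Doe",
    "ssn_last4": "1234",
    "dob": "1980-05-17",
    "totp_seed_b32": base64.b32encode(b"constructed-seed!").decode(),
}


def knowledge_based_auth(profile, claimed_ssn_last4, claimed_dob):
    """Legacy 'prove who you are' check: recite SSN digits and date of birth.

    Every value compared here appears in a typical bureau record, so the check
    cannot distinguish the customer from someone holding a copy of that record.
    """
    return hmac.compare_digest(profile["ssn_last4"], claimed_ssn_last4) and \
        hmac.compare_digest(profile["dob"], claimed_dob)


def totp(seed_b32, for_time=None, step=30, digits=6):
    """RFC 6238 time-based one-time password (HOTP over the current 30-second window, HMAC-SHA1)."""
    key = base64.b32decode(seed_b32)
    now = time.time() if for_time is None else for_time
    counter = int(now // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def mfa_auth(profile, claimed_ssn_last4, claimed_dob, submitted_code, for_time=None):
    """Knowledge-based check plus a device-bound second factor.

    The knowledge check still weeds out casual errors, but the decision now rests
    on the one-time code, which requires the seed held on the customer's device.
    """
    if not knowledge_based_auth(profile, claimed_ssn_last4, claimed_dob):
        return False
    if submitted_code is None:                                # no device, no second factor
        return False
    expected = totp(profile["totp_seed_b32"], for_time)
    return hmac.compare_digest(expected, submitted_code)


def simulate(for_time=1_500_000_000):
    """Run both checks for an impersonator holding only the breached record and for the real customer."""
    ssn4, dob = BREACHED_RECORD["ssn_last4"], BREACHED_RECORD["dob"]
    # The impersonator answers the knowledge questions perfectly from the breached data ...
    kba_passes = knowledge_based_auth(CUSTOMER_PROFILE, ssn4, dob)
    # ... but has no authenticator device, so there is no one-time code to submit.
    impersonator_mfa = mfa_auth(CUSTOMER_PROFILE, ssn4, dob, None, for_time)
    # The real customer's device computes the code from the seed it holds.
    device_code = totp(CUSTOMER_PROFILE["totp_seed_b32"], for_time)
    legit_mfa = mfa_auth(CUSTOMER_PROFILE, ssn4, dob, device_code, for_time)
    return {
        "kba_passes_with_breached_data": kba_passes,
        "impersonator_passes_mfa": impersonator_mfa,
        "customer_passes_mfa": legit_mfa,
    }


if __name__ == "__main__":
    for check, outcome in simulate().items():
        print(f"{check}: {outcome}")
```

The design point is where the secret lives: a knowledge-based check is only as strong as the confidentiality of facts that dozens of organisations already hold, whereas the TOTP seed exists in exactly two places, neither of which is a data broker. The same argument applies to other device-bound or biometric factors the article mentions.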