To learn more about this topic, visit AL.Law
Peter Mougey: In May of this year, as Americans were planning their summer vacations and counting down the days before their kids got out of school, the credit reporting agency Equifax was dealing with one of the largest data breaches in American history that resulted in the personal data of more than 143 million Americans getting into the wrong hands.
To understand the data breach, let me talk to you about what a credit reporting agency like Equifax is. Equifax received credit data from credit card companies, cell phone carriers, car dealerships, and other corporations who run credit for consumers. These agencies report their data to companies like Equifax who then use it to generate a credit score. What does that mean for you? It means companies like Equifax have all of your personal data, – even though you never signed up for it.
The hackers who broke into the Equifax system accessed information such as names, Social Security numbers, birth dates, addresses, credit card numbers and the numbers of some driver’s licenses. The company said that credit card numbers for about 209 thousand U.S. customers were compromised, in addition to “personal identifying information” on about 182 thousand U.S. customers.
And even though the data breach was discovered at the end of July, get this: Nothing was revealed to the public until the first week of September.
In a perfect world, Equifax would have immediately offered to help protect the identities of the people who were compromised and do whatever it takes to make things right. But apparently they’re not that kind of company.
Instead, they offered people a chance to sign up for their credit monitoring programs – a service that they said would be free at first, but then you’d have to start paying. And to add insult to injury, if you sign up for their service, you might be effectively signing away your right to sue the company for their negligence.
The company saw the data breach as a business opportunity instead of a chance to do the right thing – a common theme we see here in corporate America.
Joining me now to discuss this is attorney Michael Bixby. Mikey, let’s start with the basics of this issue. How long did the hackers have access to the information, and what exactly did they obtain?
Michael Bixby: What’s surprising is that they could’ve had access to this data for two and a half months or maybe even longer, and the reason why they were able to exploit Equifax’s system is because Equifax failed to essentially install an update to the software that they were using that was available in March. In March of this year, they could’ve essentially fixed the problem that was exploited by the hackers, and apparently they were just asleep at the wheel and no one installed the update. By May, the hackers had access to this data, and could have had it for two, two and a half months to recover this data.
As you’ve mentioned, as many as 143 million Americans’ information could have been leaked to these hackers, and the types of information that these hackers obtained is very important. These include things like a Social Security number. They include things like full name, date of birth, addresses, even things like credit card numbers for a couple hundred thousand Americans, and information such as driver’s licenses. This information is very important. It’s private, confidential information that you don’t want other people to access.
Peter Mougey: Now, Michael, once they had the information, what do the hackers do with it?
Michael Bixby: Typically, what you’ll see happen is that the hackers themselves aren’t the people who are ultimately going to perpetrate the crime or the fraud on someone. They’ll usually sell the data to someone else who’s going to try to use it, typically for their own financial benefit. They might use it to try to obtain a loan in your name. They might actually try to use those credit card numbers to make purchases. They might try to open up a new account, whatever it is, whatever nefarious activity, where they’re trying to use your personal confidential information essentially to get themselves money or make themselves money.
It might be sold and resold and resold for years. The problem is, once the data is out, once your Social Security number is available, that information is perpetually valuable to a hacker. It’s valuable tomorrow and the next day because your Social Security number doesn’t change. You might be worried for a year or 5 years or 10 years going out in the future, and this could be used potentially to harm you and benefit somebody else.
Peter Mougey: All right. Now, we know this isn’t the first breach here with national information. Now, is Equifax responsible for stopping hacks, or is something like that considered out of their control?
Michael Bixby: Equifax is absolutely responsible for stopping hacks. The type of information that they have access to, even from non-customers, they have a very heightened duty to protect that information because of how important it is, because of what it means to the average American consumer. These have been big issues for a number of years. You can look back over the years. Target. You can name off other major retailers who have been hacked, and the type of information they have is much more specific and much more direct than a lot of other retailers have because they have access to essentially the golden ticket of information. It’s not just a credit card. It’s not just a name. It’s the combination of all those things, the Social Security numbers, all these other data points, which are invaluable to a hacker.
Peter Mougey: Now, Equifax is a huge company. They’re based out of Atlanta. Now, do they play a large role in lobbying the agencies or groups that were investigating this breach?
Michael Bixby: Absolutely. In the past year alone, before this breach happened, Equifax spent over a million dollars lobbying. You can look at the things they were lobbying about. One of those included regulations and laws that would relate to data breach, the precise situation we have here. They were lobbying against having new regulations or new laws that would essentially control them. They’ve also lobbied against things like the Consumer Financial Protection Bureau’s rule against barring class action.
They’ve been trying to get that to where they can control and they can force people into arbitrations and make them waive their right to bring a class action, which in this type of a scenario, where most consumers will be harmed on a relatively smaller scale, a few hundred dollars, maybe even a couple thousand dollars on the higher end for typical consumers, when the cost of bringing an individual lawsuit is so high, if Equifax and other financial companies, other banks … Think back to Wells Fargo and other folks who have perpetrated wrongs on the American public … if they’re able to get rid of class actions, they’re able to essentially protect and insulate themselves from liability.
Peter Mougey: The moral of that story is, if you’re going to screw somebody over, if you’re going to take, just do it a few hundred dollars at a time, so you don’t have any recourse. You can’t afford to bring an individual suit and then they bar your right to a class action. Now, I think the question that’s on everybody’s mind is, if your data was stolen, what should you do? What step you should take? What should you do to make sure that you can protect yourself? You certainly know that Equifax isn’t doing it.
Michael Bixby: Right. I think you can start … One suggestion that’s been made by many folks is that you put a freeze on your credit. This is something that can be done essentially to where, when someone’s trying to access it or use it to get access to a new account, or try to essentially steal your money or use your name for some purpose, that it’s not going to go through. It’s something that can be unfrozen. For instance, if you needed to buy a house or get a new car loan, you could contact the credit reporting agencies. That’s one thing that’s been suggested is put a freeze on your credit, and that’s going to help protect you.
The other thing you can do is there’s a possibility if you’re harmed, if your information is stolen and is used to actually … an account is opened, a false account is opened, a hacker uses your information or your data, you can look to either … Class-action lawsuits are a very, very important element of enforcing and holding companies like Equifax accountable, and there’s also the potential for a small claims lawsuit. It could be an individual lawsuit in the right circumstance, but this is perhaps best suited for the class action, where we can all band together. My data, your data, almost half of America’s data, has been compromised here, and if we band together, we can help hold Equifax responsible.
I think the last thing I would say is pay attention to what’s happening. In Congress right now, the lobbyists have gotten this issue before the Senate regarding the class action bar for banks and credit reporting agencies. The Consumer Financial Protection Bureau is saying you cannot have a class action waiver anymore. You can’t use that; that’s unfair. Pay attention as these issues are in front of Congress. Call your senator. Call your congressman.
Peter Mougey: That’s one of the best things you need to do, then, is follow up with your local congressman, your local senator, and make sure that they know the impact this is having on Main Street America.
Michael, thank you much for appearing today. I appreciate it. Please keep fighting the good fight. Thank you.