People were shocked to hear that their personal identifying information (PII) and card account information (CAI) were exposed to thieves over a period of a couple of months in a data breach—not at an upscale store or a popular restaurant, but at Equifax, which keeps an enormous amount of information for tens of thousands of people. The complaint for this class action claims that the company was negligent in protecting the information and violated the requirements of the Fair Credit Reporting Act (FCRA) and Driver’s Privacy Protection Act (DPPA).
The class for this action is all persons living in Minnesota, Iowa, or Wisconsin whose PII/CAI was stolen or exposed to potential theft from Equifax by unknown third parties between May of 2017 and the present.
Since Equifax is a credit reporting agency, it maintains a great deal of PII/CAI on a large number of people, including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, and credit card account information. The complaint alleges that the FCRA requires credit reporting agencies to maintain adequate procedures to protect PII and limit its dissemination. Equifax ignored individuals’ privacy rights, the complaint alleges, by “intentionally, willfully, recklessly and/or negligently” failing to do what was necessary to safeguard their information.
Data breaches like the one at Equifax, the complaint says, are the most harmful kind because it can take a long time for victims to become aware of the misuse of their information. Thieves may sell information, the complaint says, or keep it for a long time before using it.
To make matters worse, the complaint charges that the data breach began sometime in May 2017 but that Equifax waited until September 7 to disclose it, allowing thieves plenty of time to use the information or sell it on the international cyber black market while the individuals involved were unaware of the theft and unable to take steps to protect themselves.
The Federal Trade Commission (FTC) estimates that the identities of perhaps 9 million Americans are stolen every year. In addition to the burden of placing “freezes” and “alerts” with agencies, closing or modifying accounts, and monitoring credit reports and accounts, the complaint alleges that victims of data breaches can be subject to serious harm—drained bank accounts, medical treatments billed to their insurance, charges to credit cards, or the fraudulent obtaining of government benefits. In particular, the complaint claims, Social Security numbers can be difficult to change because the victim of the theft has to prove that someone else is using the original number, meaning that harm has to be done before measures can be taken.
All of these things can cause harm to victims’ financial standing, credit ratings, and good names, the complaint claims, and they can be difficult even to detect, much less correct. The complaint thus alleges not only violations of the FCRA and DPPA but also negligence and invasion of privacy.