Equifax Data Breach: Justice?
Featured guests include:
Christian Hague and Jassamyn West, Consumers
Hague and West filed each filed small-claims suits against Equifax following the breach. They had very different experiences in court, but both prevailed.
Read about Jessamyn West’s experience taking Equifax to small claims court:
Read about Christian Haigh’s experience taking Equifax to small claims court:
Litt is the Director of Consumer Campaigns at U.S. PIRG and has worked extensively for stronger privacy protections and corporate accountability in the wake of the Equifax data breach. Twitter: @MikeLittUSA
EP 5. Can’t Fix Stupid
WALDEN: I thank the Chairman. We’re here to do today what it appears Equifax failed to do over the last several months - and that’s put consumers first…. Our job is to get answers for the more than…
SCHAKOWSKY: ...145.5 million American victims as of yesterday...
WALDEN: ...who’ve had their personal information compromised and now fear they could be victims of fraud at any time.
SCHAKOWSKY: This particular breach occurred when hackers exploited a known vulnerability….
WALDEN: ...the vulnerability that the hackers used to get into the Equifax system was discovered in early March.
SCHAKOWSKY: It was months later before Equifax first discovered the breach…
WALDEN: How did this go unnoticed?
SCHAKOWSKY: The response to the breach was its own debacle.
WALDEN: Why was the consumer facing website created on a separate domain?
SCHAKOWSKY: Equifax tweeted links to the wrong URL directing victims to a fake website, the call-center was understaffed….
WALDEN: How could a major US company like Equifax which holds the most sensitive and personal data on Americans so let them down?
DINGELL: Most people had no idea that Equifax was even holding their data.
PALLONE: This is unlike other breaches at stores such as Target and Michael’s, where consumers could make a choice….
SCHAKOWSKY: Consumers don’t have a choice.
DINGELL: You can’t change your Social Security number and I can’t change my mother’s maiden name.
WALDEN: If as a sophisticated a company as, as you headed is, with so much at risk, how does this happen? And you know, we have colleagues that say we’re gonna, you know, double the fines, triple the fines, put fines in, do all these things, but - how does this happen when so much is at stake? I don’t think we can pass a law that - excuse me for saying this, but - fixes stupid. “I can’t fix stupid,” as a colleague of mine used to say.
ALIA: I’m Alia Tavakolian.
BOB: And I’m Bob Sullivan.
ALIA: And those were a bunch of our Congressional representatives in October of 2017, doing what a lot of us were doing after the Equifax breach: realizing how bad this was, putting together the pieces of what went wrong, and getting really pissed off. The only difference is they got to demand answers for their questions from Rick Smith.
BOB: This week we’re getting into the aftermath of the Equifax breach. What did people do to hold Equifax accountable then, and how can you hold them accountable now?
ALIA: Scream into your pillow, then take action. Welcome back to Breach, brought to you by Carbonite: how businesses protect their data.
ALIA: At some point, Listener, either at the time of the breach, or while listening to this podcast, I’m going to bet that you’ve had some questions you wanted to just yell at Equifax. Watching this testimony while researching the Equifax breach was the moment that really turned the tide for me. I felt a lot less alone, like I had somewhere to channel the despair-rage in my belly, as I watched former-CEO Rick Smith squirm, while one-by-one, a bunch of our elected officials used their allotted 5-minutes to run through the absurd series of facts about the Equifax breach, and ask him, essentially, “Rick. Buddy. HOW COULD YOU LET THIS HAPPEN?!”
Bob was actually there, he attended one of these hearings. And apparently it was unusual for so many politicians to be tapping into this same, collective rage.
BOB: It was, the energy around the hearing was something pretty unusual in House of Congress. In this case, the room was packed full, there was a line out the door. When Rick Smith came in, I mean, it did feel like, uh, you know, the main character from a play taking the stage. Uh, surrounded by photographers - you know those photographs you’ve taken where the person can’t even move there’s so many cameras near them. Click, click, click, click, click, click, click as the hearing began.
ALIA: So there are like multiple ones of these, right? It’s not like one big trial?
BOB: Yeah, uh, Smith had to appear before several House and Senate uh, sub-committees during the course of a, a couple of days. So he was asked these same questions over and over again and gave the same exact answers over and over again.
ALIA: You know what, something that, like, really surprised me is that there was so much bipartisan anger.
BOB: Yeah. They could all agree on the fact that they were angry at Equifax. Um, privacy itself is a pretty bipartisan issue. Conservatives like privacy, they like to be left alone, and Liberals are very interested in civil liberties and privacy is very much a civil liberty issue.
ESHOO: Mr. Smith, it seems to me that you have accomplished something that no one else has been able to accomplish and that is that you have, uh, brought, uh, Republicans and Democrats together in outrage, and distress, and, uh, frustration over what’s happened, uh, because this is huge.
ALIA: This week, we’re diving into the consequences Equifax faced after the breach, and the actionable steps real people took to deal with their rage - like taking Equifax to small-claims court. But first, I want to give you some highlights from these Congressional and Senate sub-committee hearings, because they’re essentially performance art - post-modern, absurd, Dada-esque, “Can you believe this is the world we live in?!” performance art.
ALIA: Okay, here we go. First up is pointed, “on-behalf-of-constituents” anger:
LUJAN: I worry that your job today is about damage control - put a happy face on your firm’s disgraceful actions, and then depart with a golden parachute. Unfortunately, if fraudsters destroy my constituents’ savings and financial futures, there’s no golden parachute awaiting them.
ALIA: Then, an example of the many damn good questions that don’t get answered, or get totally misdirected:
MATSUI: In the context of this breach, if data that you hold is about me… do I own it? Do I own my data?
SMITH: Could you please repeat the question?
ALIA: Next, let’s sample some moments from the general absurdism category. When Senator Kennedy enquired about Equifax’s contracts with the federal government (remember we discussed that with Nick from the GAO, the US Government is a customer of Equifax) -
KENNEDY: The contract, the 7… 7 million and change contract, does that involve, uh, um, taxpayer information that you would have access to?
SMITH: Senator, it’s my understanding - and I don’t profess to be deep in this particular contract - uh, is, it is to prevent fraudulent access to the IRS, but beyond that, I…. If you want more information, we can get that for you.
KENNEDY: Well, you, you, you realize to many Americans right now, that looks like, uh, we’re giving Lindsay Lohan the keys to the minibar.
SMITH: I understand your point.
ALIA: I never thought TMZ would be relevant to our coverage of the Equifax breach, but I was wrong.
TMZ CLIP: Whoa, take that Lindsay Lo-Han!
TMZ CLIP: Lindsay Lohan’s parents are obviously super pissed about it, they’re threatening a lawsuit against him.
TMZ CLIP: ‘Cause they think it’s a cheap shot at Lindsay’s struggle with drugs and alcoholism…
ALIA: And my favorite piece of performance art -
REPORTER: We’re with Monopoly Man - actually Amanda Werner of Public Citizen - who you may have noticed at the Senate Banking Hearing was right over the shoulder of former Equifax CEO Richard Smith.
ALIA: She was right behind him, you could see her in close-ups when he responded - dressed as Mr. Moneybags, occasionally dabbing the sweat off her forehead with fake money…
AMANDA: Sure so I dressed up as the Monopoly Man today - OH -
ALIA PU: her monocle falls out -
AMANDA: that happened a lot in the hearing too.
I dressed up as the Monopoly man to call attention to Equifax and Wells Fargo’s use of forced arbitration as a get out of jail free card for their misdeeds”
BOB: Okay, and it’s funny, right, these minibar comments for example, and it’s certainly satisfying to hear somebody, like you, ask what you would ask, right? How could you let this happen? You can’t fix stupid. Right? So this is great. We heard this out loud, it’s cathartic in some ways I suppose but, but… okay so you have a big fight with somebody and you you yell about it for five minutes and sometimes that feels good, but what did it really accomplish? Did anything really change? And the answer is no. Rick Smith got up at the end of the day and flew home to not working at Equifax anymore and that was sort of the end of it. There was no actual consequences here. This was - a slap on the wrist - it might be an insult to slaps on the wrist to call this a slap on the wrist.
I mean, let’s not forget that at the time of the hearings, Rick Smith had already resigned from Equifax. So he wasn’t even CEO anymore. Which means that at these hearings, the company itself wasn’t really represented. I’ve never seen anything like this before.
ALIA: On the other hand, some representatives did use the hearings as an opportunity to bring up legislation they wanted to pass in direct response to the Equifax breach.
BOB: Yeah, it’s easy to lose sight of the fact that the point of congressional hearings is to help move legislation forward.
ALIA: Representative Shakowsky uses a few seconds of her time in these hearings to skewer Equifax for having lobbied for some legislation while they knew about the breach -
SHAKOWSKY: The same day the Equifax breach went public, the house Financial Services committee held hearing on FCRA Liability/Harmony Act - a bill to protect credit reporting agencies like Equifax from Class-Action suits, Imagine. In fact Equifax was lobbying for this bill after the breach was discovered in July, still not reported, and the 14 Republicans sponsoring this bill should ask themselves whether this is really the industry they want to be in bed with.
BOB: This is incredible to think that while they were running around investigating this breach they were directly advocating for a change in law, a federal law that would have limited their liability for things. Uh, I mean--
ALIA: That’s crazy!
BOB: I suppose there’s an argument that one side of the house didn’t know what the other side of the house was doing. This breach hadn’t been announced yet.
However, I I mean at a bare minimum, the optics of this are just terrible.
ALIA: It does not look good.
ALIA: Representative Shakowsky then brought up the bill she’s sponsoring - the night before the hearing she re-introduced the “Secure & Protect Americans Data Act” along with others in the Energy & Commerce committee.
SHAKOWSKY: Our bill would establish 1) strong data security standards… 2) require prompt breach notification which we didn’t get and 3) provide appropriate relief for breached victims.”
ALIA: This bill has been introduced, but I don’t see any other movement on it. There were a few other acts introduced after the Equifax breach -
One that I find particularly interesting is the “Data Breach Prevention and Compensation Act”,
sponsored by Sen. Elizabeth Warren and Sen. Mark Warner. It was introduced in January of 2018.
ALIA: This bill would do several things: It would establish an Office of Cybersecurity at the FTC specifically tasked with inspecting and supervising the cybersecurity at Credit Reporting Agencies.
BOB: This is really important because whenever the FTC sues anybody, they make part of it ongoing auditing to make sure that that company that lost data or whatnot is behaving properly.
ALIA: It would also impose mandatory penalties for breaches of consumer data - starting with a base penalty of $100 for each consumer who had one piece of personal identifying information (or PII) compromised and another $50 for each additional PII compromised per consumer.
BOB: So they lost your name? 100 bucks. Your email? Another 50. Your passport photo? Another 50. And so on.
ALIA: If this legislation had been in effect, Equifax would have had to pay at least $1.5 billion to Americans for failing to protect their data.
ALIA: Another facet of this bill: it would increase penalties for things like failing to notify the FTC in a timely way in case of a breach, or having really inadequate cybersecurity.
BOB: People have been waiting for this for a long time. There really is a difference between a company that gets hacked by a nation-state despite all good efforts and real investments in security, and a company that leaves the backdoor wide open and fails to install a certificate on software for 19 months, right? So, there would be, you know, cases of severity where the FTC could actually increase the penalties if you were really terrible about this. That makes a lot of sense.
ALIA: These are real consequences! Like: HUGE disincentives for pulling an Equifax. Imagine how much more carefully a company would guard the dozens of pieces of PII they had on each of us, if they had to pay 50 dollars for each data point they lost.
Seriously: imagine it. They’d for sure figure out a system for patching servers if they had to pay 50 bucks for each name and birthday in that server!
Imagining it was the fun part.
Realistically, our colleague Mike Litt (who wrote about this proposed legislation after the Equifax breach) says this particular legislation does not appear to have traction to move out of the Senate Banking Committee.
BOB: Aka: dead on arrival.
ALIA: But I can imagine it, Bob. It’s beautiful. I mean, maybe my privacy would not have been murdered with this kind of legislation. Or it would’ve been murdered but I’d at least get cash for it.
ALIA: Mike also talked to us about some legislation that DID pass, that some argue is the “one good thing” that came out of the Equifax breach. This legislation extended mandatory fraud alerts from 90 days to 1 year, which is nice, but here’s the best part: it federally mandated free credit freezes.
BOB: Remember back at the time of the breach, in most states Equifax was allowed to charge a fee to freeze your credit. Now there’s a law saying they’re free! For people in every state! - -- But even that “win” is...complicated.
ALIA: Let’s back up before it gets sad. So before the breach, Mike’s colleagues at US PIRG had already been working to get free credit freeze laws passed in states like California -
MIKE: Then because in response to the Equifax breach, you had a whole bunch of states passed their own laws to make freezes free. Think we got up to 23 states where freezes were free.
ALIA: Love that momentum! So a bunch of states pass their own laws after the Equifax breach is announced in September 2017, then this act is passed the following January: the “Economic Growth, Regulatory Relief and Consumer Protection Act”. Then they’re free in every state!
BOB: So companies like Equifax no longer had the chance to make money off you when you had your credit frozen.
ALIA: A huge win!
BOB: Sort of.
ALIA: Because… the “Economic Growth, Regulatory Relief and Consumer Protection Act” also had a bunch of other things attached to it, not just free credit freezes, and was part of a larger bill that rolled back Wall Street reforms that were put in place 10 years ago after one of the worst economic crashes in our history. US PIRG nicknamed it the #BankLobbyistAct.
BOB: As a whole, according to Mike, this larger Act would -
MIKE: increase the likelihood of discrimination in the marketplace, likelihood of risky banking practices, likelihood that consumers will get bad mortgages, and then even even that free national freeze actually preamps the states who have stronger credit freeze laws -
ALIA: So making a federal law for free credit freezes is great, but it replaces the local state laws. So if your state already had bad credit freeze laws, then yay for you! But if your state had good laws… they’re weaker now.
BOB: Okay, so timeout.
BOB: Equifax happens.
MIKE: Equifax happens.
BOB: Everybody's really angry.
BOB: Washington DC sweeps into action to fix consumers as a result of this and a year later, laws are weaker than they were?
MIKE: So when it comes, when it comes to credit freezes, there are some states that had stronger credit freeze laws that now have weaker credit freeze laws than they did before If there's going to be any kind of federal law, it should set the floor and not be
ALIA: I love consequences for Equifax. I hate wrapping up those consequences in the same bill with a bunch of other stuff that lets big banks take advantage of us. And I really hate the unintended consequences of replacing and weakening state laws that were helping people. It’s like one step forward, two steps back, and also that step forward broke a bunch of stuff.
ALIA: Okay. The breach happened. Legislative consequences for Equifax are: non-existent, unlikely (but fingers crossed super hard!), or complicated.
What’s a civilian, with that rage in their belly, desperate for consequences, to do? For some of us, that flicker of rage quickly died out into a wave of apathy.
For others of us that rage turned into despair (I guess we’re all doomed anyways, what can I even do )
But there were some people who decided to take action. People like Jessamyn West -
JESSAMYN: my name is Jessamyn West and I am, I say a community technologist and I live in central Vermont. My background is libraries.
ALIA: I love it.
JESSAMYN: My question, anytime I'm being recorded, is tolerance for swearing.
ALIA: Oh, high tolerance.
ALIA: And she remembers the timeline of the Equifax breach vividly. Because, as she put it-
JESSAMYN: 2017 was a shitty year for me.
ALIA: Her mother had passed away earlier that year.
JESSAMYN: And so I had spent a lot of the summer of 2017 dealing with her affairs.
ALIA: Which in addition to grief, means a lot of paperwork, and getting financial and legal things in order. Then a few months later, the Equifax breach happens:
JESSAMYN: I went to their dumb website to figure out if I had been affected and they were like, you've totally been affected. You can apply for a year's worth of free credit monitoring from basically us - And I was like, no, no, no, you kinda, you kinda burned that bridge with me. So... no?
ALIA: On top of everything else, now she has to worry about identity theft, too?
JESSAMYN: that sucks. This is bullshit. I'm not in a good mood and I would, you know, I want to, I want to try doing something else. Right.
ALIA: Suddenly she’s facing snags when it comes to verifying her identity in all this financial and legal work she’s prepping for her mom’s estate -
JESSAMYN: My sister's paperwork went through without a problem. With my paperwork, there was a problem. Like, I needed to send additional verification information to prove I was who I was. Can I link that to the equifax breach? Totally not. Do I think it had something to do with it? Maybe. Right?
ALIA: And more things like that start happening. She can’t prove it’s directly Equifax’s fault. But they’ve put her in a vulnerable position, they’re making her life harder -- she’s annoyed!
Also: the conversations she’s having about the breach with her friends, who aren’t computer-librarian-research types like her, are annoying her too - !
JESSAMYN: So I would ask them like, well did you check to see if you were affected? And they're like, mah, what can you do? Computers like they're impossible. Everything is impossible. The world is getting worse, blah. And I was like, these conversations suck.
ALIA: Another thing on Jessamyn’s mind was her late mother. She was a diligent advocate for herself as a consumer -
JESSAMYN: one of those, um, like consumer complaint people. Not not like in a, in a, in a, like what I would consider to be a shitty way, but in a like I'm not going to get fucked over by the man way
ALIA: So she taps into her mom ’s tenacious energy -
JESSAMYN: I've been wronged, this is bullshit. I want to do something about it.
ALIA: And she makes a plan:
JESSAMYN: Uh, I knew where the courthouse was. I knew it was near me. I knew it was cute and not very busy, so I said, you know, maybe it would be fun to try to file a small claims case against Equifax -
ALIA: Why not? At the very least, it’s a pain in Equifax’s neck -
JESSAMYN: Because one of the things I knew is they have to show up.
ALIA: She got to work learning how to file - in her initial research she saw there was an automated tool, a bot she could use, but it only worked in California and New York.
JESSAMYN: Right. story of my life. Here's a new amazing tool. It's really only for people who live within 30 miles of San Francisco or Brooklyn.
ALIA: So she consulted a lawyer friend for advice, rallied help on the internet, then filed away.
JESSAMYN: in Orange County, Vermont, which is one of the smallest counties in one of the smallest states.
ALIA: Which, added perk: gave her something great to say in response to the defeatists in her life.
JESSAMYN: And then when I went out to dinner with my friends instead of like blah, blah, what can you do, computers are hard, am I right? I was like, well I filed a small claims case and it's going to be awesome.
ALIA: So she’s given a court date. Time goes by, she’s getting ready for her case, researching and getting help on the internet, and soon enough it’s time for her. Day. in. court!
JESSAMYN: So I missed the court date and I was like, fuck my life. I cannot believe I did this. And the weird thing was Equifax also missed it, so if I had shown up, I would have just won because they would have defaulted because they have to send a person.
ALIA: Oh my god. How did you feel about that?
JESSAMYN: I just literally, I was dead inside. I was just, I at first, at first I was like, I am the worst in the world because I had like a little internet cheering squad, right?
ALIA: But her internet cheering squad pulls through - someone chimes in on a forum:
JESSAMYN: Oh, you know, you could probably just reschedule. What? Yeah, you can just call the court and I called the court and they were like, oh yeah, sure. Totally. You can reschedule. What? Okay.
ALIA: And this time she makes it, and shows up prepared -
JESSAMYN: I, you know, I checked the date a million times. I'd done a ton of research, like I had a stack of papers, like this is the person who didn't patch the thing. Here’s how they left the administrator, login open for the thing, And I watched the the senate investigation. And I mean, so ridiculous, right? He got the goldenest golden parachute. ALIA: Yeah.
ALIA: So she gets to the Orange County Vermont Courthouse -
JESSAMYN: which is like a cutie poo little courthouse that kinda like you'd imagine. There's nobody else there. Uh, Equifax sent a paralegal who was very nice. He is so like, he's super friendly, he’s like I had to drive on a dirt road to get here. I'm like, yes, you're in rural Vermont.
ALIA: The judge says she can object to the fact that Equifax sent a paralegal, apparently they’re not supposed to do that, but Jessamyn doesn’t care. The judge asks her questions, how she’s been harmed, why she thinks this is Equifax’s fault. The paralegal then makes his case -
JESSAMYN: The paralegal’s just like, you know, it's all speculative damages, right? She's worried about what might happen, but that's not what small claims is for.
ALIA: She’s asking for $5,000 total, the judge says he’ll look into it and give her an answer via mail - they’re done! She and the paralegal walk back to their cars.
JESSAMYN: We’re kinda chit chatting because he's actually really nice, um, and he was like, you know, I just have to break it to you. Like I never lose. And I’m like that’s okay.
Like I don't care. I dragged you out to Vermont. I cost Equifax a ton of money just getting you here. I'm glad you're having a good time. like I'm not mad, but, you know it's bullshit. And he gave me his email address. He's like, you know, if you want to vent or anything. I was like, all right, great. Thanks. He left. I left. I went home and kind of wrote up the story.
ALIA: She eventually finds out she’s awarded $690 dollars. $90 for court fees, $600 for identity theft protection. Which makes me wonder - was it worth it?
JESSAMYN: On a purely like money per hour spent on this basis, there is no way it sort of paid for itself I guess, if that makes sense. But as far as the, the spirit of the thing, like it went exactly how I wanted. Like it changed the conversation that I got to have around Equifax. It taught a bunch of people a lot of different things about data security, data protection and data privacy. I don't mind being a vehicle for helping tell a story that I think is important and do something that is a little stuntish in order to raise awareness about this. So as far as I'm concerned, so worth it.
ALIA: It’s not so much about the dollar amount. It’s about creating consequences for a big company that, otherwise, might just get away with doing whatever they want. And
JESSAMYN: And what I hope is the next time this comes around somebody else is like, oh, remember that lady who sued Equifax? Like I could sue Quora for losing my information, which is the giant data breach that happened this week. You know, maybe, maybe that's something I can try and maybe that's something real people can do.
ALIA: And now I think it’s time for a Brain Break.
When we get back, we’ll hear from another person who took Equifax to court, and faced the literal opposite of a friendly paralegal. He was up against a legal team designed to crush him.
But first, let’s check back in with Kelly. We haven’t heard from her on a while. She’s on a quest to find *every* “credit report card” that exists on my friend Scott - and I think she has results!
KELLY: Hey guys. It’s been a while. This is Kelly, in the culmination of our credit report adventure. So since it’s been so long, I’ll give you the TLDR on what’s been going on:
In diving into the credit world, we learned there are more than just the Big 3 Credit Reporting Agencies with info on us. There’s actually a whole bunch of these other reports from groups called Specialty Credit Reporting Agencies. We wanted to understand the scale of this thing, and let someone dive into ALL of their reports, (you know like Scrooge McDuck but with credit data). And Alia’s friend Scott agreed to be our guinea pig!
KELLY: While the Big 3 have strict rules they have to follow regarding letting you request your credit report, Specialty Credit Reporting Agencies have fewer regulations.
For instance, they don’t *have* to have a website, which makes it so hard to find them that we had to get a credit lawyer, Joel Winston, to make us a list.
But Specialty Credit Reporting Agencies still have some rules they have to follow. Basically (If you can find and catch them) they have to respond to your request within 15 days.
KELLY: But turns out there’s HUNDREDS of these agencies. Joel told us it’d be way too much to mail that many forms. So, we mailed the most relevant 45 report requests on Scott’s behalf, waited 30 days to account for stragglers, and now we’ve got mail!
KELLY: Our valiant credit volunteer, Scott, came into our studio with piles of mail in hand, excited to finally figure out what these agencies are saying about him!
KELLY: Okay, so there’s a lot of stacks here….it’s gigantic…..
KELLY: All in all, we heard back from 30 companies out of the 45 we sent!
Of those 30, 11 responded but didn’t give us a report. Some said they “couldn’t find a report” on Scott:
SCOTT: The the agency said that they didn’t have information on me or….
KELLY: Which according to Joel either means they don’t have info on him, or they have info, but just haven’t been asked by a company to establish a file on him
SCOTT:...unable to locate any record of PeopleFax having ever established a file on the above named individual within the last two years…
KELLY: Or they had excuses for why we didn’t do it right, so they didn’t have to tell us the info they have on Scott:
KELLY: Um returning said form for your signature since we do not accept electronic signatures...interesting
KELLY: So our aspirational Scrooge McDuck pool of reports went from hundreds, to 45, to 19 reports, here in Scott’s hands, that he had no idea existed before this.
KELLY: Okay so these are the actual reports right?
SCOTT: I have not looked at any of these, though, as far as what’s in them--
KELLY: We dove in! Scott expected there to be information out there on him, but was shocked at how specific it got -
SCOTT: It literally says how many hours I worked each pay period. <Kelly laughter> And then what I was paid for that and what--gross and what I was paid net. This is probably the most irksome thing I’ve seen yet.
KELLY: And they had information that he thought was supposed to be a secret -
SCOTT: It does have my account number here and my routing number, I hope that this is not the same report that a third party would get.
KELLY PU: While there’s a lot of creepy, but accurate info out there, Scott was shocked at how inaccurate other reports were:
SCOTT: It has four addresses. One of which is my brother’s. I’ve never lived there.
KELLY: And when we thought we’d seen it all…..
SCOTT: No data... I kinda wanted there to be so we could have sort of that wow moment.
KELLY: We came across some new information on Scott….
SCOTT: So it shows here that I have been convicted of a felony. I pled guilty, uh in Las Vegas of course, uh for trafficking in controlled substance. <Kelly gasps>
KELLY: How was your time in prison, Scott?
SCOTT: You know, it was rough.
KELLY: Oh my gosh.
SCOTT: Now that takes the cake as the most violating thing that I’ve seen.
SCOTT: I promise I’ve never committed a felony, guys.
KELLY: We believe you.
KELLY: But would a potential employer believe him, if they got that report?
SCOTT: Rather than asking me about it, just dismiss me as an applicant and then I never know why.
KELLY: Their mess up costs them nothing, but could cost Scott everything.
SCOTT: Now I’m gonna contact backgroundchecks.com and say hey can you take this off my record so it doesn’t come up.
KELLY: Good thing we have a super knowledgeable credit lawyer at our disposal. Next week we’ll talk about what we can do when these companies screw up.
Stay tuned for the last episode of Breach season 2!
ALIA: We’re back. I’m Alia.
BOB: And I’m Bob.
ALIA: This is the aftermath of the Equifax breach, a little revolution taking place in small claims courts across the country. Bob, I spoke with another person who took Equifax to small claims court, only he had a very different experience than Jessamyn - Christian Haigh:
CHRISTIAN: I'm Christian Haigh and I'm based in San Francisco.
ALIA: He works at a company called Legalist which is a litigation finance company - essentially they help plaintiffs who can’t afford their legal fees get their day in court. So he’s all about people having their day in court. His day in court started similar to Jessamyn’s, though his courthouse is slightly less “cutie poo” -
CHRISTIAN: The San Francisco Superior Court.
ALIA: He fills out the form, pays the $90 fee, shows up at the courthouse: and it’s him against an Equifax representative. They’re here to basically argue two things - damages and liabilities. Damages are costs that he incurred as a result of the breach. And liability is proving the connection between those damages and the Equifax breach itself. (That these costs wouldn’t have happened without this breach.)
CHRISTIAN: And so the liability was fairly straightforward to prove.
ALIA: In fact, the Equifax rep didn’t even dispute the fact that they were liable -
CHRISTIAN: What they did dispute was whether there were any damages.
ALIA: To prove he’d incurred costs because of the breach, Christian does something smart. He brought in his receipt for Lifelock, which he had bought for $30 per month -
CHRISTIAN: And then I made the argument that I would not only have to pay for $30 a month this month, but I'd have to pay for it for the rest of my life.
ALIA: Which totals to $8,000. So the Equifax representative responds -
CHRISTIAN: Sure, you know, we admit liability, but there are no damages and the fact that he pays for Lifelock, I mean, that's his choice.
ALIA: Because they’d so graciously offered their own free credit monitoring after the breach -
ALIA: And what did you think about that?
CHRISTIAN: Well, I mean I had already had my data entrusted to them once. And they had messed up a severely,
ALIA: So he wasn’t about to trust their negligent nonsense this time. The judge sees things his way, and he’s awarded the $8,000! Then -
CHRISTIAN: After that Equifax, then appealed the judgment
ALIA: So he has to go back and do it all over again! Now in the State of California you can’t bring lawyers to small claims court - But when a small claims court case is *appealed* you CAN bring attorneys -
CHRISTIAN: And so guess what. Equifax brought three attorneys.
ALIA: The Vice President of the Legal Department, their General Counsel, and a lawyer from one of the top hundred law firms in the country.
CHRISTIAN: It was essentially a legal team that was designed to crush me. They send three attorneys who will probably um be charging thousands of dollars an hour just to stop me from, um getting the award of $8,000
ALIA: And these big-whig lawyers cross-examine Christian -
CHRISTIAN: And they used some fairly odd tactics that were designed to put me off guard.
ALIA: Christian said they were doing this weird tactic where they’d make a big to-do about shuffling around all the papers and saying there were just too many, they couldn’t tell which page represented which exhibit, that kind of thing. He felt they were really aggressive, and says they attempted to confuse everything. But it was clear these big-whig lawyers didn’t know how to operate in a small-claims setting.
CHRISTIAN: They were asking that, um things that I said should be stricken from the record. Even though there wasn't a record being taken during the case.
ALIA: That's really funny,
CHRISTIAN: Right. It was just really strange and you sort of mention it and then they're like, wait, what?
ALIA: They just didn't know. They'd never been to this kind of rodeo before.
ALIA: The lawyers eventually have some success arguing against him on a technicality - (they quibble over something Christian didn’t completely fill out on the form) - the judge doesn’t award him his full $8000 - but he still proves that he had damages -
CHRISTIAN: --and was awarded $5,400 ultimately.
ALIA: Equifax - congrats. You got that $2,600 back. Which would probably pay for - I don’t know, a couple meals for the lawyers? If they like nice foods and wines and beverages?
BOB: One hour of three lawyers?
ALIA: Whoa. Yeah. But for Christian, like Jessamyn, all of this was in service of proving a really important point: This is a Fortune 500 Company with hundreds of millions of people’s data in their hands.
CHRISTIAN: These people are not too big that you can't have justice. And so what I wanted to do was to share my story and have my day in court so that then I could share with other people how they could also have their day in court.
ALIA: Both Jessamyn and Christian have written about their experiences in small claims court. We’ll post links in our show notes, if you want to follow in their footsteps and learn from their processes.
CHRISTIAN: The only way that you make sure that you don’t get your story heard is to not do anything.
ALIA: Listening to all this I’m really inspired. Like, getting to tell your own story is incredibly therapeutic. Elected officials making Rick Smith answer their questions (even when he doesn’t have super great answers) is really cathartic. And people like Jessamyn and Christian going to small claims court and standing in front of a judge, like David and Goliath, and saying - hey this giant company, Equifax, they don’t get to do this to me! And I’ve incurred damages because of them -look, look here! …Like that seems really validating.
BOB: Yeah, it’s validating - but it’s more than validating, there’s actually a result, right? Small claims court is a fantastic place for people who, who want to do more than just yell and stomp their feet. They want to actually take action and and get some money out of it.
And I think that complaining is like voting - if you don’t vote, then you take the shitty result that you get. And if you don’t complain, then companies just get away with this stuff. So I just love them and I love that they did this. These issues are not just about like an annoying bout of identity theft, or a perhaps frustrating afternoon at a small claims court. They’re really issues of how we want to make our society.
ALIA: But what about large-scale action? If these proposed laws we talked about today don’t get passed - where could a giant wave of justice for us and accountability for Equifax come from?
Next week we talk to someone who is taking things a huge step further than small claims court, and is leading a class action lawsuit -
CATHERINE: I want to fight for people to realize that data privacy - it is our life.
ALIA PU: And we’ll check in with some more experts on the great murder mystery of our privacy. Is there maybe a heartbeat? What could be a reasonable hope for our futures?
BOB: Next week on Breach.
ALIA: Brought to you by Carbonite, how businesses protect their data.
Breach is a branded podcast brought to you by Carbonite in partnership with Midroll and Spoke Media. You can find transcripts and show notes at carbonite.com/breach
If Cyber Security reporting were operating at the fictional Seattle Grace Hospital - Bob would be the esteemed Derek Sheppard, and I would be the ambitious, up-and-coming Christina Yang.
Be a McDream and head to Apple Podcasts and rate and review our show! It helps people find us!
Our show is executive produced by me Alia Tavakolian,
and produced and written by Janielle Kastner aka “Producer Jan”.
With Associate Producer Caroline Hamilton, and Production Assistant Kelly Kolff. Research from Haley Nelson.
When Bob and I are in the studio we’re recorded by Casey Holford and Jared O’Connell . Today’s episode was mixed and sound designed by Evan Arnett.
Our head of Post-Production is Will Short.
The songs you hear come from APM Music and First Com.
Our executive producer is Keith Reynolds, who’s less into Grey’s Anatomy, and more of a Scandal man himself.
Special thanks to the folks you heard today: Mike Litt, Jessamyn West, Christian Haigh, and Catherine Fleming.
And thanks to our patient Credit Report Volunteer: Scott Mosher, and Joel Winston, for his badass Credit-Report-hunting advice.
Thanks for listening!
Episode 5 of Breach Season 2 digs deeper into the aftermath of the breach. This episode examines the congressional hearing following the breach, what was done to hold Equifax accountable, and what you can do to hold them accountable now. You’ll also learn about the political theater surrounding the hearing and whether it actually accomplished anything.
You’ll hear some of the toughest (and angriest) questions from members of Congress on both sides of the aisle, more of CEO Rick Smith’s testimony, including how he avoided or redirected many of the most challenging questions, and some of the most ridiculous moments from the hearings. Additionally, you’ll hear about legislation that was proposed and passed as a result of the Equifax breach. Finally, you’ll hear from consumers like you that sued Equifax to hold them accountable.
Beyond the Breach: S2, Ep5: Small Claims
Large data breaches can be really disheartening, because it feels like there’s nothing you can do about them. In this episode of Beyond the Breach, Alia discusses two people that took Equifax to small claims court in the aftermath of the breach and how inspired she was by their actions.
- Episode 0—A new investigative podcast: Breach - Breach podcast - Trailer
- Episode 1—Caution: Falling rocks - Breach podcast - Episode 1
- Episode 2—Goodbye from Yahoo! - Breach podcast - Episode 2
- Episode 3—Good morning, dark web - Breach podcast - Episode 3
- Episode 4—Which Russia hack? Part 1 - Breach podcast - Episode 4A
- Episode 5—Which Russia hack? Part 2 - Breach podcast - Episode 4B
- Breach—Election special - Breach podcast - Special episode
- Season 2 - Coming March 4 - Breach season 2 trailer
- Equifax Data Breach: The Motherlode - Breach podcast - S2 Episode 1
- Equifax Data Breach: The Product - Breach podcast - S2 Episode 2
- Equifax Data Breach: What Went Wrong - Breach podcast - S2 Episode 3
- Equifax Data Breach: The Response - Breach podcast - S2 Episode 4
- Equifax Data Breach: Justice? - Breach podcast - S2 Episode 5
- Equifax Data Breach: Is Privacy Dead - Breach podcast - S2 Episode 6