At this point, data security and privacy is a meaningless concept. Odds are my info was in that one, but it almost doesn't matter - my info was stolen when OPM was hacked, too. Equifax will do what they always do: pay lip service to "taking it seriously" and then do nothing. Why should they do otherwise? Nothing'll happen to them.
Legal question for you. I heard someone on Twitter saying that the individual has no recourse here, because Equifax has arbitration clauses. That seems odd to me, because who the hell even signs a contract with Equifax? Is it somehow included in credit applications by third parties (e.g. mortgage and credit card companies)? Doesn't quite seem fair to me, since I doubt very many individuals have ever had a chance to vet and sign a direct contract with them, Experion, or TransUnion.
I'm not an expert on this, so take everything I'm about to say with a grain of salt. I'm nonetheless pretty sure that, as always, people on Twitter are off base. It's not about anything like an arbitration clause, and more the simple fact that there's no legal mechanism that creates liability in this situation. Traditional negligence wouldn't apply, and I'm not aware of anything else that would create any kind of liability. Negligence In general, if you want to sue someone for negligence, they're off the hook if the harm actually resulted from a third party's actions, even if the defendant's negligence allowed the third party to cause the harm. This is known as a superseding intervening cause. Such a cause has to be reasonably unforeseeable by the defendant for them to be off the hook, of course. In other words, a third-party's act wouldn't let Equifax off the hook if that act was foreseeable. Note that the specific cause doesn't have to be foreseeable, just the type of harm. This is best illustrated in the infamous Flaming Rat Case that most of us read in law school. The short version is that a guy was cleaning a vending machine with gasoline(!), in a room with an open flame. A rat had apparently taken up residence in the vending machine, and said rat then made a run for it once gasoline started raining down. Unfortunately, the rat's choice of refuge was the heater. It of course caught on fire, then ran back to the original vending machine, which blew up and killed the guy cleaning it. His estate sued the employer for negligence. For our purposes, the important thing is that the appellate court ruled that while the specific facts of the case were doubtless not foreseeable, the general idea that using gasoline near an open flame could result in an explosion was. So that's the general framework. And of course, it would sound like Equifax would be liable, since I don't think it'd be that hard to get a jury to conclude that someone hacking a company like Equifax is foreseeable. But as always, there are exceptions. One of those, and AFAIK all jurisdictions in the US have this to some degree, is that an unlawful or intentionally tortious act is per se not foreseeable. The public policy behind this, as I understand it, is to not allow an intentional actor to get off the hook; it's basically a moral judgment that negligence isn't as "bad" as an intentional act, and we want the person who acts intentionally to be the whole who's punished instead. So for example, someone who spills gasoline in a parking lot may be liable if someone else slips in it, or a spark then ignites it and burns someone. That's all foreseeable. However, if someone comes along and deliberately lights the pool of gasoline for the purposes of hurting someone, the original spiller wouldn't be liable. Turning now to Equifax, this is basically why they're in the clear. Even if they were negligent in terms of data security, someone coming along and stealing from them is an intentional and wrongful act, so Equifax isn't then liable. You'd be left trying to hunt down wherever hacked them. It's a stupid and unjust result, but is a prime example of the law not catching up with technology. Anything Else Since negligence (which is common law, i.e. judge-made) doesn't apply, the only way to make a company liable would be for Congress (or a state legislature) to pass a law creating such liability. HIPAA is a good example of this, since it creates penalties for improperly handling information. That this law was necessary further shows that without a specific statute, there wouldn't be any liability. To my knowledge there aren't any laws about securing the kind of information held by Equifax (or any of the other thousand companies who've been hacked for that matter). Bruce Schneier wrote an essay about this very fact back in 2003, and it's only become more relevant. Corporations can lobby Congress to continue to allow them to be off the hook, and there's no incentive for Congress to do otherwise since We the People are apparently content with the status quo.
Sharing, sure. But you're not agreeing to a hold harmless or arbitration clause. On further reading, it seems that there isn't a blanket arbitration, Equifax has said they will only allow you to see whether your days was compromised if you enter into one. Gray, legally speaking, but who's gonna test that?
There already is a class action suit filed in Oregon against Equifax for this breach, on behalf of 142 million people. So it's being tested. The key to any legal issue is to simply move it to a more friendly court. Consumer rights are MUCH more protected in the 9th Circuit, while RI and DE courts think businesses can do no wrong, for example. "Trust" has been argued to be a commutative property, as well. You trust A, A trusts B, so therefore you trust B. So even if YOU don't personally sign their agreement, you can still be affected by it in disturbing ways.
This is kind of why I sometimes bitterly laugh at privacy/crypto folks. You can take all the precautions you want personally, but massive organizations have TONS of data on you, and they don't take security as seriously as you do.Odds are my info was in that one, but it almost doesn't matter - my info was stolen when OPM was hacked, too.
Yep. In this day and age, the only thing private is the thing you never write down.