Dear Equifax – Your actions and conduct tell us that the only thing you really care about is making more money. You would love for us to forget your negligent handling and safeguarding of consumer and business customer data. Over the weekend, one of the main topics of conversation that I kept hearing was about the Equifax data breach and Equifax’s absurd response to the breach. People were infuriated because–not only did Equifax screw them by failing to protect their sensitive data– but Equifax is now screwing them again with its abysmal response to one of the country’s most horrendous data breaches of its kind. Post-breach, Equifax rubbed salt into the wounds of the many millions whose Personally Identifiable Information (PII) was compromised by promoting its own identity theft services. Yes – you got that right: Equifax has the nerve to profit from its own negligence.
Many of the folks who complained to me about Equifax didn’t realize that I was about to file a class action lawsuit. What they couldn’t understand was how this multibillion-dollar company could be so negligent and reckless with their valuable Personally Identifiable Information. After all, shouldn’t this company have done more, given that it has over a $12 billion market cap and that it is specifically in the business of the use, collection, and brokering of “trusted unique data, innovative analytics, technology and industry expertise to power organizations and individuals around the world by transforming knowledge into insights that help make more informed business and personal decisions” (Equifax’s own description of itself)? They just knew that I had already sued Anthem for their massive healthcare data breach, and they were dying to know what I might do about Equifax’s data breach.
My short reply to all of these incredibly frustrated consumers and business owners: Equifax’s actions seem to tell us that they care more about making more money and not much else. Why else would they send millions of panic-stricken people to their breach incident site, which didn’t even have the proper security in place? Any diligent and skeptical visitor who researched the site would have found that it wasn’t even registered to Equifax until some time late yesterday.
Of all companies, Equifax should have made the security of its database its top priority. But rather, it seems more interested in giving a free 12-month trial of their credit monitoring service. BTW: If you agree to this service, know that you’ll waive your right to sue them. Read more about it in the attached Class Action complaint, which I filed earlier this a.m.
Do you think that a “free” 12 month trial offer for credit monitoring and “identity theft insurance” is enough, after all that Equifax has done to allow bad actors to access your detailed PII? I hope not. If you are interested in joining other consumers and business owners to hold one of the country’s largest credit reporting bureaus accountable for its negligence and deceptive business practices, please contact my firm, Stritmatter Kessler.
Corporations love to demonize class action lawyers. Guess why? You can likely figure this out on your own, but I’ll spell it out here: Because a class action lawsuit is one of the most powerful tools that consumers have to make corporations accountable for their negligence. But the media doesn’t like to focus on the topic of class actions much because it’s not easy to digest via 10-second sound bites. Thus, witness another week of breathtaking, frenzied stories about the Trump administration. Reporters and talking heads gravitated to discussions about the abrupt departure of Flynn and Trump’s 77 minute presser. Meanwhile, a majority in the House worked in concert to destroy consumers’ most powerful tool to hold corporations accountable. That’s right, this past Wednesday the House Judiciary Committee voted on party lines to gut consumer protection class actions.
Interestingly, the corporate lobbyists’ anti-class-action talking points are eerily similar to the proposed “Fairness in Class Action Litigation Act of 2017,” introduced last week in the House of Representatives. Coincidence? Of course not.
Most of the proposed procedural rule changes in Representative Bob Goodlatte’s bill are directly traceable to the business lobby’s anti-class-action talking points. Goodlatte, a Virginia Republican and chair of the House Judiciary Committee, is seizing on the corporate-friendly climate. He’s expanded last year’s proposed changes in a similarly named bill that was approved in the House but died in the Senate. If Congress adopts Goodlatte’s bill in anything like its current form, class actions will lose much of their potency.
The bill will make it much more difficult for class actions to survive the most critical milestone–certification. And, for those class actions that would survive, the bill would make those automatically appealable. Moreover, the bill seeks to strip away attorneys’ fees so that fewer plaintiffs’ attorneys will pursue these.
Most consumers think that class actions are big, nebulous things that have little to do with their lives. But if you talk to regular people such as my class action clients, you’ll realize that Congress needs to stop trying to strike fatal blows to this important vehicle for justice. Like my clients, consumers throughout this country need class action attorneys to fight for them because they can’t or don’t want to spend thousands of dollars and countless hours to fight a giant corporation. My class action clients are like your neighbors, your relatives, your colleagues, and your friends. They are Republicans, Democrats, and Independents. But, for them and for me, these lawsuits are not about politics. It’s about trying to hold a massive company accountable, when an individual consumer is wronged.
We all know that corporations are focused on maximizing profits. To maximize profits, these companies will cut corners, which often results in harm to consumers. When a consumer finds that they have a defective product or that their most private information has caused significant harm to them and their bank accounts, they are not sure who will go to bat for them. This is why class action attorneys play a critical role in leveling the field for the citizen who’s suffered injury because a manufacturer used shoddy material, security or processes.
Please, email/call/write your representatives and let them know that they represent your interests–not the corporations who’ve donated tens of thousands of dollars to their campaign.
For consumer class action attorneys like myself, we can continue to count our blessings for the moment. Indeed, a number of courts across the country continue to make commonsense and carefully crafted opinions that confer Art III standing for statutory damages claims.
I have much faith in the Ninth Circuit Court of Appeals. The panel just heard oral arguments, as the U.S. Supreme Court had remanded Spokeo (back on Dec. 13th). The 9th Cir.’s new challenge is to tackle the concreteness requirement with newfound gusto. Judge O’Scannlain found it difficult to move past her view that Mr. Robins’s allegations (the resulting inability to find work because of a grossly incorrect report about him) were ostensibly sufficiently concrete, tangible harm. However, Counsel for Plaintiff, William Consovoy, kept focus on the issue that the Spokeo court harped on: Defendant was making this about an apparently intangible harm that has yet to run through the rigors of a concreteness test such as the one that Alito pieced apart in his majority opinion…
Well, hang tight, as the panel will render its decision in the early portion of next year. From that, we’ll get more guidance about what that court thinks is needed to satisfy Art. III standing requirements…
We have some phenomenal judges, such as Judge Lucy Koh in the N.D. of CA in the 9th Circuit. She recently decided the Matera v. Google case, which laid out a clear, incredibly thoroughly reasoned opinion indicating why specific allegations are substantive violations. As such, these violations give rise to sufficiently concrete and particular injuries in fact. Stay tuned for a more detailed analysis of her 9/23/16 order. I hope to write more about that case here as I reflect on the year’s developments in privacy law.
I will also write more about a couple of recent cases out of the E.D. Va., including my insights regarding Thomas v. FTS, which lays out some strong arguments that a statutory damages class action attorney may want to crib. A fun but rocky ride ahead of us is guaranteed…
If you haven’t heard by now, the internet was under attack thanks to insecure “internet of things” (IoT) devices. The weapon of choice was the Mirai botnet, which brought well-known sites like CNN, Netflix, Twitter, etc. to a grinding halt. But how exactly did insecure IoT devices help bring about the largest cyberattack to date experienced in the Western hemisphere?
The source of the outage was a distributed denial of service (DDoS) attack, which leveraged a network of IoT devices infected with special malware, known as a “botnet”. The botnet was orchestrated to bombard a server with traffic until it collapsed under the strain. The IoT devices included Xerox, Panasonic and Samsung printers, as well as an array of Chinese-manufactured closed-circuit TVs, DVRs, etc.
Botnets are not new, unfortunately. But a botnet comprised of IoTs is what makes last week’s massive DDoS jaw dropping and terrifying. Why should you or anyone care, especially if technology is not in your wheelhouse? Think of finding out that your garage has served as shelter for a terrorist, who is part of a much larger cell, ready to take down half the country. The terrorist was able to get into your garage easily because you don’t secure it. Guess what? You’re one of the most vulnerable targets if the attack goes down.
Now, bring this back to the IoT framework. Many households are moving toward a connected, IoT world–from refrigerators and thermostats to security systems and security cameras. When everything goes smoothly, we forget how much we rely on our IoT devices. It’s only when they’re compromised that we realize that we may have a big problem.
The crux of the data security challenge that faces us all is that the Mirai botnet revealed how vulnerable we are because of insecure IoTs. The Mirai attack exploited 100,000 connected devices or “malicious endpoints,” which resulted in an epic attack of 1.2 terabytes/second. Your DVR or closed-circuit camera may have served as an unwitting accomplice in the now legendary DDoS attack.
Usually, when I hear about thousands of employees getting fired, my heart goes out to them. But when I learned about the recent firing of 5300 Wells Fargo employees, I wondered whether losing a job was a harsh enough consequence for unauthorized use of consumers’ personal information. After all, these WF employees opened up accounts that resulted in NSF/overdraft fines, fines from third party vendors (who may have billed via autopay), etc.
According to the CFPB, “Wells Fargo employees secretly opened unauthorized accounts to hit sales targets and receive bonuses.” A client had approached me several months ago, wondering why her accounts were multiplying without her recollection of signing any paperwork. Today’s CFPB press release clears up the mystery. Below is an excerpt.
Wells Fargo’s violations include:
- Opening deposit accounts and transferring funds without authorization: According to the bank’s own analysis, employees opened roughly 1.5 million deposit accounts that may not have been authorized by consumers. Employees then transferred funds from consumers’ authorized accounts to temporarily fund the new, unauthorized accounts. This widespread practice gave the employees credit for opening the new accounts, allowing them to earn additional compensation and to meet the bank’s sales goals. Consumers, in turn, were sometimes harmed because the bank charged them for insufficient funds or overdraft fees because the money was not in their original accounts.
- Applying for credit card accounts without authorization: According to the bank’s own analysis, Wells Fargo employees applied for roughly 565,000 credit card accounts that may not have been authorized by consumers. On those unauthorized credit cards, many consumers incurred annual fees, as well as associated finance or interest charges and other fees.
- Issuing and activating debit cards without authorization: Wells Fargo employees requested and issued debit cards without consumers’ knowledge or consent, going so far as to create PINs without telling consumers.
- Creating phony email addresses to enroll consumers in online-banking services: Wells Fargo employees created phony email addresses not belonging to consumers to enroll them in online-banking services without their knowledge or consent.
For anyone wondering how the CFPB helps consumers, this action against Wells Fargo’s deceptive acts should help illuminate the importance of this agency’s work.
In Joan Longenecker-Wells v. Benecard Services, Inc., plaintiffs were employees who learned that their personal information, including date of birth, social security number, addresses, etc., had been compromised, which resulted in fraudulently filed tax returns. The Third Circuit dismissed the Plaintiffs’ claims, stating that their negligence claims were barred by the economic loss doctrine. The Third Circuit explains:
The District Court held that because Plaintiffs’ negligence claim sounds only in economic loss resulting from the fraudulent tax returns filed with their information, the economic loss doctrine bars their claim. We agree.
Food for thought. Eh? Can we say that a plaintiff who experiences this grave injustice of losing the benefit of a 5-figure tax return is only sustaining economic loss? I would think that the experience is emotionally draining if not traumatic to know that a fraudster has exploited your key identifying data to extract money that was owed to you.
In contrast, we have Taylor v. Spherion Staffing LLC, et al. No. 3:15-cv-2299 (N.D. Ohio 2015); Ernst v. Dish Network, LLC, et al. No. 1:12-cv-8794 (S.D.N.Y. May 27, 2016); and Hillson et al. v. Kelly Services, No. 2:15-cv-10803 (E.D. Mich. June 8, 2016). These cases settled and involved allegations of statutory violations. Keep in mind that Spokeo left open the possibility that a statutory violation may involve a sufficient risk of harm to satisfy the concreteness requirement. Thus, settlement may have presented a more attractive alternative than extended litigation about the sufficiency of alleged harms.
Note: This blog post is republished from my Privacy Law Diva blog.
Today, January 28, 2016, is Data Privacy Day. Big deal? It actually is: The first Data Privacy Day that occurred in the United States and Canada was in 2008, which was observed as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the Jan. 28, 1981 signing of Convention 108, which was the first legally binding international treaty dealing with privacy and data protection.
Now led by the National Cyber Security Alliance (NCSA), Data Privacy Day has become the signature event promoting privacy awareness. Without committed defenders of privacy, like the Electronic Frontier Foundation, we would not have seen a complaint filed with the FTC against Google for unauthorized collection of school-aged children’s information, when they are using Google Apps and Chromebooks in their schools. Google’s unauthorized collection of personal information from school children via Chromebooks and Google Apps for Education (GAFE) caught the attention of Senator Al Franken, a ranking member of the Senate Judiciary Subcommittee on Privacy, Technology and the Law. Franken responded by writing a letter to Google CEO Sundar Pichai asking for information about GAFE’s privacy practices.
The first step to ensure that our student privacy campaign succeeds is to educate ourselves as parents. This way, we can direct our energy and knowledge effectively. On this Data Privacy Day, take the time to check out the resources that the Electronic Frontier Foundation compiled to regain control of your children’s privacy. Please spread the word about student privacy by sharing these and similar resources with other parents!
I can’t emphasize enough how important it is that parents understand their and their children’s rights. We live in a world where parents may be asked by schools to waive those rights before their youngsters are permitted to use technology in the classroom. Third parties will too often encourage parents to give schools consent to release their children’s information to those very third parties.
Interested in becoming part of the “privacy defender team?” There are many ways in which you can get involved.
- Create a culture of privacy at your organization.
- Own your personal online presence.
- Share your privacy knowledge with your local communities.
- Attend a Data Privacy Day event.
- Become a Data Privacy Day Champion.
NOTE: This blog post is republished from my PrivacyLawDiva blog post.
Today, according to WA State AG Bob Ferguson, about 330,000 Washington residents are among the 15 million people affected by the cyberattack on T-Mobile US data at credit-services company Experian. If you are a Washington State resident and victim of the T-Mobile/Experian data breach, please contact Catherine@Stritmatter.com. We are currently investigating a class action lawsuit against Experian.
WA AG Ferguson urges T-Mobile customers “…to take immediate steps to determine whether you have been a victim of ID theft, and to protect your information going forward,” he said in a statement offering advice to affected consumers.
According to T-Mobile and the credit-reporting company Experian, the breach compromised data that was used by T-Mobile to run credit checks of individuals who applied for T-Mobile services from Sept. 1, 2013, through Sept. 16, 2015. Unauthorized access was gained to Experian’s servers, exposing data including name, address, birthdate, Social Security number, other ID numbers (such as driver’s license, military ID, or passport numbers), and additional information used in T-Mobile’s credit assessment. An estimated 15 million consumers nationwide may have had their data compromised. Experian plans to notify affected consumers.
The Attorney General’s Office offers affected consumers the following advice to guard against identity theft.
- Monitor your credit reports. You are entitled to one free credit report every 12 months from each of the three nationwide credit bureaus (Equifax, Experian and TransUnion). You can request one free report from a different bureau every four months to monitor throughout the year.
- Consider placing a “fraud alert” with each of the three credit bureaus. An alert does not block potential new credit, but places a comment on your history. Creditors should contact you prior to opening a new account.
- Consider placing a “security freeze” with each of the three credit bureaus to prohibit the release of any information from your reports. A security freeze can help prevent identity theft since most businesses will not open credit accounts without checking a consumer’s credit history first. This increases the likelihood that if an ID thief tries to open a new account under your name, they will be denied.
- Beware of unsolicited calls or emails offering credit monitoring or identity theft services. Consumers should never provide their Social Security number, credit card numbers or other personal information in response to unsolicited emails or calls.
If you find unexplained activity on your credit reports, or if you believe you are the victim of identity theft, check these resources for information on steps you can take to protect yourself.
- Review the Attorney General’s ID theft website.
- Review the Federal Trade Commission’s ID theft website.
EARLIER THIS YEAR, news of massive data breaches of Premera and Anthem felt like a one-two punch to many of us focused on protecting consumers. I got a lot of questions from clients and other attorneys, including “What can I do to protect my identity?” and “Should I sign up for any of those ID theft guards like LifeLock?” My responses to these questions are not simple. We can learn to guard against ID theft by remaining vigilant about our credit reports, credit card statements, bank statements, and the like. Sure, if one wants to delegate this responsibility to a third party, then be prepared for disappointment.
The story of LifeLock’s last several years is a great example of why it’s not wise to leave the security of our ID to a turn-key operator. Some are astounded to find that the company claiming to provide ID theft guard solutions to consumers and businesses has failed in some key respects according to the FTC.
Customers of ID theft-protection firm Lifelock who expected the company to monitor their identities after their data was stolen in a breach were in for a surprise. It turns out Lifelock failed to properly secure their data. Ugh.
According to a complaint filed in court in late July 2015 by the Federal Trade Commission, Lifelock has failed to adhere to a 2010 order and settlement that required the company to establish and maintain a comprehensive security program to protect sensitive personal data users entrust to the company as part of its identity-theft protection service.
Wow. What a strange twist of irony: After all, Lifelock touts itself as the solution to companies that experience data breaches and urges them to offer a complimentary Lifelock subscription to people whose data has been compromised in a breach. To properly monitor victims’ credit accounts to protect them against ID theft, Lifelock requires a wealth of sensitive data, including names and addresses, birth dates, Social Security numbers, and bank card information.
Protecting that data should be a primary concern to Lifelock, particularly in light of the fact that many of its customers have already been victims of a breach. But the FTC found in 2010 that the company had failed to provide “reasonable and appropriate security to prevent unauthorized access to personal information stored on its corporate network,” either in transit through its network, stored in a database, or transmitted over the internet.
Lifelock had been ordered to remedy that situation, but according to the complaint filed today, it has failed to do so. The complaint is currently sealed, but the previous finding from 2010 provides insight into the company’s security failures.
Lifelock’s CEO was himself a victim of a data breach at least 13 times, btw. Call it karma.
NOTE: If you were/are an Amerigroup/Anthem insured in the State of Washington and received notice of a data breach, we want to talk to you. Please contact me via email at Catherine@Stritmatter.com. Participating in a class action lawsuit against a company that neglected to safeguard your personal information will not affect your ability to qualify for “free” ID protection services offered by Anthem.