When consumers get hacked, what’s the harm? Judge tells Equifax he wants to find out, OK’s lawsuit

Just how do victims of a massive data breach prove they were harmed — and how is that harm calculated so the victims might be compensated through a lawsuit? That’s been one of the central legal questions facing the millions of consumers who have their privacy violated every year through data loss or theft. It’s far from settled law. For years, companies have argued that data breach victims can’t prove they were harmed by the incident, so they aren’t owed compensation.  ID theft victims often can’t really prove how imposters stole their data; and when critical personal information like Social Security numbers are stolen, ID theft that might happen in the future is merely “speculative.”

Those positions frustrate victims, who often spend months dealing with the fallout from a hack, and end with only a vague offer of free credit monitoring to show for it.

That might change soon. Lawsuits filed against credit bureau Equifax after its massive 2017 hacking incident might finally provide some real guidance, and perhaps offer victims real justice.

Consumers should have the chance to ask a jury whether they were genuinely harmed by the massive Equifax hack, a federal judge in Atlanta ruled this week. In the ruling, Judge Thomas Thrash Jr. denied Equifax’s motion for dismissal against plaintiffs who’ve joined together in a class action lawsuit against the firm.

The judge had harsh words for Equifax,  warning at one point “that Equifax’s cybersecurity systems remain inadequate, and another breach is imminent,” according to Law.com.

Equifax has argued that victim consumers have suffered no harm as a result of the hack, and contend that their claims amount to “speculative future harm.” According to Law.com:

Thrash disagreed. “The plaintiffs here have alleged that they have been harmed by having to take measures to combat the risk of identity theft, by identity theft that has already occurred to some members of the class, by expending time and effort to monitor their credit and identity, and that they all face a serious and imminent risk of fraud and identity theft due to the data breach,” Thrash said.

Thrash also was unimpressed by defense arguments that the plaintiffs could not demonstrate that allegations of identity theft or credit or debit card fraud could be traced back to Equifax, which was one of more than 1,500 data breaches the company’s attorneys said occurred in 2017 alone.

“The plaintiffs plausibly allege that Equifax had custody of their personally identifiable information, that Equifax’s systems were hacked, that these hackers obtained this personal information, and that as a result of this breach, they have become the victims of identity theft and other fraudulent activity,” the judge determined.

There’s still a long way to go for Equifax to be forced to pay consumers for the unnecessary time and energy they expended as the result of the hack, and any future harm that may result from it.  But at least there’s a chance the arguments will be heard in a court of law — though many companies decide to settle such cases after they lose at the motion to dismiss round. Given the sheer size of this hack, and the size of a potential settlement, perhaps this one has a chance to make it to trial. That would be positive  Digital harm is real harm, and precedent-setting case law affirming that would be good.




Don’t miss a post. Sign up for my newsletter

About Bob Sullivan 1483 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

1 Comment

  1. Hi, Just got my identity stolen. Evil doer tried to transfer a 14k balance from their credit cart to my credit card. Perpetrator had all my account info, SSN, address and phone info, age – and spoofed his phone so he was calling from my cell phone number. What’s the harm? Four hours just to work with the credit card company and Equifax. More time this week to put alerts on cards, notify bank accounts, change direct deposits, etc. Then account reviews to look for other issues. This is going to easily be a couple of weeks of effort and more spread over the rest of the year. If you do the map it will work out to 75% of your monthly salary. If Equifax and it lawyers think that is not significant – ask them to donate 75% of next months salary to charity and see how they feel… Equifax and the other two credit companies should be the gold-standard of security. They have people’s complete and total documented identity.


Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.