How Much Will Equifax Pay?

A law that protects consumers’ data was written before the age of hacking.

When a credit card is lost or stolen—or if the number gets exposed in a data theft—federal law makes it a pretty painless experience for consumers. Credit card holders are on the hook for no more than $50 if any fraudulent charges are made; debit card users have similar caps on losses as long as a problem is reported promptly. The account number is changed, a new card is sent in the mail, and life goes on.

Contrast that with the confusing mess consumers were left to sort out when hackers broke into credit reporting company Equifax Inc. and stole the personal identification information, including Social Security numbers, of almost half the American population. The incident left 145.5 million people facing a lifetime of higher risk for identity theft. Equifax offered free credit monitoring from its own service for a year. But the question of monetary compensation is still up in the air.

It’s likely to be worked out in class-action litigation. Because the Equifax breach affected such a huge number of people and compromised some of their most sensitive data—thieves can use Social Security numbers to open accounts in someone’s name—legal experts predict a fierce fight, with plaintiffs likely to demand settlement figures in the billions of dollars. “You’re talking about the biggest breach in history,” says Nathan Taylor, a cybersecurity lawyer with Morrison Foerster in Washington, who represents companies involved in high-profile data breaches.

If history is a guide, as Taylor predicts it will be, the final recovery may end up being rather less—perhaps $1 a head once legal fees are paid. Health insurer Anthem Inc. set that benchmark in June when it agreed to pay a record $115 million over a breach that affected 78.8 million people and also compromised Social Security numbers. Even if Equifax were to settle for more than $200 million, with almost twice as many victims as in the Anthem case, that could still be less than the company’s profit for the most recent two quarters. Equifax declined to comment on pending litigation but said it’s focused on helping consumers “to navigate this situation and providing the best customer support possible.”

Serious settlement talks aren’t likely before both sides have investigated the evidence and tried out some of their legal arguments in court. Plaintiffs’ attorneys are likely to say this breach stands apart from earlier ones. “If anybody who’s collecting data should have state-of-the-art security practices, it’s these guys,” says Tina Wolfson, an attorney with Ahdoot & Wolfson in Los Angeles who filed two of the 240 consumer class actions against Equifax. When consumer lawyers try to negotiate a deal, however, they may find that a once-promising line of legal attack has been closed to them. The federal law that’s meant to hold companies such as Equifax and its rivals Experian Plc and TransUnion LLC accountable predates the internet and wasn’t created with mass data breaches in mind.

The 1970 Fair Credit Reporting Act, signed by President Richard Nixon, says credit reporting companies may not furnish consumer data to unauthorized third parties and offers a remedy of as much as $1,000 for every affected consumer. It doesn’t require proof of identity theft or any out-of-pocket losses. In theory, that could be helpful to plaintiffs, because a big hurdle in data breach cases is showing how much consumers were harmed. Although lost data can leave many people at risk and forced to take precautions, it may prove harder to link it to identity thefts.

But courts have repeatedly found that the FCRA doesn’t apply to data breaches because of the wording in the statute. That word “furnish” led a Los Angeles judge in December to dismiss FCRA-based claims against Experian after a 2015 data breach for failing to protect 15 million consumers whose personal information was hacked. “Although victims of theft might be the ‘source’ of the stolen goods, saying that the victims are furnishing their goods to a thief is counterintuitive,” the judge wrote.

For Anita Taff-Rice, a California lawyer who specializes in technology and privacy, it’s maddening that companies that were never asked by consumers to gather their data could escape liability for such massive failures under the very law enacted to regulate them. Yet she agrees it’s a stretch to bend the “antiquated language” of the FCRA to fit a world in which hackers prey on the “modern reality of everything being interconnected by the internet.”

Taff-Rice says the public would be better off if credit bureaus faced some kind of automatic liability when consumer data fall into the wrong hands. That’s similar to what the Fair Credit Billing Act does in limiting a consumer’s liability for credit card fraud to $50. “If you have a requirement like this, I believe the credit reporting bureaus will do substantially more to protect your information,” Taff-Rice says. To Francis Creighton, president of the Consumer Data Industry Association, that’s a nonstarter because it singles out the credit bureaus his trade group represents. “This isn’t just a credit bureau problem, it’s a national problem of how we deal with breaches,” he says.

Wolfson, who is also one of the lead lawyers for consumers in the Experian case, notes that the December ruling didn’t bar her clients from pursuing remedies under various state-level cybersecurity statutes and the common law of negligence. (Experian declined to comment on pending litigation.) Wolfson also says that in future cases, a judge may be convinced that FCRA penalties do apply when credit bureaus fail to safeguard information from hackers if the circumstances are egregious enough. “It’s applying an old law to new facts, but laws are written to adapt to changing times,” she says.

A decision on whether the FCRA claims can move forward in the Equifax litigation is months away. Taylor doubts a judge will throw them out early in such a big case. “The company isn’t going to completely avoid litigation because of something that people would characterize as a technicality,” he says. —With Edvard Pettersson

    BOTTOM LINE - A federal law makes credit agencies liable if they don’t keep data private. But lawyers might find it hard to apply it to cases of theft.