Legal Implications of the Equifax Data Breach

Episode Notes

Transcript

Lawyer 2 Lawyer – Law News and Legal Topics

Legal Implications of the Equifax Data Breach

09/29/2017

[Music]

Ben Meiselas: One of the issues that makes the data breach just so significant, I mean we’ve dealt with Yahoo data breach, we’ve dealt with other data breach but here the sole purpose of experience was to keep this data sacrosanct, this personal private data that it obtained through third-party and it utterly failed the public, the business structure of Equifax or a security agency is by definition to secure and keep safe personal information and when that purpose fails there is no second change.

Intro: Welcome to the award-winning podcast Lawyer 2 Lawyer with J. Craig Williams and Robert Ambrogi, bringing you the latest legal news and observations with the leading experts in the legal profession. You are listening to Legal Talk Network.

[Music]

J. Craig Williams: Welcome to Lawyer 2 Lawyer on the Legal Talk Network. I am Craig Williams coming to you from Southern California. I write a legal blog called ‘May it please the court.’

Bob Ambrogi: This is Bob Ambrogi coming to you from out of Massachusetts, where I write a blog called LawSites. I also co-host another Legal Talk Network Show called Law Technology Now along with Monica Bay.

J. Craig Williams: And Bob before we introduce today’s topic we would like to thank our sponsors Clio and Litera.

Clio is cloud-based practice management software that makes it easy for you to manage your law firm from intake to invoice. Try it for free at  HYPERLINK “http://www.clio.com” clio.com.

And Litéra, Litéra is the authority on document creation, collaboration and control. It can increase your productivity, collaborate securely and ensure protection of your vital information. You can learn more at  HYPERLINK “http://www.litera.com” www.litera.com.

Bob Ambrogi: The credit reporting agency Equifax experienced a massive data breach recently exposing the personal and financial data of a 143 million US consumers including Social Security numbers, names, birth dates, addresses, even license numbers.

Originally Equifax reported that the breach occurred sometime from mid-May through July but now reports have surfaced that there could have been breaches as far back as March 2017.

J. Craig Williams: Well Bob today on Lawyer 2 Lawyer, we’re going to discuss this Equifax Breach, what went wrong, the litigation, the potential impact and what customers need to do now if they’ve discovered that there are victims of this breach.

Bob Ambrogi: To help us do that today we have two guests who’ve given a lot of thought to this issue. Let me first introduce a returning guest Andrew Rossow. Drew is an Associate Attorney at Gregory M. Gantt Co. Law firm in Dayton Ohio, where in addition to their general practice, Drew’s passion lies in the areas of cyberspace, law and technology law. Welcome back to Lawyer 2 Lawyer Drew.

Andrew Rossow: Thank you so much for having me. It’s good to be back.

J. Craig Williams: Our next guest is Attorney Ben Meiselas. He is an Associate at Geragos & Geragos, APC. His practice includes personal injury law, civil rights, class actions and complex business disputes. The Geragos Law Firm is leading the class action lawsuit against Equifax. Welcome to the show Ben.

Ben Meiselas: Thanks for having me.

Bob Ambrogi: So Drew give us — just for anybody who hasn’t heard about this. If there’s anybody out there who hasn’t. What happened here?

Andrew Rossow: Sure well for those who haven’t heard Equifax is one of the major three credit bureau agencies in the country that monitors consumers’ identity and private information. Apparently, what happened, is that there was a breach that was going on from between May, June, and July of this past year that was announced to the public only in September and as of recently, as you mentioned, we just found out that the breach may have gone back as far as early as March and what investigation has uncovered thus far is that there was an exploitation of a website program called Apache Struts, which is a framework for web servers that help companies including a lot of fortune 500 corporations to take in and serve up data. And at some point whatever criminal hacker or organization that caused this breach somehow found some sort of vulnerability in this program.

Bob Ambrogi: Wasn’t this a vulnerability that was known to Equifax before it was hacked?

Andrew Rossow: Yes it was and I believe from what reports have said that there was a patch done on some of these possible vulnerabilities as early as the beginning of March and about two to three months later is when the problems started, allegedly.

J. Craig Williams: So is that something that tends to indicate that Apache is more of the issue than Equifax?

Andrew Rossow: I think it’s hard to say but it’s definitely something to consider in a situation like this where you have a program that had some vulnerabilities, patches or updates who are released to hopefully fix those vulnerabilities and then something to this magnitude happens after the fact.

(00:05:09)

Bob Ambrogi: Ben, I think — I think this incident has had a lot of people wondering why is it in the first place that Equifax has all this information about us. I mean I’ve never done business with Equifax, I’ve never authorized Equifax to have any of my information, I have never given them any of my information that I’m aware of, what’s the source of them having all this?

Ben Meiselas: And my view is that the trading in personal identity whether it’s on social media, whether it’s through credit monitoring, agencies and people monitor their credit through Equifax, Experian, TransUnion and others, LifeLock, other third parties that are used and utilized and intended to protect this information in their monitoring of it, in looking up an individual’s credit scores and credit reports, ultimately have to go to these. There is only a handful of them out there.

Experian, Equifax and TransUnion who profit off of this personal data, and one of the issues that makes this data breach just so significant, I mean we’ve dealt with Yahoo data breach, we’ve dealt with other data breach, but here the sole purpose of Experian was to keep this data sacrosanct, this personal private data that it obtained through third parties and it utterly failed the public.

J. Craig Williams: How did they get it? I mean I didn’t give permission to Equifax to have my Social Security number, so who gave it to them, and am I should be worried about whatever third-party gave it to them?

Ben Meiselas: I think you absolutely should be worried about the third parties that give it to them and the third parties include when people run your credit scores at a local level, be it at a car dealership or when you’re seeking loans from a bank and they have to run your credit scores, to when you are monitoring your credit scores from third parties if you have LifeLock.

We hear a lot of people who have LifeLock and other credit monitoring agencies who then contract with Equifax, Experian, TransUnion to monitor to make sure your credit scores are up to snuff. And a lot of the people just feel utterly and totally betrayed by Equifax, because the very issues that they were responsibly monitoring by reaching out to third-party agencies whether it be LifeLock or others that protect your credit, when you make sure that you’re able to buy a house or buy a car and making sure your credit score was ideal, they contracted with Equifax and Experian. And Equifax was a major depository for this information through third parties that you deal with on a day-to-day basis. And people feel utterly betrayed that this party that they didn’t even know had their data isn’t protecting their data.

Bob Ambrogi: Drew, what do we know about what these attackers actually got of our personal information?

Andrew Rossow: Well, as of today almost everything, the names, addresses, date of birth, Social Security numbers, credit card information and in some cases driver’s license numbers. So, almost all the type of personal information as Ben was saying, as you would expect to be kept locked up and away from the average individual or even business.

J. Craig Williams: So how are we able to protect ourselves? I mean it seems like with a number of hacks that have occurred around the world, you can’t really do anything other than require these companies to airlock their data, which is like unplugged from the internet. Is there really a solution that’s safe to protect your data unless there is an airlock?

Andrew Rossow: I think in the digital age that we’re in today, we create our own digital footprint in a sense, and anytime we go online, anytime we pick up our smartphone and browse the Internet, we put a small trace of ourselves or some personal information out there whether we realize it or not, and I think at this stage where we’re in a situation as a conglomerate of consumers is that we need to be smart, we need to better, closely monitor our bank statements, our credit reports and make sure that nothing looks fishy or we’re getting spam calls. I mean there’s a ton of different avenues that can be taken, it’s just a matter of do we know for certain if we’ve actually been personally impacted yet.

(00:10:00)

Bob Ambrogi: Well, what about, I mean we’ve heard about the fact that Equifax has set up a site where consumers can go in and check to determine if they have — if their information has been exposed, I know I think Craig has said that he has started that process but not finished it, I haven’t even started that process. But what do the two of you advice people, set-aside, we’ll talk about lawsuit and litigation in a moment, but in the short-term, in the immediate term, what do you advice people should do on the chance that their information has been exposed?

Ben Meiselas: Here’s what I think one of the issues though with the Equifax security site though is any person, technological, professional will tell you that the very site they created further exposed people to what’s called phishing with the ph to, that allows hackers to potentially even access your data if it wasn’t part of the hack, because the name itself provided very little security protection. Equifax Security 2017, hackers are very easily able to create variations or gradations of that name, and you may be checking the wrong website to begin with. So there’s been a lot of outreach.

Bob Ambrogi: So there could be dummy sites out there and people could be getting attracted to dummy sites and giving over their personal information is what you’re saying?

Ben Meiselas: Correct, and even though some of the other credit reporting agencies are charging fees. I’m recommending to my clients at this point just stay away from Equifax. I mean just stay away from them, even if it’s free.

You can’t trust this company right now, and as the news, means, for example, one of the options for people is a credit freeze. Free credit monitoring, Equifax is doing both for free, credit freeze and credit monitoring, I wouldn’t trust my data with Equifax ever again, even if you knew or if you didn’t know that you had it there in the first place. I would much rather go to one of the others.

Bob Ambrogi: But isn’t there a Catch-22 with that? I mean we don’t have any choice over the fact that they have got our data in the first place, we didn’t give it to them in the first place, they have got it regardless.

J. Craig Williams: Right, and in the follow-up — yeah, and Bob, the follow-up question to that is, what do we do to get our information out of their hands? Can we write a letter to Equifax and TransUnion and say, hey, you’re not allowed to have my information, delete it?

Andrew Rossow: I think that’s a point of — what the goal is and future litigation is. We don’t know what precedent will be set or could be set as a result of this, but I do think on a personal level that that is one of the major goals or would be one of the major goals of these lawsuits or class actions that are brought.

Bob Ambrogi: Well what is — what is the, Ben, your firm has as filed a class action I think based in Oregon if I have got that right. I know there been other — at least, at least one other, maybe a couple of other class actions filed at this point, what is your class action looking for in terms of relief here?

Ben Meiselas: And there’s probably now somewhere in the dozens of class actions and they are all being filtering through this consolidation process. But at the most basic level what we’re seeking is restitution to make people hold for the injuries that they sustained. At your most basic baseline level that’s giving individuals credit monitoring is generally one of the remedies that you have in data breach cases and determining what that can cost over a number of years.

And generally for a few years of credit monitoring from a well-respected credit monitoring agency or site that could be several hundred dollars a month, but then perhaps a subclass that we’re going to find or we already are starting to see, are individuals who not just a threat of their identity being stolen out there, but actual people who have really traceable pecuniary harm, false accounts being set-up in areas and banks that they are unaware of, because someone not only leaked the data but actually stole the data from the dark web and has been using it for a nefarious purpose.

And thirdly, in addition to monetary, as Drew mentioned through the injunctive relief powers, class action lawyers are often able to accomplish what politicians, what Congress, what our local legislature has been unable to do. In every financial controversy or crisis that we’ve had — we have had a Dodd–Frank or we’ve had a Sarbanes–Oxley.

(00:14:55)

But I think you really need to have a strong regulatory framework as well, which hopefully these class actions inspire, in which the injunctive relief can begin that discussion and hopefully a more robust discussion happens though, where proactively and preemptively, the executives of these companies are being held personally accountable and responsible for data breaches by signing under Penalty of Perjury that they’re adopting the appropriate patches and as you mentioned, and you said well, is it the fault of the Apache Struts, that it is open software, is it — is it their fault?

Well, the real issue here that made Equifax just so responsible which made their response so horrible is that the most basic IT professional would say, there is a patch out there which fixed it very simply, and you would have beat the hackers in the first place as mostly everyone else did. But this company that traded in your personal secrets waited, they did nothing, they make billions and billions of dollars every year and they didn’t make that change, but with our injunctive relief in addition to the monetary compensation, we hope that that there is affirmative relief that the court orders these credit agencies to be more transparent with their data, to let the public know what the heck is going on and make sure this never happens again. Even if that means, and this is where it’s headed bankrupting Equifax.

J. Craig Williams: Is this a situation where this information is now so — should be kept so sacrosanct that we basically need to establish a government Fort Knox for this information, and then let only people access it through government, can we take this out of private sector hands if that’s in fact an appropriate remedy, and is it a remedy?

Andrew Rossow: And I think that Equifax has so utterly failed in the challenge that they’ve been given, which is their entire business model of protecting this data. In terms of the level of government intrusion, I think that that’s up for debate whether it should be entirely helped within a government agency, but there really needs to be proactively, prophylactically, which does not exist a regulatory framework that’s established with a great degree of oversight preemptively to try to avoid this ever happening ever again, and one of the recommendations that I’ve made and I’ve been tweeting about and telling people about is, it starts with motivating the executives who make millions and millions of dollars from these corporations that trade in personal data, personally responsible for not coming up with and not developing and not having the most up-to-date security protections that are there, it’s just entirely unacceptable that you are not adopting, downloading within your IT departments basic updates that anyone with the most basic degree in IT could do.

Bob Ambrogi: We are going to take a short break right now, stay with us, we’ll be right back for further discussion of the Equifax Breach.

[Music]

Bob Ambrogi: Documents are the currency of business. They represent you in every business interaction. Executives need to know what changes have occurred in documents, what metadata risks exist and how to encrypt, share and collaborate securely.

Litéra simplifies the document creation and collaboration process to protect you from risk and loss of reputation. Litéra offers better solutions for document lifecycle management so you can focus on doing what really matters;  HYPERLINK “http://www.litera.com” www.litera.com.

[Music]

Bob Ambrogi: Imagine what you could do with an extra 8 hours per week. That’s how much time legal professionals save with Clio, the world’s leading practice management software. With intuitive time tracking, billing, and matter management Clio streamlines everything you do to run your practice, from intake to invoice. Try Clio for free, and get a 10% discount for your first six months when you sign-up at their website  HYPERLINK “http://www.clio.com” clio.com, with the code L2L10.

[Music]

Bob Ambrogi: Welcome back to Lawyer 2 Lawyer. My co-host J. Craig Williams and I are talking about the Equifax Breach with two guests, Drew Rossow, an attorney with the firm of Gregory M. Gantt Company in Dayton, Ohio and Ben Meiselas, Associate at Geragos & Geragos in Los Angeles.

And Drew, I was just thinking in our last segment as we’re talking about better ways to protect this data whether by Equifax or by the government or anybody else, there has been so much talk about Blockchain in the legal profession lately, could Blockchain be a remedy here? Could Blockchain be a more secure way to store and keep track of some of this very sensitive data?

(00:20:06)

Andrew Rossow: Absolutely, and as you said it is kind of a newer type of concept in terms of encryption and a more secure way of transmitting information, and I think in a situation like this to add on to what Ben was saying before our break, is that this is one of the situations where there really is no second chance. The business structure of Equifax or a security agency is by definition to secure and keep safe personal information, and when that purpose fails there is no second chance. You have to look for alternatives.

How we go about that, I’m not sure, but I think Blockchain is definitely a strong possibility, and if you look at some of these other criminal cases over the years, I know I recently just did a piece over the Silk Road case that took place I think back in 2011, where there was a huge amount of information going through Tor and the Dark Web, but the key was the Blockchain and that it was so difficult to decrypt the type of information that was being sent, that it just takes so much effort. And I think that’s definitely an option in this case.

J. Craig Williams: And before the break we were also talking about what needs to happen to some of the executives in this situation and there’s been some rumors that I’ve seen that the CIO or one of the executives that were in-charge of this situation had a music degree. And then, immediately after the breach occurred, we have executives that have been alleged to have dropped a couple million dollars in corporate stocks. What’s going on and what needs to happen?

Ben Meiselas: You have corporate executives here that are totally and utterly devoid of accepting responsibility here. As I’ve said, both from a legal standpoint and a public relations standpoint and a human decency standpoint, this is a company that’s done every single thing wrong from the moment, from withholding information from the public for months and now it’s clear many, many, many months that there was this breach that took place from having originally what was clear to anybody in the legal community what they were doing was having these arbitration clauses that they were trying to bind consumers who were seeking the “free credit protection monitoring” from Equifax into arbitration so that they couldn’t sue, then later clarifying after there was public outrage from Attorney Generals and Senators across the nation that they clarified that in fact, they are not going to be compelling these arbitrations which was a big important win to the corporate executives selling and dumping stock before it was announced to the public.

I mean, this is a company that’s handled everything very poorly. We haven’t seen on the news or TV really the Equifax CEO Richard Smith going out there and accepting — really accepting responsibility, really communicating and directing the consumers, and you have a board that just seem to have this business as usual mentality and really doesn’t understand how this has affected people.

And in our view these individuals need to resign. They need to be or they need to be fired. They are all going to be going for a congressional hearing soon. And I think I’m very interested to watch how they do but these individuals shouldn’t be really working for this company anymore. They should be out, there should be a responsible team that’s put in.

And if this was I think in a foreign country where sometimes they permit the workers and people of the public to be on these boards and not just a bunch of other millionaires and billionaires to stay on these boards, and I think you would have the company itself calling for a criminal investigation of itself.

J. Craig Williams: What at this point does Joe Consumer and Jane Consumer need to do to protect themselves?

Andrew Rossow: I think that the first step is, as Ben had mentioned earlier is really stay away from Equifax. The tool that they set up, whatever intentions the company had was setting it up. You can’t trust it right now, and there’s no reason to trust it, but I know annual credit report is offering their annual credit check, consumers can go to the  HYPERLINK “http://www.identitytheft.gov” identitytheft.gov website to find out possible solutions. As we mentioned before credit freezes, monitoring bank statements, even putting a fraud alert on your account or even filing taxes early.

(00:25:07)

I mean there’s a bunch of different ways to go about it, but at the same time, there’s really not enough information on the table yet to really know for sure, what exactly to do other than just be diligent.

J. Craig Williams: Is the greater danger to our existing accounts or to people who have this information setting up, identity theft, stealing our information, creating new accounts in our name. Should we be going around and changing all of our passwords and whatever to our existing accounts or is that not so much a threat?

Drew Rossow: It never hurts to change passwords, and I have one of those random password generators for most of my accounts. I can’t remember half of them, but I have them written down and it can’t hurt. But at the same time, if you’re looking or talking about a credit freeze where it doesn’t prevent charges to existing accounts but it does prevent new creditors or new activities coming out against those accounts, then yes. But, at the same time, what consumers can do is just change your accounts, make sure that your email contacts are stable, make sure the messages you’re receiving are the typical nature that you would be receiving.

I had a friend call me yesterday, ironically, and say, hey, I got called by a law firm that says, I’m getting sued for about $3,000 for a payday loan that I took out in 2009 but I’ve never taken out a loan in my life. What do I do? And whether that’s a result of the breach or a result of personal information being out there on the web, it’s hard to say.

J. Craig Williams: The FBI is investigating this, Ben, could there be criminal charges here against Equifax or executives there?

Ben Meiselas: I think that that’s a distinct possibility and I think that they’ve lawyered up both in terms of the civil litigation and their exposure civilly and also criminally also with the SEC. But absolutely, the question is going to be, is this a case of just mere negligence? And I think that it’s almost stipulated in at this point that they were negligent, but does it go beyond that, and I think increasingly day by day, we’re uncovering, we the public, the class-action attorneys, the politicians who are digging not Equifax, who’s being transparent, but each day, we’re seeing, no, this was reckless. This was punitive. I mean, you knew that you had all of the sensitive data and you didn’t even have qualified individuals at the highest levels or at any level, handling this data.

And when there was a simple, a patch that could have addressed this issue, you were too busy doing whatever else was you were doing, making money and watching the stock price that you didn’t care about your core business model and did you just so recklessly throw this information out there and expose people. And so, there’s a real possibility that this could rise to the level of a criminal negligence or recklessness, something greater than just a mere civil liability.

Bob Ambrogi: Is there any reason to trust the other credit agencies or are we looking at something that’s have a rampant issue within this industry?

Ben Meiselas: I think you have every right to be suspicious of anyone and as Drew mentioned at the beginning, most of the major Fortune 500 corporations are or were using this open source code for their overall digital framework that they were using. It wasn’t just unique there. So everyone has the right to be suspicious, but at this point, until there’s greater regulatory action I think that deals with everybody else, I think at this point, we certainly know as Drew said and as I said, we would not trust Equifax right now, their platform, their executives, their leadership, that’s for sure.

And at some point life has to go on, and in this digital age, your data is going to have to be handled by somebody else other than yourself. I mean, you no longer can literally bury data or personal information in the backyard. I mean, this information is out there, streaming live, exchange in hands every day.

J. Craig Williams: Well, we are nearly at the end of our show and as always on this program, we like to give our guests the final word. Give them an opportunity to give their closing thoughts. So let’s do that, and Drew, let’s start with you.

(00:30:06)

Drew Rossow: Well, I want to thank you for having me back on the show and it’s a pleasure to speak with Ben and get a different take on things; especially with his involvement with the class action. But this is a scary situation and everyone should be on guard and it’s the unique situation because there’s not a lot of answers right now and it’s going to take litigation, it’s going to take depositions, and press statements to explain to the public what happened and why it happened and what is going to be done in the future in terms of how our data and information is handled.

Bob Ambrogi: Great, and how can our listeners reach out to you in case they’d like to get in touch with you?

Drew Rossow: Absolutely. Well, I do have my own CyberByte news bit series that I’ve started on my Facebook page. You can follow that at facebook.com/drossowlaw and on Twitter @RossowEsq.

J. Craig Williams: Thank you very much, and Ben, your final thoughts and your contact information?

Ben Meiselas: Sure, and thanks for having me on the show and Drew, it was great to meet you on the show and hearing your thoughts.

Class action attorneys in general, speaking as one, often get a bad reputation. It has that — or it’s been I think corroded by certain judicial branches and others by Congress and through various other regulations. The abilities to bring class actions have been eroded and I think you see here a perfect example of how class actions can be helpful in bringing positive change, both in terms of restitution, financial relief to people who are injured as well as injunctive relief and how class actions can actually spur change, and that’s what I mean, when I say “injunctive relief”, which is that affirmative compelling somebody to do something with the court order. But it shouldn’t start with the class actions.

Time and time again, I have class actions against major cable companies, against the number of corporations but I always say at some point, the class action is a reactive modality and we need proactive, prophylactic modalities that may limit the role of the class action attorney, but in the first instance, protect and prevent adverse things from happening to consumers.

And here I hope the class action really spurs this regulatory framework and that this is a shining example of the work that class action attorneys can do and in the largest class action, I think that’s ever been filed in the United States history and also spur positive change and hopefully protect and prevent things like this from happening again.

And so, my firm is called Geragos & Geragos, and you can contact me, the email address is [email protected]. The website is  HYPERLINK “http://www.geragos.com” geragos.com. Thanks for having me on the show.

Bob Ambrogi: Well, thanks for all the great work both of you are doing around this issue and appreciate it having you on the show and for your insights on this topic.

We’ve been speaking with Andrew Rossow from the firm of Gregory M. Gantt Co., and Ben Meiselas from Geragos & Geragos in Los Angeles.

J. Craig Williams: Great, and thank you gentlemen this is Craig Williams with Bob Ambrogi. Thanks for listening. You can join us next time for another great legal topic. When you want legal, think Lawyer 2 Lawyer.

[Music]

Outro: Thanks for listening to Lawyer 2 Lawyer, produced by the broadcast professionals at Legal Talk Network. Join J. Craig Williams and Robert Ambrogi for their next podcast, covering the latest legal topic.

Subscribe to the RSS feed on  HYPERLINK “http://www.legaltalknetwork.com” legaltalknetwork.com or in iTunes.

The views expressed by the participants of this program are their own, and do not represent the views of nor are they endorsed by Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.

[Music]

Continue Reading