In September, entrepreneur Joshua Browder’s Do Not Pay chatbot website added a new skill: allowing people to sue Equifax for its monumental data breach that exposed the personal information of 145.5 million people, which included Social Security numbers.
A few months later, the results are coming in and people are winning judgements approaching $10,000.
Yahoo Finance spoke to a few consumers who have taken on Equifax in small claims courts, a process that they found surprisingly smooth, with no need for lawyers.
“It was the easiest nine grand I ever made,” said Darrow B. of San Francisco, who just won a judgment of $9,100.
The Do Not Pay chatbot, which started as a way to fight parking tickets, lets users more easily fill out the forms required for these simple lawsuits by automatically populating things such as Equifax’s address for each of the 50 states. Under the “damages” section, it simply says Equifax was negligent and the breach resulted in “significant damages.” The details get ironed out in court.
“You go down to small claims court, you hand them the papers, they tell if everything’s OK, then you choose a court date that works for you,” she said. “Then you show up and the judge basically says what happened. It took about an hour at the court.”
According to F. Paul Bland, an attorney and executive director for Public Justice, suing in small claims court is fine even if there’s a pending class action case, of which dozens have emerged against Equifax.
The luck of the draw
According to public records, about a dozen people in San Francisco have sued Equifax, many of whom used the app. But they haven’t always won — it depends on the judge.
One judge, who ruled in favor for a handful of plaintiffs against Equifax, including Darrow, seemed especially sympathetic. (With around one out of every two adults being affected, she was likely a victim of the breach as well.)
Darrow points to her ruling as a good blueprint to go from when arguing before the court. In it, the judge noted that Equifax had a duty to safeguard information, failed to heed warnings from the Department of Homeland Security, and “willfully” violated the Fair Credit Reporting Act and state regulations.
To some judges at least, demonstrating Equifax was negligent in its duty is enough for a positive judgment. The credit monitoring company was slow to disclose the breach (not everyone affected even got an email notifying them of what happened); it also pointed consumers to a useless website to see if they were affected, and then pushed them to sign up for a monitoring product that both could strip consumers of the right to sue the company and provide it with potential future revenue.
Damages can be tricky to show, but one victor, Jason Wittig, who won a $7,900 ruling in San Francisco Superior Court, said that he pointed to all the credit monitoring he would have to do to make sure his data was safe. One woman, he said, showed that she had to hire credit reporting services. In Wittig’s ruling, as in Darrow’s, the judge added up the cost of monitoring for 10 years and time spent dealing with “unauthorized access events.”
According to Wittig, this isn’t just an abstract concern. His personal information, including his phone number, seems to have been out in the open, leading to copious spam calls and emails. (In fact, he thought Yahoo Finance was a spammer and requested to be “removed from your calling list.”)
Equifax is appealing — and there’s a twist that’s in its favor
So far, no one has actually received a check from Equifax, according to the records Yahoo Finance was able to locate. The cases of Wittig, Darrow, and all the others Yahoo Finance found are all being appealed by Equifax. (An Equifax spokesperson told Yahoo Finance it would not comment on ongoing litigation.)
The appeal by Equifax could be a successful one. Some of the cases never got that far because the plaintiffs did not adequately show damages to the judge.
“The evidence does not support that any act of omission or breach of duty was a cause of any monetary loss, damage or tangible harm to the Plaintiff,” wrote one small claims judge in response to a Do Not Pay-created lawsuit.
At a glance, this looks like this plaintiff did a poor job explaining how Equifax caused them damages; small claims courts often require careful and specific documentation of alleged damages. But the one-sentence ruling could easily be about a far more ominous truth that reflects an ongoing cybersecurity dilemma: causality.
With more and more breaches and personal information available on the dark web, establishing the direct connection between the two is increasingly difficult — if not impossible. If your identity gets stolen, how can you possibly know whether the data came from an Equifax breach or another party altogether. For companies, the more breaches, the better.