
Tell HN: We'll pay for you to sue Equifax - evashang
YC16 company Legalist is paying for you to sue Equifax in small claims court. We&#x27;ll get you a complaint, filing fees, instructions.<p>http:&#x2F;&#x2F;www.businesswire.com&#x2F;news&#x2F;home&#x2F;20170914005511&#x2F;en&#x2F;Legalist-Pay-Data-Breach-Victims-Sue-Equifax<p>https:&#x2F;&#x2F;www.legalist.com&#x2F;equifax&#x2F;
======
ABCLAW
For individuals considering this, note that champerty arrangements are illegal
in certain jurisdictions.

If you get hit for that, you're on the hook, not them. That's explicit in
their ToS. Have fun, kiddos.

~~~
xie_alan
IANAL, but isn't champerty permitted (or not prohibited) in almost every
state? I don't think there's any remotely recent precedent for state-level
champerty statutes (the few that still exist) being enforced in a commercial
litigation context, and I think this situation is one in which the plaintiffs
(Equifax data breach victims) are already planning to file suit, thus not
rising to the level of "champerty and maintenance" being applied to frivolous
litigation that such statutes aim to prevent.

~~~
ABCLAW
>IANAL, but isn't champerty permitted (or not prohibited) in almost every
state?

Nope.

Third party lending as a broad policy trend has certainly opened up over time,
but some states still have the restriction, others have reformed it, others
call it a different thing and some have abolished it.

Is the risk substantial in your specific case? Maybe not. Maybe it is. Just
know there's a risk there and you're the one eating it.

------
DeathRabbit
OK, on the site under the reg info it says to "Verify" you were part of the
breach by using Equifax's verification site. Hasn't it already been
established that this site is giving (at best) inconsistent results? So if
their of-dubious-use tool says I wasn't impacted I have no recourse?

Also, the amounts available in small claims court seems like peanuts compared
to my data being "out there" permanently. This is just a general observation--
I'm not impugning Legalist with this statement at all. I guess it may seem
like small potatoes weighed against the risks, it's not like everyone impacted
by this could get appropriate remuneration for the potential lifelong BS
caused by this.

~~~
k3oni
What do you think will come out of the class-action lawsuits and how much do
you think people will get per capita after the lawyers are paid?

I have a feeling that in small courts you can at least get more than that. PA
for example has a max of $12k claim amount.

~~~
DeathRabbit
Oh, yes, totally agree that the class action suits will result in a sweet $15
check or something. I guess my poorly phrased lament was just in reflection
that even the max payout in small claims doesn't seem like a great result
given that this stuff is out there permanently. I read some stats that
indicated an average of 330 hours for a person to work through fraud on their
credit reports or otherwise clean up an ID theft event.

~~~
jlgaddis
Note that you don't have to file in _small-claims court_. Small-claims court
was established as a convenient, easier way to handle dispute of (relatively)
smaller amounts.

If you feel that Equifax has caused you, say, USD $100k in damages, you can
certainly file a "regular" civil suit against them and ask for that amount.

------
smsm42
AFAIK small claims court are pretty informal, and most do not allow one to be
represented (as opposed to advised, which is allowed) by a lawyer. So I
imagine you come to the court, and the judge asks you "OK, tell me why you are
suing Equifax", and you, being true to the promise to tell the truth and
fearing perjury, answer "I've read an ad from a law firm which promised me
that I can sue them for free and get money from it, so that's the reason I am
here in the court today - just trying to grab some money from this
opportunity". I would be surprised if the judge would be overly sympathetic.
[1]

And since judges probably have seen pretty much everything under the sun, they
probably would get the gist of it even if you don't answer in these exact
words. And I am not sure judges would also be sympathetic to "auto-lawsuit"
setups where you are allowed t generate lawsuit by filling a form without
anybody actually ensuring there's a case. And Legalist seems to be advertising
"automatic" support - i.e. without even considering if you actually have the
case or not. It's basically automatic lawsuit generator. I don't think it'd
make judges happy.

Lawsuit financing may be a great idea - I actually like this approach - but
turning it into opportunistic money-grabbing mill is probably makes more harm
than good.

[1] If you don't believe people really answer like that, check this out:
[https://wlflegalpulse.com/2017/08/18/food-court-follies-
frau...](https://wlflegalpulse.com/2017/08/18/food-court-follies-fraud-suits-
fall-apart-after-plaintiffs-candid-admissions-during-discovery/)

~~~
xie_alan
That's for sure why people participate in class-action lawsuits against big
companies like Red Bull, but isn't the whole point that people have had their
privacy violated? I can't see a plaintiff showing up to court and not saying
something along the lines of "Equifax lost my data and I want to be
compensated."

Maybe Plaintiff John Doe isn't going to be able to exhaustively demonstrate
quantifiable material damages, but maybe the court hands out a default
judgment.

The real opportunistic money-grabbers here are Equifax...they took their own
data breach, which is basically historically unprecedented in its scale, and
used it as a way to shill one of their own credit score monitoring products.
That, IMO, is despicable. If it's easier to sue these guys for their
negligence, so be it.

~~~
smsm42
> the whole point that people have had their privacy violated?

Possibly, but lawsuits don't work that way - "I feel bad because somebody may
potentially have got my info" is not a claim you can make and get damages.
There should be legal basis. Now, I'm not a lawyer, and saying US law and
caselaw is huge and full of terrors would be an understatement. So maybe one
could find some law that justifies it. No idea. But showing up in court and
saying "but privacy, your honor!" probably don't work.

> Equifax lost my data and I want to be compensated.

And I want to be a well-hung billionaire with wings. [1] Nobody cares.

> The real opportunistic money-grabbers here are Equifax

There's a lot to be claimed against Equifax. But Equifax being crappy doesn't
automatically grant you a victory in court. You have to make a valid legal
claim. Granted, small claims courts, as I said, are less formal and allow you
more leeway, but even then I doubt that just showing up with script-generated
claim and "I feel bad, I want money" would go very well. You are welcome to
try and report of course, maybe I'm an idiot and you'd be laughing all the way
to the bank instead.

[1] if you recognized the quote, you get 20 bonus points

~~~
xie_alan
Fair points on the issues of standing — I would assume that a college-educated
person with a decent understanding of the relevant case law (gleaned from some
of the links below and other MSM articles about the data breach) could stand a
decent chance of winning in court. Your mileage may vary, but if a 5 hour time
investment could possibly yield a 4-figure settlement, I don't see a problem
with filing a case and the worst-case scenario being a loss in court. That
being said, since your chances of winning likely increase with how much effort
you put into the claim, it's not Legalist that's doing the heavy lifting for
you, which also begs the question of why you'd have them file for you in the
first place.

------
JshWright
So, "ambulance chasing" meets "webscale"?

~~~
xie_alan
Better call Saul!

~~~
failrate
Saul as a service

~~~
SimbaOnSteroids
JaaS

------
matt_wulfeck
I thought about this, but how do you _prove_ damages? Judges don't like you
wasting their time with theoretical losses. The best I could come up with is
the cost of credit monitoring ($20 a month) for life.

Does anyone have recommendations for quantifying the damages? Something the
judge won't toss out?

Also why does this make us put in the court where we will file? Doesn't it
need to be where Equifax is located, and won't it be the same for everyone?

~~~
etjossem
I am not a lawyer, this isn't legal advice backed by any level of expertise in
the law. But if I had to write a complaint for small claims right now, here's
what I'd bring up:

\--

FCRA § 604. states that "any consumer reporting agency may furnish a consumer
report under the following circumstances and no other", and lists allowable
reasons to dispense a credit report.

FCRA § 607. requires compliance, stating that an agency must "limit the
furnishing of consumer reports to the purposes listed under section 604."

FCRA § 616. imposes civil liability for willful noncompliance at a minimum of
$1000, even if that is greater than actual damages already sustained.

(a) In general. Any person who willfully fails to comply with any requirement
imposed under this title with respect to any consumer is liable to that
consumer in an amount equal to the sum of

 _.. <snip>.._

(B) in the case of liability of a natural person for obtaining a consumer
report under false pretenses or knowingly without a permissible purpose,
actual damages sustained by the consumer as a result of the failure or $1,000,
whichever is greater;

 _.. <snip>.._

(2) such amount of punitive damages as the court may allow;

\--

This suggests to me that you will be able to seek "actual damages sustained by
the consumer as a result of the failure or $1,000, whichever is greater", plus
any punitive damages the court awards (I do not believe this is generally done
in small claims). You would need to demonstrate that the failure to safeguard
your information was willful.

~~~
sokoloff
I think you'd also have to demonstrate that Equifax "furnished your consumer
report".

If I have $1000 in cash stolen from my house by someone not authorized to work
in the US, I'm not liable for an employer violation for not filling out an I-9
form...

~~~
etjossem
_" The term 'consumer report' means any written, oral, or other communication
of any information by a consumer reporting agency bearing on a consumer’s
credit worthiness, credit standing, credit capacity, character, general
reputation, personal characteristics, or mode of living which is used or
expected to be used or collected in whole or in part for the purpose of
serving as a factor in establishing the consumer’s eligibility for [credit]."_

It's a fairly broad definition. Per press release, Equifax made a data
communication of this info to someone who did not show a permissible purpose
under § 604.

I would argue that Equifax had months to patch CVE-2017-5638, but they did
not. Their web application continued furnishing parts of my consumer report to
anyone capable of running [https://github.com/mazen160/struts-
pwn](https://github.com/mazen160/struts-pwn).

------
justboxing
What's in this for Legalist?

From their home page:

> All legal bills covered.

> Litigation is expensive. Whether it’s attorney’s fees or that expert witness
> report you need to prove damages, litigation costs can add up. When you’re
> backed by Legalist, you don’t have to worry about unexpected legal expenses.
> Focus on growing your business, and we’ll take care of it.

I'm always skeptical of assurances like this.

~~~
evashang
Litigation finance is like a contingency arrangement - if you file the case
and the judge dismisses it, there's no risk to you. But if you do file the
case and win $1000, we'll recover alongside you.

~~~
spinlock
FYI - when you dodge the question this way, you look as bad as equifax. What
is in it for you? Do you take a percentage of the judgement?

I'll probably end up paying a lawyer to advise me on the best way to get back
at Equifax. But, I'm not going to do business with you because you're shady
and won't disclose your interest in this case.

~~~
mikestew
_What is in it for you? Do you take a percentage of the judgement?_

Just because you don't know how lawyerin' works is no excuse to be insulting.
They take a contingency, like every other friggin' lawyer on the planet. (No
financial interest, don't know the founders from Adam, yada, yada)

~~~
B1FF_PSUVM
> take a contingency, like every other friggin' lawyer on the planet.

Actually, there are countries where lawyers don't (and legally can not) take
contingency fees.

Not allowed to advertise, either.

~~~
mikestew
Admittedly that is a U. S.-centric viewpoint incorrectly extrapolated to the
world. I'm calling"literary license". Thanks for the correction.

------
eloff
I'm not a lawyer, but don't you have to prove that you've suffered material
losses to prevail in court? I'm not sure you're entitled to anything just
because you've been put at risk for identity theft.

~~~
DeathRabbit
This can be another service! You pay me some bitcoin to commit ID theft. I do
it, create havok all up in your business. Voila! Damage done, now go and sue.

Money to be made all around on this deal.

Seriously, though, IANAL but I think you're right, I've read a couple other
statements to that effect, that you'd have a hard time suing for the
_potential_ for trouble. And would a judge require you to _prove_ an ID Theft
was the result of the Equifax breach or just one of the other, smaller
breaches?

~~~
gthtjtkt
I'd recommend one of the more privacy-oriented coins, like Monero :p

------
GavinB
I submitted my data but I'm getting an "unknown request" on the URL
[https://www.legalist.com/equifax-sent/](https://www.legalist.com/equifax-
sent/)

Also, it's unclear what court you're supposed to file in. I did some research
and, at least in New York, you're supposed to file a claim where the defendant
does business. I put my local county small claims court in (New York County
Civil Court), but I'm not sure if that was right. Maybe because Equifax is
such a big company doing business everywhere I can file in my local court?
Otherwise it looks like I would need to file in Atlanta, where their
headquarters is.

------
neekb
Pretty interesting article discussing the ability to achieve "standing" in
court related to a data breach that doesn't immediately result in a loss:

[https://www.massbar.org/publications/lawyers-
journal/2016/no...](https://www.massbar.org/publications/lawyers-
journal/2016/novemberdecember/section-review-health-law-2)

------
deskamess
Any options for previous US residents who are now out of the country?

BTW, what are you giving up when you sue Equifax and win? Does winning absolve
Equifax of any liability or need to help you in case of future identity theft?

------
xie_alan
Saw this earlier this morning:
[http://www.bbc.com/news/technology-41257576](http://www.bbc.com/news/technology-41257576)

These guys should be, at the very least, fined by the government for how
blatantly careless they were with consumers' PII. I can't believe the credit
bureau oligopoly in the United States is this technologically incompetent, but
I suppose it's not surprising given the lack of economic incentive to
innovate. Hefty fines / settlement payouts should do the trick...

------
bllguo
is the only way to find out if you're affected still that dodgy
equifaxsecurity2017.com site? What happened to those accusations of random
output?

would love to be able to use legalist but I'm not even sure if I'm a victim

~~~
inostia
Basically if you're an adult who lives in the US, you are affected.

~~~
pavel_lishin
> _Basically if you 're an adult who lives in the US, you are affected._

How do you prove this in court?

"Your honor, I gave a Dark Web hacker some bitcoin and they said I was
definitely affected."

~~~
inostia
The funny thing is, the Legalist form to apply here:
[https://www.legalist.com/equifax/#apply-
form](https://www.legalist.com/equifax/#apply-form)

points to the Equifax page here:
[https://www.equifaxsecurity2017.com/potential-
impact/](https://www.equifaxsecurity2017.com/potential-impact/)

As far as I remember, you could enter any random information into their form
and it will say you were affected. That is the proof that Legalist is asking
to provide the basis for the suit.

~~~
xie_alan
I've had friends enter information into that form and it said they weren't
affected. AFAIK the Equifax backend is complete garbage and they've been very
careful to disclaim a positive match by saying your information is
"potentially impacted." Seems like they have no idea of knowing/proving
whether someone actually has your specific information, but can check whether
your information resided at one point on the specific server/database that was
compromised?

------
radvocate
This is terrible advice. In litigation you only get one bite at the apple - if
you sue in SC court and win $100, it extinguishes your ability to sue again
for new damages. And let's face it, our real damages aren't apparent yet.

Also, SC is probably your worst option, as far as ROI goes. If you want a more
strategic sense of your legal options, check out:

[http://myradvocate.com/new-
blog/2017/9/10/5vpvo8j70gnergoci4...](http://myradvocate.com/new-
blog/2017/9/10/5vpvo8j70gnergoci432n4grj2017p)

------
devy
I am a Equifax data leak victim.

How do I know Legalist is dependable and trustworthy so that my personal
information is NOT going to be leaked by Legalist again in the future for the
second time?

And small claim court filling fee is only less than $100 (in my state it's
$35, appeal is $250 refundable). And maximum claim amount in small claim court
in my state is $3000.

Is it worthy for me to trust another 3rd party with my sensitive information
to get at most 3k (in reality it will be much less and there is also the fee
from Legalist).

I personally don't think this is a useful service AT ALL.

~~~
xie_alan
Also a victim. I personally would rather get a 4-figure settlement in small
claims court instead of a $5 check in five years from a class action.

IANAL, but it doesn't look like Legalist is handling any information that you
wouldn't be making publicly available in a court filing were you to do this
yourself. As someone who doesn't have the time or diligence to do all this
myself, I actually find this pretty useful.

------
jlgaddis
Off-topic (but somewhat related, perhaps?) question for any of you who and
submitted the form (no cheating, please!):

 _What type of SSL certificate -- DV or EV -- did the Legalist web site have,
if any?_

I'm just interested in {whether|how many of} you bothered to look before
submitting your information.

(I'm asking because I was reminded of a recent HN discussion about DV/EV
certificates and this seemed as good of a "test case" as any.)

~~~
xie_alan
I'd be interested in reading that discussion if you have it handy. I've been
looking into SSL recently for some personal sites and the easiest method has
been a combination of GitHub pages / Cloudflare. I might be mistaken, but
aren't EV certs just a cash grab by the issuing authorities?

~~~
jlgaddis
> _I 'd be interested in reading that discussion if you have it handy._

Sure. It was a discussion [0] of an article by Troy Hunt entitled "On the
Perceived Value of EV Certs, Commercial CAs, Phishing and Let's Encrypt" [1].

(There have been a few other recent discussions [2,3] that also mentioned EV
that you might be interested in.)

> _I 've been looking into SSL recently for some personal sites and the
> easiest method has been a combination of GitHub pages / Cloudflare._

That seems to be a pretty common setup (for "easy"), as well as static sites
on AWS S3, etc.

Most of my sites run WordPress on my own (physical) servers so I can't
personally comment on those methods.

> _...aren 't EV certs just a cash grab by the issuing authorities?_

That seems to be the popular opinion (at least here on HN), though I can
understand the desire to use EV over DV in certain situations.

[0]:
[https://news.ycombinator.com/item?id=14805233](https://news.ycombinator.com/item?id=14805233)

[1]: [https://www.troyhunt.com/on-the-perceived-value-ev-certs-
cas...](https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas-phishing-
lets-encrypt/)

[2]:
[https://news.ycombinator.com/item?id=14749565](https://news.ycombinator.com/item?id=14749565)

[3]:
[https://news.ycombinator.com/item?id=15221119](https://news.ycombinator.com/item?id=15221119)

------
clarkevans
The least Equifax should do is stop charging for monitoring changes, freezing
and unfreezing our records.

~~~
smsm42
Fees for freezing/unfreezing sound like a scam - it literally costs them zero
to do this (since they have already made the system for doing it) and given
the rampant fraud for which they have little protection - they should just
make it easy and free. I am generally very laissez-faire person, but this is
one of the cases where I'd probably be grudgingly ok with some regulation.

------
radvocate
This is terrible advice. In litigation you only get one bite at the apple. Do
you want to file a claim now for a few hundred dollars in SC court, or wait
until you actually have real damages to cover? If you file and win now, you're
out of luck with your future damages.

~~~
xie_alan
My knowledge of identity theft is admittedly limited to TV documentaries...but
if your identity is stolen five years from now and the fraudsters rack up
thousands of dollars in loans and bills under your name, is there a way for
you to link that crime to the Equifax hack? I could see a lawyer making the
very shaky argument that John Doe could have had their personal information
hacked elsewhere and that there's no evidence connecting the thieves to
Equifax.

------
civilian
How much is legalist recommending we take Equifax to small claims court for?
$500? 1k?

------
jdshaf
The website says: "File suit and repay Legalist only if your case is
successful."

Do I owe legalist their fee if I win, but am unable to collect from Equifax?

~~~
evashang
Legalist is repaid only in the event you recover money directly!

------
basseq
The website makes no mention of the "complaint" promised in the OP. Is this
just litigation finance, or litigation support as well?

------
spraak
From what I understand, there isn't any financial risk for someone using this?
I.e. since their payment is contingent on you winning?

------
eknight15
Got a 500 Error after applying

~~~
chaigh
Hey eknight15, I'm the CTO @ Legalist. mind shooting me the console logs?
christian @ legalist . com

~~~
eknight15
Nothing in console [https://imgur.com/a/mXUIC](https://imgur.com/a/mXUIC)

It takes me to /equifax-sent/ but title is 500 Error

~~~
sguha
I'm getting the same problem

------
yang2007chun
I get 500 too. And there is no console log at all...

~~~
chaigh
For those getting 500 errors, the issue should now be fixed!

