
Equifax Is Said to Be Near $650M Settlement for Data Breach - el_benhameen
https://www.nytimes.com/2019/07/19/business/equifax-data-breach-settlement.html
======
tuxxy
I took Equifax to small claims. When that didn't pay up, I appealed and
removed to higher courts. I continued doing this until it wasn't worth it for
me. I think I cost Equifax a total of at least $20K USD. They had to keep
flying lawyers back and forth from Atlanta to where I lived and put them in
hotels.

I think I got them to spend more than I would have received in any settlement.

Fun note, my judge in small claims dismissed my case but said the following
before dismissing it, "Mr. tuxxy, I would not trust Equifax with my dog's
vaccination records. I'm absolutely appalled in the lack of protections
Equifax provides for the personal data of Americans, however I'm afraid I
don't see a case for negligence..."

She lectured Equifax's lawyers a bit on what a shitty offer credit monitoring
was for the loss of my PII for a bit, then sent us out.

I trolled their legal team a bit near the end and tried to settle for $3.50
after mediation failed, but I wanted them to refer to the $3.50 as
"tree-fiddy" in the settlement, but they refused. Oh well...

~~~
felipemnoa
Sounds like your story would be a good article to read.

~~~
cameronbrown
Yup. Would love to hear all the details.

~~~
tuxxy
I can write about it on my personal website. Maybe I'll submit it here some
time. I'm afraid it's not that interesting other than the emails of me
trolling them.

I wish more people took them to court. It was not difficult to do and is quite
an effective form of direct action because they have to spend quite a bit of
money to fight it.

~~~
dangoldin
That can be a helpful part of the writeup. I'm sure it would motivate a bunch
of us to actually do that.

~~~
stefco_
I second this! I'm sure there's lots of people on HN who would find this
really useful. There's so little corporate accountability that individual
legal action might actually prove significant. And as far as applying economic
pressure, a ton of small-claims cases could prove more costly than a single
class-action suit (and hence provide more deterrence).

~~~
mercer
Thirded. It could really have an effect to write about it and give this more
attention, with perhaps a call to action to do likewise (and why that might be
good).

------
FlyingLawnmower
I don't understand how Facebook got a $5B fine, yet Equifax gets a ~$650m
fine. The data breached in the Equifax case seems to cause far more direct
harm, and affected many more Americans. It feels like the 10x difference
should go the other way.

Can someone more educated in how these fines work teach me about how these
numbers are calculated?

~~~
JumpCrisscross
> _The data breached in the Equifax case seems to cause far more direct harm_

Facebook breached a consent decree with the FTC [1]. Demonstrating harm was
simple—they breached a settlement.

Equifax’s harm is potentially great. But demonstrating damages is difficult.

TL;DR Facebook is a repeat offender.

[1] [https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep](https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep)

~~~
pmiller2
> ...demonstrating damages is difficult.

I still don't see how less than $5 per person whose data was compromised
constitutes a reasonable settlement.

~~~
gtirloni
Have you got better numbers?

~~~
pmiller2
Right here:
[https://news.ycombinator.com/item?id=20484328](https://news.ycombinator.com/item?id=20484328)

------
nafizh
This is ridiculous. They just continue as if nothing happened. And who gets
the money? What about the consumers who got affected? Where is the
compensation for them?

~~~
cameronbrown
The damage to each individual is incalculable. Their company should just be
dissolved and split between everyone affected at this point. Giving them a
fine even close to the amount of economic damage they did would already be the
end of the company.

~~~
throwaway2048
Splitting the company would just mean selling the data (the only valuable
asset they have) to somebody else, whoever would pay the most.

~~~
MereInterest
Why? Breaches like Equifax happen when companies treat data, especially
personal data, as an asset rather than a liability. Treat their database as
the toxic asset that it is, and delete it as part of the bankruptcy.

~~~
buzzerbetrayed
Then what do you sell? You can’t sell the company and distribute the money to
the affected people if you make the company worthless first.

------
scythe
When corporate fines are shown in headlines, I think they should be expressed
as a % of market capitalization or cash on hand (the latter % obviously being
much bigger). It helps the reader better understand what kind of action was
taken. Fining McDonald’s 10M and fining Mozilla 10M will have radically
different effects.

~~~
harryh
Equifax is currently worth about 16.6B. This takes into account the fine, so
without the fine they'd presumably be worth 17.25B or so. So this was a fine
of 3-4% of their market cap. Total costs associated with the breach were
probably moderately higher than that.

That being said, it's important to understand that in the US, penalties are
assessed based on the seriousness of the infraction, not on the ability of the
perpetrator to pay.

And while it might be the opinion of lots of HN commenters that the Equifax
breach caused "incalculable" harms, demonstrating this level of harm in court
would be tremendously difficult.

~~~
pmiller2
> ...in the US, penalties are assessed based on the seriousness of the
> infraction, not on the ability of the perpetrator to pay.

When the penalty is less than $5 per person affected, how am I expected to
take that seriously? A penalty based on the actual seriousness of the
infraction would put the company out of business, and that's what should have
happened.

~~~
gtirloni
I agree but what's the actual seriousness of the infraction? Can the court
calculate it? How?

~~~
cameronbrown
Let's assume a piece of data is used to empty someone's bank accounts via
social engineering. Now it's possible to calculate how much that'll cost the
banks. Multiply that by the average worth of an Equifax "customer" and you'll
arrive at a nice round number which should put them out of business.

~~~
harryh
There has been zero evidence that anyone's bank account was emptied due to the
Equifax breach.

------
sys_64738
My info is only worth $4.50?

~~~
zadokshi
What is the market value of your data on an open market? It might be less than
$4.5

~~~
6nf
What was the level of detail exposed for the average person affected by the
breach? Name, address, age etc?

That stuff has to be worth more than $4.5.

------
DiabloD3
I think they forgot at least three zeros in that number.

------
TomMckenny
So when will I be able to opt out of their tracking me?

~~~
frankchn
That’s the beauty of their business model — you can only opt out by opting out
of most of banking altogether.

~~~
asdff
Opting out of US banking that is. This isn't a thing elsewhere.

------
asdff
Why do we always fine companies and not the executives involved who made these
decisions directly? Fining companies ensures the fines are mitigated and
passed to the consumer ultimately, and rarely effect change, but even
Zuckerberg would be stammering and sweating if he personally was issued a 5bn
fine that he himself had to pay and couldn't have his company absorb.

------
teddyuk
How does Facebook get billions and Equifax gets millions?

Equifax goes out and gathers your personal finance data without even asking,
they literally take it whether you want them to or not.

Facebook is data people choose to share freely.

This just seems like Equifax should be settling with an extra zero on the end!

~~~
harryh
They do ask. It's one of the conditions in any loan you take out.

------
solarkraft
> Most of the roughly $650 million payment would go toward compensating
> consumers for costs associated with the breach

4,48$ per person.

That ought to undo the damage of all your most personal information being
public.

------
eximius
What? $2/citizen? Somehow I thought I was worth more than that.

------
koliber
That's like $3 dollars per affected adult!

------
Canada
Yeah, it should be at least $100 billion.

The damages should completely wipe out all existing shareholders, and the
company should be unable to continue as a going concern.

~~~
chias
> The damages should completely wipe out all existing shareholders

Do you own any stock in a S&P 500 index fund, such as VFINX / VFIAX, SWPPX,
FXAIX, PREIX, etc? Congratulations, you're a shareholder.

~~~
Canada
I'm well aware that the shareholders are very diverse and detached. All the
more reason to impose reasonable damages: $1000 per person. Let the market
price that into companies that hold such vast amounts of sensitive data.

