The cost of pursuing each claim individually would usually be sufficiently high as to make pursuing a claim unviable. The behavior would remain uncorrected, and the injured parties would receive neither compensation nor the knowledge that the behavior has been altered or eliminated. Nobody wins in that situation.
And while it's almost inevitable that discussions about class action suits will involve complaints about the lawyers' fees, that's not really fair. Mass tort litigation is complex and involves significant investments of time and resources on the part of the attorneys involved. Especially if they actually make it to trial. It might seem unfair at first glance, but it enables the class to access the legal system and justice where it otherwise would not. They may be imperfect, but they're a hell of a lot better than the alternative and have had a profound positive impact on our society.
That was exactly what they were supposed to be about. The way it usually works out, however, is that the lawyers don't really negotiate on the same side of the table as the class and the class members end up with very little. The lawyers, however, get their fees.
That's why everybody gets pissed about it.
There are other legal remedies to force a change of behavior. If the lawyer wants to use my name (as a class member) for leverage in the suit, he or she should be representing me. The class action is something that is supposed to be for the class members' advantage - working as a group for legal remedy. The tradeoff is you don't get as much legal remedy as you may have had you footed the entire bill and risk of a lawsuit yourself. But some of the negotiated remedies are, indeed, a joke.
No, they really aren't, because as the parent says class actions are appropriate where the harm to each individual class member is small, but the small harm is spread out to many people. You as an individual were not harmed much, so you as an individual would not collect much even if you went it alone and recovered 100%. Litigation doesn't (generally) yield more than the harm you suffered.
Besides, if you want a lawyer to represent your interests alone, then you are free to not join the class and pursue your own individual case with the lawyer(s) of your choosing.
According to the U.S. Supreme Court, the “principal purpose” of class actions is “the efficiency and economy of litigation.” The Court has also noted other justifications for class actions, including:
the protection of the defendant from inconsistent obligations;
the protection of the interests of absentees;
the provision of a convenient and economical means of disposing of similar lawsuits; and
the facilitation of the spreading of litigation costs among numerous litigants with similar claims.
Fewer people than most realize are actually able to do this. Good lawyers don't generally take contingency cases, and if the case is even remotely involved, fees quickly reach to six figures.
Perhaps worse is the stress. Once initiated, you have virtually no control over the process, and it can take over your life. The motions and counter-motions, delays and hearings will wear you down. If the adversary is much better-funded, then they can make it nearly unbearable.
The legal system is not what most people imagine, especially those who flippantly threaten to sue. You have to go through an action (or be close to someone who is) to really get that. Engaging is stressful and costly and, unless you're a combative type with deep pockets who just loves to fight, you'll likely feel like you lost, no matter the outcome.
This, as much as anything, is why class actions are so prevalent.
If you're paying them they're representing you. If they spend a single client's or their own time building a case, they're not representing you. They are representing your class. If you want to be represented, opt out and hire a lawyer.
The lawyers are getting their fees to pay for the service of causing class-action suits to happen. Even if the remedies for a class member are a joke, the amount the company pays is, supposedly, not a joke (and yes, a good amount of that is probably paying those lawyers), and that's supposed to be a deterrent for other companies who are thinking of making the same mistakes.
Whether this works out in practice is debatable, but the current system is coherent in theory.
No, it isn't better than the alternative. The alternative is to have regulators selected and overseen by elected officials regulate the behavior of companies. We instead have a system of regulation by self-appointed ad hoc lawyer-regulators negotiating settlements they think will get past the judge overseeing their case and allow them to collect a fee.
The latter is perhaps better than nothing, but it isn't better than the alternative which happens to be in place in the rest of the developed world.
The self-appointed lawyer regulators at least have an incentive to do their jobs: they get a bunch of money.
That is why I have plenty of competition for Internet Access and Net Neutrality is vigorously enforced.
That is why the FTC routinely issues fines for False Advertisers for all the false claims that are made daily in ads.
That is why there are plenty of bankers in jail for crashing the economy in 2007.
Government regulation is grand.
Paraphrasing, we are currently getting the regulation we deserve - good and hard.
The system was always a plutocracy and will always be.
Of course it's fair. It's not like the members of the class get to shop around for cheaper lawyers. The class gets shit either way, they just have to decide if they hate the company more than the lawyers that charge the obscene percentages. And you can't make any kind of cost argument because a billion dollar case isn't any more complex than a million dollar case. The whole point of it being a class is that it impacted everyone the same so the dollar figures don't change the complexity.
This case is typical: https://www.paymentcardsettlement.com/Content/Documents/Orde.... $5.7 billion settlement, about $500 million in attorneys' fees, or less than 10% of the fund. $160 million worth of time invested by the attorneys to get to that point.
> And you can't make any kind of cost argument because a billion dollar case isn't any more complex than a million dollar case.
That's not true at all. Big dollar value cases involve either large harms to relatively fewer people, or relatively small harms to large numbers of people. The former kind of case often involves complex subject matter, such as financial transactions, medicines, etc. The latter kind of case often involves a very diverse class and complex issues of causation and damages. Consider the TicketMaster lawsuit: the basic theory of damages is that class members would not have purchased the tickets had they known that TicketMaster was marking up things like UPS charges. Well, clearly lots of class members would have purchased the tickets anyway. Coming up with a realistic damages model in that scenario is difficult. Furthermore, in big consumer class actions like that you've got class members in fifty states with fifty different sets of laws.
> $5.7 billion settlement, about $500 million in attorneys' fees, or less than 10% of the fund. $160 million worth of time invested by the attorneys to get to that point.
How often do private retained attorneys get $320 million in pure profit? Additionally the 'time invested' already has income for all of the involved lawyers.
The fact that it requires so much expertise and money to "access the legal system" in this way is in itself incredibly unfair and unjust. It's a completely broken system.
The real damages here are going to be to the banks and credit card companies that will have to absorb the costs of all the fraud.
As to the Ticket Master case, you can read the complaint yourself and see if $5 or so per class member settlement value was reasonable: http://www.ticketfeelitigation.com/docs/Fourth_Amended_Compl.... The theory was that TicketMaster didn't disclose that it was marking up fees for things like UPS delivery and order processing, and that if customers had known they wouldn't have ordered the tickets. That's a weak damages theory, because customers don't care about line items, they care about the bottom line. Either they'll pay $X for the tickets or they won't. Unsurprisingly, that weak damages theory led to a small per-class-member settlement.
Are credit card companies now in the habit of reimbursing consumers for the considerable time and headache required to sort out fraudulent charges caused by insecure data storage practices in the credit reporting agencies that the credit card companies contract with?
There are numerous reports of identity fraud causing a significant amount of trouble for the consumers involved, and as far as I know, not a one of them has ever received a letter beginning, "We're sorry for the time and trouble you went through to clear this up", with an attached check.
The hassle will be convincing all those companies that you do not in fact owe them thousands, and there are no automatic protections for these types of harms.
It's not a "habit", it's the law. It doesn't matter how the fraudulent charges came to be. If a person disputes a charge and has evidence to show it's fraudulent, then by law the credit card company has to investigate, and deal with it.
It also makes business sense. CC companies make a ton of money with legal transactions, and an anti-consumer, pro-fraud reputation would cost them customers.
> There are numerous reports of identity fraud causing a significant amount of trouble for the consumers involved, and as far as I know, not a one of them has ever received a letter beginning, "We're sorry for the time and trouble you went through to clear this up", with an attached check.
Why would the bank or credit card company send a check? Presumably they're not the one who committed the crime, so why should they cover the damages?
I've had my identity stolen, and it was a PITA to clear up, but the bank and credit companies were reasonable about it, IMO. In a case like this, where it's easy to point at the Equifax breach and say, "See? This is how they got my info.", it's probably even easier to clear up, though I'm sure it's still a hassle.
I'm not sure how much I'd want someone to pay me for an hour of my time. Clearing up identity theft can take many hours. Those are hours I can spend bugging the missus, or even bugging you folks.
I am clearly not to blame for their data exfiltration. Who is going to pay me for my time? What is my time worth to them?
This is all theoretical. My credit has been frozen for a long time. It has been that way since the OPM hack. However, for the sake of expression, I point out that my time is pretty valuable to me. Those who steal my time are worse than those who would steal my property. I can insure my property, I cannot replace my time.
Last month my auto registration sticker didn't show up in the mail after renewing it. A trip to the county clerk, then the sheriff's office to file a report, then back to the clerk to get another sticker took almost two hours. Stopping by the local bank to change my address after the online system locked my account for two incorrect password attempts took 90 minutes. 6 phone calls after a cancelled auto insurance policy made an auto draft the next month. My coworker has a pile of kids, two with medical issues, it seems like his wife has a part time job dealing with medical billing issues.
Most of these rambling examples aren't the fault of the organizing institution (unlike the Equifax leak at hand), but in the end individuals are bound by those institutions' organizational practices in their pursuit of normalcy. I don't know how it could be implemented or enforced, but at a certain point it feels like individuals should be compensated for suffering organizational incompetence or negligence.
Which gets me to my response:
Cherish that time. I don't care about longevity, I care about maximum value. I may be content to die today, but I'm not content wasting time on something that is forced on me.
I don't regret much, but I do regret my time that was wasted by others. As I look back, I see so many situations where I could have disallowed that while still getting the same eventual outcome.
For instance, in a past life I may call up to question a charge on my cable bill. Now that I have more money, I don't waste my time on such nonsense. If the cable company wants to charge me an extra $20 for no reason, they can do so, because it's not worth my time to call them up and get shuffled between departments for 2 hours.
But the time it takes on the phone to talk to an agent, review your records for legit vs illegit charges, etc. are not reimbursed, which is what they were on about.
> Why would the bank or credit card company send a check?
I think we're talking Target writing the check. Which they didn't exactly volunteer to do, but was covered in the class action at least: https://targetbreachsettlement.com/mainpage/CommonlyAskedQue...
Fraudulent charges on a credit card are the least of my concerns. This opens us up to a lifetime of identity theft and insecure accounts of every sort. I'm not even sure how they can approach remedying the problem. Coordinate with the SSA to get 150 million people new SSNs at the least.
There is no way to even estimate the damage as some devious ways of it harming us may not even exist yet.
Scifi story idea:
Far future. Life extension possible. The government will provide it free (if you want it) - one time only though - when you are near the end of your first life. Upon extension, this technology also turns the clock back to renew you to 20 years old.
You're 78 years old, frail, ready to kick it, but decide to do the extension. You go into the clinic. Give them your information, etc.
We're sorry, you've already been rejuvenated before. We can't help you, unless you want to pay $$$$$$ for us to go ahead with the procedure.
The solution, whatever it is, does not include anyone continuing to pretend that the SSN is now or has ever been suitable for any purposes other than for tracking government benefits managed by the SSA, and possibly also for tax filings with the IRS.
... and all of the other government benefits, programs, or mandated activities, many (all?) of which demand your SSN. Are you even sure that the credit industry, i.e. banks, originally misused SSNs? I wouldn't be surprised if they were required, by the government, to use them, precisely because it is the closest thing to an official "unique identifier".
Some people also might be concerned with not receiving their SS benefits either, which isn't entirely far-fetched given that others might now be using it for nefarious purposes (like trying to collect their SS benefits).
I read something somewhere else (maybe on a different HN thread, maybe here?) that this was changed in 2000 for something called "red flag laws", IIRC.
So yeah - it is required.
There's no such thing as losing your SSN because it is already public.
No one will be paid for their time wasted over ID theft resulting from this breach. That's what "made whole" would mean to me.
The extent of the potential damages here isn't limited to credit card fraud. Having your SSN leaked along with your name, date of birth, every recent address you've had, etc. opens you up to a lot of other attack vectors.
Furthermore, credit reports can often inadvertently contain information that relates to one's medical history - you can request that this information be obscured or sealed in your report if you find it, but that means that certain medical information is also within the scope of the potential leak.
The government is clearly of the opinion that they can and should prosecute people for leaking information which could cause possible harms.
I’m clearly not a lawyer, but these scenarios seem pretty similar to my untrained eye.
I've been through quite a bit of training and held my clearance for years. I was a victim of the OPM hack. Well, I guess I still am a victim. Mens rea doesn't really apply when handling classified material/data. If it is accidental AND you report it properly, it's not jail - you are so losing your job, however. You also lose your clearance. It has been a while, but I'm pretty sure you lose it forever.
This is not true at all. They simply reverse the charges. Businesses who accepted the fraudulent transaction(s) are on the hook for it. Anyone who runs a business and handles credit card processing can confirm this.
It does seem like any penalty for something like this should severely impact the ability of the company to operate though.
I suppose a $0 way to penalize them severely would be to force Equifax to allow individuals to opt out of having Equifax store information about them. Lots of people would do so without understanding that it might impact their ability to get a loan, but so what.
Maybe the USA needs everyone to have a new SSN and ban with very strict penalties its use by anyone other than the state, and then only for highly restricted usages, as it is in the UK.
While it doesn't solve the "papers please" aspect:
1. Card holds biometric data of person, plus PIN. Card is the only thing that holds this.
2. All card does is output "yes or no" if you are you.
3. You have or use a reader for authenticating who you are. The reader takes your biometric data (fingerprint scan, face scan, or something else), and has you enter your PIN. It takes this info, hashes it, compares to the stored info, and outputs the "yes" or "no" answer.
Very basic thing here. 3-factor, and the data about you is never stored anywhere, and the card/reader combo does the rest. The data about you never leaves the card (in fact, it can't - it would be write only for that data).
We have all the technology to do this today. What we don't have is the will. So it won't be implemented.
I'm not saying the above is perfect - but it is 3-factor (what you are, what you have, what you know), and that is what is needed most. The information stays with the owner on the card. All transactions can only be done with the card on-hand to prove you are you. You can change the PIN at will, maybe even the biometric data - but both are write-only, and can't leave the card. The card can read in data (an image for the biometric data, and the code for the PIN), but all it does is hash that together, compare it to the stored hash, and output a yes/no.
I'm not saying the above is perfect, and I am sure I have forgotten something. But it - or something like it - is what we ultimately need. But we won't get it. Ever.
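A minimal model of the card described in the comment above, added here as an illustration and not the commenter's code. The class and method names are hypothetical, the retry counter is an added assumption, and the reader is assumed to produce a byte-identical template on every scan; the constructed "noisy scan" case shows what exact hash comparison does when that assumption fails.

```python
import hashlib
import hmac
import os


class MatchOnCard:
    """Hypothetical card model: secrets go in, only yes/no comes out."""

    MAX_TRIES = 3  # assumption: card locks after 3 consecutive failures

    def __init__(self):
        self._salt = None
        self._digest = None
        self._tries_left = 0

    @staticmethod
    def _derive(salt, template, pin):
        # Length-prefix the template so template/PIN boundaries are unambiguous.
        material = len(template).to_bytes(4, "big") + template + pin.encode()
        return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)

    def enroll(self, template, pin):
        # Only the salted digest is kept; template and PIN are not stored.
        self._salt = os.urandom(16)
        self._digest = self._derive(self._salt, template, pin)
        self._tries_left = self.MAX_TRIES

    def verify(self, template, pin):
        if self._digest is None or self._tries_left == 0:
            return False  # not enrolled, or locked out
        candidate = self._derive(self._salt, template, pin)
        ok = hmac.compare_digest(candidate, self._digest)  # constant-time
        self._tries_left = self.MAX_TRIES if ok else self._tries_left - 1
        return ok

    @property
    def locked(self):
        return self._digest is not None and self._tries_left == 0


def demo():
    template = bytes(range(32))  # constructed sample, not real biometric data
    card = MatchOnCard()
    card.enroll(template, "4821")
    results = {
        "good": card.verify(template, "4821"),
        "wrong_pin": card.verify(template, "0000"),
        # One byte differs, as it would between two real captures.
        "noisy_scan": card.verify(template[:-1] + b"\xff", "4821"),
    }
    card.verify(template, "1111")  # third consecutive failure locks the card
    results["locked"] = card.locked
    results["after_lockout"] = card.verify(template, "4821")
    return results


if __name__ == "__main__":
    print(demo())
```
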
Also, notice the other subtle dependency that was introduced with the PIN only kept on the card - the PIN might as well not exist.
This is all known. The issue isn't how to design a security system. The issue is the fly-by-the-seat-of-the-pants lack of security with deadline-driven products. Those products only appear to implement a feature set and really don't work, just appearing to work in order to achieve the release exit criteria of a minimum viable product. This gets compounded by products hardly ever revisiting their earlier phases, choosing in this case to add new web features instead of hiring a security team.