Equifax Is Said to Be Near $650M Settlement for Data Breach (nytimes.com)
119 points by el_benhameen on July 20, 2019 | 106 comments



I took Equifax to small claims. When that didn't pay up, I appealed and removed to higher courts. I continued doing this until it wasn't worth it for me. I think I cost Equifax a total of at least $20K USD. They had to keep flying lawyers back and forth from Atlanta to where I lived and put them in hotels.

I think I got them to spend more than I would have received in any settlement.

Fun note, my judge in small claims dismissed my case but said the following before dismissing it, "Mr. tuxxy, I would not trust Equifax with my dog's vaccination records. I'm absolutely appalled in the lack of protections Equifax provides for the personal data of Americans, however I'm afraid I don't see a case for negligence..."

She lectured Equifax's lawyers a bit on what a shitty offer credit monitoring was for the loss of my PII for a bit, then sent us out.

I trolled their legal team a bit near the end and tried to settle for $3.50 after mediation failed, but I wanted them to refer to the $3.50 as "tree-fiddy" in the settlement, but they refused. Oh well...


Sounds like your story would be a good article to read.


Yup. Would love to hear all the details.


I can write about it on my personal website. Maybe I'll submit it here some time. I'm afraid it's not that interesting other than the emails of me trolling them.

I wish more people took them to court. It was not difficult to do and is quite an effective form of direct action because they have to spend quite a bit of money to fight it.


That can be a helpful part of the writeup. I'm sure it would motivate a bunch of us to actually do that.


I second this! I'm sure there's lots of people on HN who would find this really useful. There's so little corporate accountability that individual legal action might actually prove significant. And as far as applying economic pressure, a ton of small-claims cases could prove more costly than a single class-action suit (and hence provide more deterrence).


Thirded. It could really have an effect to write about it and give this more attention, with perhaps a call to action to do likewise (and why that might be good).


Whenever I have worked somewhere and someone has complained and got nowhere, as soon as they lawyer up it goes to the top of the pile, 200% VIP treatment!


I just noticed $3.50 as the fee to use the HIBP API...

https://www.troyhunt.com/authentication-and-the-have-i-been-...

"In choosing the $3.50 figure, I wanted to ensure it was a number that was inconsequential to a legitimate user of the service. That's about what a latte costs at my local coffee shop so spending a few bucks a month to search through billions of records seems like a pretty damn good deal, especially when that rate limit enables 57.6k requests per day."


> The actors I've seen taking advantage of it are highly unlikely to front up with a credit card and provide what amounts to personally identifiable data (i.e. make a credit card payment) in order to mass enumerate the API.

Unless they just steal a credit card. Not unlikely, given who we're talking about here.


Yes, but burning a "good" stolen card to buy a $3.50 subscription is a waste.

Using an "exhausted" stolen card would get flagged by a good payment provider (Stripe!)

The only issue is in some parts of this world credit cards are difficult to obtain.


That's ridiculous, they were hacked through Struts CVE-2018-11776, which was discovered a month before the hack. If the appointed security officer had been monitoring CVE lists for their software, this would have been patched.

Moreover, their DLP system was offline for the period of the hack due to certificate expiration.

IANAL, but there was a clear case of negligence.

-- ed:

There were winning cases against Equifax. The payout was awarded for the damages - 3 years of credit counseling and monitoring, something in the $6k range.


Any reason you chose negligence? I mean, they don't have a duty of care. (They probably should have, but they don't.)


You’re my hero.


This is amazing! You're my hero.

However, are you afraid they may come after you for some kind of revenge?


Since software is involved, it is basically impossible for any court to ever judge a company guilty of negligence. There are no standards for software. No licensed engineers they could fail to hire, no industry mandated practices they could fail to follow, nothing. Even when Toyota's outrageous negligence killed dozens of people in their 'unintended acceleration' scandal, the actual negligence claims failed. That's very bad, because it is exactly those negligence claims that provide the best motivators to corporate executives when building critical infrastructure. A guilty verdict for negligence when building a bridge or road or similar can easily result in executives in real prison cells. But if a computer is involved, they know they don't need to worry. Their main worry then becomes the potential punitive damages awarded by juries, but that's just a monetary penalty and even those usually aren't larger than what it would cost for them to do things like hire experienced software engineers, give those engineers control over product scheduling, provide them with the tools they need, etc.


I don't understand how Facebook got a $5B fine, yet Equifax gets a ~$650m fine. The data breached in the Equifax case seems to cause far more direct harm, and affected many more Americans. It feels like the 10x difference should go the other way.

Can someone more educated in how these fines work teach me about how these numbers are calculated?


> The data breached in the Equifax case seems to cause far more direct harm

Facebook breached a consent decree with the FTC [1]. Demonstrating harm was simple—they breached a settlement.

Equifax’s harm is potentially great. But demonstrating damages is difficult.

TL;DR Facebook is a repeat offender.

[1] https://www.ftc.gov/news-events/press-releases/2011/11/faceb...


> ...demonstrating damages is difficult.

I still don't see how less than $5 per person whose data was compromised constitutes a reasonable settlement.


Have you got better numbers?



In addition to demonstrating harm, regulators really hate it if you defy them. Repeat offenses carry a significant penalty as you're seen to be thumbing your nose at them.

That's what's frustrating about most of Elon's crap. Don't test the patience of the SEC with _tweeting_. Put your phone away and save that social capital for when you actually need it.

FB is more strategic but still repeatedly misleads congress, the FCC, etc. After a while, they're sick of being made to look a fool. Notice that FB isn't getting the "trust us" benefit of the doubt with Libra (nor should they.)


Yes. The other most significant aggregator of data, Google, is by no means a saint in this space, but I think they would get a bit more "trust us" points than Facebook. Their settlement over children's privacy on the YouTube platform is a salient example here. To my view, the rapid emergence of children vloggers turning it into a career and causing COPPA issues is probably something they should have twigged to earlier, but it doesn't smack of the blatant & extreme exploitation & carelessness of user data seen by Facebook. That said, Google is probably only one decent sized data scandal away from that territory, and hopefully takes FB's fine and increased scrutiny as instructive in being more careful themselves.


Facebook's market cap is $566B (common stock) and Equifax's is $16.6B.

The ratio of market cap differences is about 34:1. If Facebook's fine is adjusted to Equifax's it would be a $22.1B fine instead of $5B.

So, from a market cap perspective Equifax's fine is ~4x Facebook's.


I'm confused why that would have anything to do with it.

If you cause $100 in damages, you pay $100 (plus any punitive awards). Doesn't matter what your shares happen to be trading at that day.


That's one way of looking at it. The other way is that companies should feel about equal pain relative to their sizes. Otherwise, big companies are able to gain an unfair advantage by just ignoring laws for which they can afford the fines.


> The other way is that companies should feel about equal pain relative to their sizes. Otherwise, big companies are able to gain an unfair advantage by just ignoring laws for which they can afford the fines.

Which doesn't make any sense and just gives them the incentive to play the same games they do in avoiding taxes.

The first reason it doesn't make sense is that the penalty should have some relation to the damages. If you cause $500 damage to someone else without their consent, screw you. But if the fine for that is $5000 per victim, it's a deterrent no matter how big you are, because $5000 is more than $500 (and provides a fair margin for the probability of not getting caught), and if the company is getting more than $500 in value from doing it then it could have just offered to pay the victim $501 to consent to allowing it, which implies that they're not.

Meanwhile if you don't think large corporations can move numbers around on a spreadsheet to minimize what they owe, you haven't been paying attention. And we sure as heck don't need a system where Equifax gets to put its risky business in one entity that has inconsequential revenues and then suffer a $10 total fine when it screws up this bad because whatever penalty percentage of almost nothing rounds to zero.


Say companies A and B each cause $500 in damages. Company A makes $600 from that act, while Company B makes $6,000. A fine of $5,000 is way over the top for Company A, but Company B can just write it off as the cost of doing business.

As I've said elsewhere, I'm not advocating one particular method of coming up with this number. I'm just saying that the fine should depend on the company, not be a flat number based on damages caused.


If the cost of damages (including a punitive 2x or whatever) is really and truly $500, and Company B is willing to make their victims whole at that cost...I'm 100% sure there's a problem that needs solving.


What you are talking about is called punitive damages. Punitive damages exist exactly for the purpose of causing financial pain to companies in order to give them actual incentive to change their behavior (since if it is profitable to kill people, companies will make killing people a standard operating practice, we have multiple proofs of this). No other type of damage is levied as punishment. Other types of damages are driven by actual recovery of damages.


What does their ability to pay fines have to do with their share price? A % of profits or revenue would be more fair.


Percentage of profits would be a terrible way to fine. Imagining how that could be messed with isn’t hard. Mysteriously there would be no profit and the following few years' worth of expenses would be pre-paid, spent or otherwise brought forward.


And that’s why you charge a percent of revenue, not profit.


Sure, I don't really have any opinion on the best way to measure the size of a company. I'm just espousing the principle of scaling the fine to their ability to pay.


% of profits is fraught with ways to hide profits. Even gross revenue can be gamed, albeit with less efficacy. More practical is something like X dollars per infraction, with the ability for regulating bodies to exert some professional judgement that lets them determine if the culprit's infractions were severe enough to let the per-infraction cost put them out of business altogether.


Because fines like this are often more about sending a message to the entire industry than simply about reimbursing damage. It's saying, "make sure you take security seriously, or you're risking us taking X% of your revenue/value".

If you don't do it this way, you end up in a situation similar to speeding tickets: well-off people don't care at all (and are even probably more annoyed about having their drive interrupted than the actual fine), but it can mean a poor person has to skip meals to recover. If the goal is discouraging a certain type of behavior overall, it has to hurt violators comparably, no matter their wealth.


> It's saying, "make sure you take security seriously, or you're risking us taking X% of your revenue/value".

I would believe that if these companies didn't just keep doing what they were doing anyway. Losing a percentage of revenue or profit for one year does nothing to deter them! We need to reinstate the corporate death penalty. Equifax deserves to die for its negligence, IMO.


I agree with you; the fines are much too small. But the point is that they're too small for both Equifax and Facebook. Facebook's stock even went up because it was only a $5B fine!

The only way things will change is if the fines hurt more, but it needs to hurt the huge companies just as much as the small ones, otherwise it ends up just being another factor that helps keep the already-dominant companies at the top.


Do you really believe that Facebook's stock went up because they "only" got a $5B fine?

Facebook's stock went up because they had a pending fine, and the value of the fine was announced, reducing uncertainty. Put another way, would you buy a car that has an unknown repair bill for the same price as a car you know how much it's going to cost to fix?


"You don't get to exist if you screw up that badly" is a great way to send a message to an industry. Sorry, but Equifax is in a position to be a gatekeeper for data of people who haven't asked or given direct permission for them to have it. They should have gotten the death penalty as a corporation and their remaining data should have been seized.


Well, that's the thing. FB didn't necessarily cause $5B in damages, they broke the consent agreement. Actual damages might be, relative to the fine, minimal. It's hard to say how much monetary damage Equifax actually caused, but I think it's not unreasonable for a primary tenet to be setting fine levels that hurt, but aren't so punitive that the company must shut down, unless the activity was so egregious that a return to legitimate business may not even be possible or practical. Sort of like, in banking, the difference between levelling lots of fines on Wells Fargo for their shenanigans but letting Lehman Brothers just fail and go bankrupt. (I know, opinions differ on how these things should have gone down, and on whether Equifax should have been forced to wind down and parcel out its services to other entities. I'm just trying to explain why actual damages isn't always the sole consideration.)


Because you want to teach them a lesson, not put them out of business.


Corporations are not people. They don't "learn lessons". They respond to incentives. If this breach didn't cost them dearly, but they still reaped any reward from having had the breach (e.g., saved money on security, and opt to pay the fine instead when they are breached), they will do it again in the future.

A fine is meant to deter as well as punish. If the fine is too small, it won't deter. And certainly if less than the profits earned, it can't punish, nor deter.


Corporations don't learn lessons, but people do. You want managers arguing for budget to prioritize security, or lawyers arguing for legal stuff, to be able to use this as a compelling example.

Losing $650 million is perhaps not quite as compelling a story as losing billions, or a smoking hole where a company used to be (as in Enron and Arthur Andersen). But it's a pretty big chunk of change. I have no experience making such arguments, but it seems plausible that it will be remembered for a while at Equifax and their competitors, at least?

I'm doubtful that people respond to such incentives rationally. It probably has more to do with how well the storyteller tells the story. And whether the thing they're selling actually works well for improving security seems pretty hit-and-miss, too.


Putting them out of business would teach them a lesson, one perhaps other companies might actually learn as well.


An eye for an eye makes the whole world blind.


I'm not sure that applies in the free market.

It seems less scofflaw companies aren't offered the chance to serve the same markets because criminal companies are let off too lightly.


Again, why? The lesson is for the industry as a whole to learn, not for an individual company.


That's like saying society has a whole lot to learn but not individual humans.


Installing government regulators on the board would teach their C-levels a lesson.


I won't lose sleep about either one of those.

Primarily, I want my justice system to administer justice.


Why not?


Or you file for bankruptcy...


The FB fine was due to violating a previously existing consent decree with the FTC due to previous violations. The "2nd offense" nature of the offense probably contributed significantly to the higher number.


Probably because FB is politically charged, disliked by both parties, consumers and the wider industry. The fine represents the public's anger at large.


And Equifax ISN'T?


Let's be honest, the average American barely knows what Equifax is.


Let's be even more honest: if they did know what Equifax is, what they do, and how long they've been doing it, they would certainly hate them more than Facebook.


Looks like you got downvoted a bit on this, but it's an excellent point. I fully think FB deserved what they got, and would not have balked at more. But Equifax, even with a fine higher than FB's relative to market cap, still seems to have gotten off lighter.


" You're good, You're good, You're good, You're good, FUCK YOU IN PARTICULAR You're good, You're good, You're good,"


Equifax offered free credit protection to mitigate damages.


IIRC you had to agree not to join class action suits to take advantage. Seems like a pretty self-serving tactic given that we're the ones who have to deal with their idiocy.


I got one of those letters. It seemed like a cruel joke to me. "We're sorry that we leaked all your personal data. But we have a great opportunity for you today! Send us some more personal data, and we'll monitor your file or something. For free! Trust us, it's gonna be great!"


I would imagine that Equifax was able to prove that they at least met the prudent man rule.

The prudent man rule requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. This rule, developed in the realm of fiscal responsibility, now applies to information security as well.

The intent was to patch the system but they experienced some sort of issue that prevented the timely action. From what I understand, you only have to show the courts that we tried to do the right thing and had the right intention.

Plus they aren't involved in any election scandals which certainly helps....

The one positive thing that came out of all this is that you can lock down your credit for free and open it again for free when you need to. Basically no one could ever open an account or credit card in your name if the offering party tries to run a credit report.


Assuming I buy your argument, to me, it just implies that the prudent man rule is inadequate here. Intent doesn't secure my data. As far as I'm concerned, they can intend in one hand and shit in the other and see which one fills up first. When the consequences of failure are the compromise of the financial lives of virtually every American adult, you need to be more than prudent about it.


Yes, intent minus execution equals some level of incompetence. Which (I guess?) is better than never having the intent to begin with, but it's sort of a distinction without a difference. "I wanted to fix my brakes but the brake shop was closed, that's why I got into a car crash" isn't really an endearing argument to the other parties involved or the regulators (Police in this case) that deal with the fallout.


> Plus they aren't involved in any election scandals which certainly helps....

Yes, plus their perceived censoring of right-leaning content (real or imagined).

But between the election stuff and their attempt to set up a currency whose monetary policy would be governed by a group of wealthy corps and partly based in another country regulated by a foreign body... these are things that touch on the sovereignty of the US, and no government wants internal competition on that front.


This is ridiculous. They just continue as if nothing happened. And who gets the money? What about the consumers who got affected? Where is the compensation for them?


The damage to each individual is incalculable. Their company should just be dissolved and split between everyone affected at this point. Giving them a fine even close to the amount of economic damage they did would already be the end of the company.


Splitting the company would just mean selling the data (the only valuable asset they have) to somebody else, whoever would pay the most.


Why? Breaches like Equifax happen when companies treat data, especially personal data, as an asset rather than a liability. Treat their database as the toxic asset that it is, and delete it as part of the bankruptcy.


Then what do you sell? You can’t sell the company and distribute the money to the affected people if you make the company worthless first.


They've already shown themselves to be terrible stewards of that data. If it was sold due to their bankruptcy then whoever buys it is going to be much more careful about losing any of it.


When corporate fines are shown in headlines, I think they should be expressed as a % of market capitalization or cash on hand (the latter % obviously being much bigger). It helps the reader better understand what kind of action was taken. Fining McDonald’s 10M and fining Mozilla 10M will have radically different effects.


Equifax is currently worth about 16.6B. This takes into account the fine, so without the fine they'd presumably be worth 17.25B or so. So this was a fine of 3-4% of their market cap. Total costs associated with the breach were probably moderately higher than that.

That being said, it's important to understand that in the US, penalties are assessed based on the seriousness of the infraction, not on the ability of the perpetrator to pay.

And while it might be the opinion of lots of HN commenters that the Equifax breach caused "incalculable" harms, demonstrating this level of harm in court would be tremendously difficult.


> ...in the US, penalties are assessed based on the seriousness of the infraction, not on the ability of the perpetrator to pay.

When the penalty is less than $5 per person affected, how am I expected to take that seriously? A penalty based on the actual seriousness of the infraction would put the company out of business, and that's what should have happened.


I agree but what's the actual seriousness of the infraction? Can the court calculate it? How?


Let's assume a piece of data is used to empty someone's bank accounts via social engineering. Now it's possible to calculate how much that'll cost the banks. Multiply that by the average worth of an Equifax "customer" and you'll arrive at a nice round number which should put them out of business.


There has been zero evidence that anyone's bank account was emptied due to the Equifax breach.


Sure they can. Ask Equifax’s lawyers how much it would take for them to introduce their SSNs and credit reports into the record. Divide by the number of attorneys and multiply by 145 million people affected.


> That being said, it's important to understand that in the US, penalties are assessed based on the seriousness of the infraction, not on the ability of the perpetrator to pay.

It's not about ability, it's about whether the fine is a suitable punishment and deterrent.


That being said, it's important to understand that in the US, penalties are assessed based on the seriousness of the infraction, not on whether the fine is a suitable punishment and deterrent.


Agreed — % of market cap is the only meaningful comparison.

% of revenue doesn’t work because some companies are high-revenue low-profit (supermarkets), others are low-revenue high-profit (luxury goods). % of profit doesn’t work because profit is fairly arbitrary (if a company reinvests everything, then zero profits). Cash on hand is even more arbitrary.

But % of market cap tells us exactly the impact on owners, it’s literally the amount their stock is going down and they’re therefore being penalized.


My info is only worth $4.50?


What is the market value of your data on an open market? It might be less than $4.5


What was the level of detail exposed for the average person affected by the breach? Name, address, age etc?

That stuff has to be worth more than $4.5.


It might be worth $0.10 to an advertiser, but that's not the damage you have if that data goes public, which the settlement is supposed to value.


That's about $4 more than some of the pre-GDPR settlements in various European countries...


I think they forgot at least three zeros in that number.


So when will I be able to opt out of their tracking me?


That’s the beauty of their business model — you can only opt out by opting out of most of banking altogether.


Opting out of US banking that is. This isn't a thing elsewhere.


These guys are scumbags. Check out point 12 on this page: https://www.equifax.co.uk/ein.html

With GDPR now in place here in the UK you can write to an organisation and ask them to delete all your data.

It would appear Equifax is above this new law...

> Please note that given the importance of complete and accurate credit records, for purposes including for responsible lending, it will usually be appropriate to continue processing credit report data, in particular, to protect the rights of another natural or legal person, or because it’s an important public interest of the union or member state.


Why do we always fine companies and not the executives involved who made these decisions directly? Fining companies ensures the fines are mitigated and passed to the consumer ultimately, and rarely effect change, but even Zuckerberg would be stammering and sweating if he personally was issued a 5bn fine that he himself had to pay and couldn't have his company absorb.


How does Facebook get billions and Equifax gets millions?

Equifax goes out and gathers your personal finance data without even asking, they literally take it whether you want them to or not.

Facebook is data people choose to share freely.

This just seems like Equifax should be settling with an extra zero on the end!


They do ask. It's one of the conditions in any loan you take out.


> Most of the roughly $650 million payment would go toward compensating consumers for costs associated with the breach

$4.48 per person.

That ought to undo the damage of all your most personal information being public.


What? $2/citizen? Somehow I thought I was worth more than that.


That's like $3 dollars per affected adult!


Yeah, it should be at least $100 billion.

The damages should completely wipe out all existing shareholders, and the company should be unable to continue as a going concern.


> The damages should completely wipe out all existing shareholders

Do you own any stock in an S&P 500 index fund, such as VFINX / VFIAX, SWPPX, FXAIX, PREIX, etc? Congratulations, you're a shareholder.


I'm well aware that the shareholders are very diverse and detached. All the more reason to impose reasonable damages: $1000 per person. Let the market price that into companies that hold such vast amounts of sensitive data.


And it is a tiny part of our portfolio since index funds contain massive diversity. I’d gladly have the stock go to zero.


I would be ok with that.


Neato. I'll still make a profit.


Which is precisely why the fine isn't material.

Government doesn't want to be the force that creates a monopoly of the remaining two companies.

Government also doesn't want a corporation desperate enough to put the government in front of a judge and jury.

So the result is kickback and relax. Emphasis on kickback.

