Post Equifax Breach: Still dazed /confused about your next steps? Then read this.

Post Equifax breach news, many consumers are smart to take steps to protect their financial health. (Image credit: Joe Heller/HellerToon.com)

If you’re like many clients with whom I’ve talked since the Equifax data breach news first surfaced, you are still processing how all of this may affect you and your family now and for the long term. Before diving into the steps, pat yourself on the back for your gumption for tackling your share of the unwieldy mess that Equifax has handed half this country. Also, while you take steps to protect your financial health, please remain on high alert for vultures. Most of you are likely exercising healthy skepticism when you see ads, unsolicited emails, bogus news stories, etc. that tell you that you need to sign up with them or click on a link. (Yes – this even happened on Equifax’s consumer site post-breach.) But note that the breach has brought out many bad actors to the fore, who are salivating at the thought of preying on the fear borne out of the Equifax debacle(s). *DISCLAIMER: NOTHING ON THIS PAGE OR WEBSITE CREATES AN ATTORNEY-CLIENT RELATIONSHIP.  Please contact an attorney, if you seek counsel. I’m providing these steps as general guidance and NOT as your attorney. Feel free to email me, if you want to seek legal representation.

Step 1: Assume that your information was breached. The likelihood is great that your personally identifiable information (PII) is included in the 145+ millions of individual files compromised because of the Equifax breach.

Step 2:  Place a freeze (a.k.a. “credit freeze” or “security freeze”). No – it’s not difficult or “cumbersome” (as former Equifax CEO, Smith, claimed in hearings earlier this month). It’s not an absolute protection, but will serve as a significant barrier for fraudsters to use your PII. And yes – there is typically a charge (if you reside in Washington State, for example, unless you’re an ID theft victim already). For “how to’s,” see the second bullet point.

  • Please remember your children. While they probably don’t yet have a credit file (although some of my clients were surprised to find that their minors do have credit files), you want to protect against many ways that they can experience identity theft.  If your child has a credit file, then you as a parent may request a security freeze.  If your child doesn’t have a credit file, then the credit reporting agency (e.g., TransUnion, Equifax, etc.) is required to create a record for the child and is prohibited from releasing any PII about the child until the freeze is lifted.  Prepare to provide proof that you are a parent and have authority as a legal guardian to act on behalf of the child. You’ll also need to provide proof of your child’s identification.
  • How to freeze credit reports – You can call, if you’re not keen on entering your PII online (who can blame you?) You do need to contact each one of credit reporting agencies:

Experian — 1‑888‑397‑3742 or visit this page of Experian’s site

TransUnion — 1-888-909-8872 or visit this page of TransUnion’s site

Equifax — 1-800-349-9960 or visit this page of Equifax’s site

  • NOTE: If you can show that you’re a victim of a data breach (hello, Equifax breach victims), you can request a free freeze with Equifax and TransUnion if you go online. But, I remain extremely cautious around any of these CRAs for good reason.

Step 3: 

  • Get a free annual credit report and scour it for anything that looks out of place.  Beware of bogus websites that entice you with offers of free credit reports in exchange for your PII. Don’t do it. Go to AnnualCreditReport.com and no where else.

Step 4: Address potential/existing fraudulently opened utilities, pay TV or phone accounts. Again, it sounds incredible, but fraudsters have found that this is one of the best ways to use stolen PII.

Time to think about the ways that bad actors can use your stolen PII. Please don’t dismiss these possibilities because my clients have experienced all of these forms of ID fraud.

  • Contact the National Consumer Telecom and Utilities Exchange and request your NCTUE Data Report. Again , scour it for anything that looks out of place.www.nctue.com or 1-866-349-5185 (The NCTUE data report is a record of all telecommunication, pay TV and utility accounts reported by exchange members, including information about your account history, unpaid accounts and customer service applications.)
    NOTE: If the service provider doesn’t resolve the problem, file a complaint with the Federal Communications Commission at 1-888-225-5322 or TTY 1-888-835-5322.  Or, if you have an data privacy attorney, s/he can do this on your behalf.

Step 5: Guard against the real possibility that someone has or might have already created fake checking accounts. Order a free copy of your ChexSystems report, which compiles information about all of your checking accounts.

  • Get your report from ChexSystems via 1-800-428-9623  or ChexSystems’ website consumerdebit.com.
  • (If you find that individuals have already opened fraudulent checking accounts with your PII, you’ll need to contact every financial institution where a new account was opened. Ask them to close the accounts in writing.) Write down who you contacted and when. Keep copies of any letters you send.

Step 6: If you receive government benefits, contact that government agency and provide a written request for a report and a fraud alert. 

Lather, rinse, and repeat. Please consider this part of your regular regimen to preserve financial good health. The aforementioned are not a “once and done” list of actions.

Finally, a word about “identity theft protection” services like LifeLock, TrustedId, ProtectMyId, AllClear, blah blah blah. Instead of going with any of these services/products, watch this entertaining yet informative clip from John Oliver’s show. There was a time not too long ago, when I would have said go for it if you don’t want to do it yourself. But, I’ve since revised my opinion and would advise you to take charge of your own identity and PII, by doing all of the above on your own. Why trust some third party who only stands to profit from identity theft and data breaches.

Would you trust Equifax’s “Discounted” Offers?

Equifax visitors, who wanted to determine if they were affected by breach, were led to this page. Clicking on Free or Discounted Credit Report is how Equifax visitors would get served 3rd party malware.

That ain’t workin’ that’s the way you do it 
Money for nothin’ and chicks for free… ~ Dire Straits (“Money for Nothing”)

We’ve all heard Dire Strait’s old song “Money for Nothing” and that’s what monetizing web traffic is like for website owners. Publishers like NYTimes do it to stay alive as do behemoths like Amazon to generate additional revenue. So can we blame Equifax for wanting to make some do-re-mi off the tens of millions of new website visitors coming to their site? (cue the crickets…)

Equifax visitors, who wanted to determine if they were affected by breach, were led to the page above. Clicking on Free or Discounted Credit Report is how Equifax visitors would get served 3rd party malware. Not Equifax’s system, sure – but it’s definitely because they wanted to monetize that traffic. For those reporting Equifax’s line about “not our system that was hacked,” is similar to casting blame on Apache Struts for its issue. Let’s put on our thinking caps, shall we?

Want to understand the latest Equifax breach?

If you click on “Other Ways to Obtain a Free or Discounted Credit Report” on Equifax’s site, the above is what appears today.

The Equifax breach news of the day seems unbelievable. After all the beating that the company and its ex-CEO has taken, you’d expect that it would have its act together by now. Right? Not so fast… On closer inspection, today’s news is predictable-–once you understand that problems will continue for Equifax as long as it has the same corporate mindset that led to the mammoth breaches of May-July 2017.

A closer look at the latest hack…

The problem starts from the fact that Equifax apparently uses a 3rd party, FireClick, as its provider for hosted application service. The purpose of using FireClick is to collect and store Web analytics re usage and data for its clients, like Equifax.

BTW: If you try to visit FireClick’s site right now, don’t bother. It’s apparently a defunct company still listed as a wholly owned subsidiary of Digital River:

FireClick’s site was down the last time I checked.

The issue stems from how Digital River/FireClick integrated its ad network, including bad adware (i.e., Adware.Eorezo) in tracking, collecting and reporting Equifax’s site activity. To boil this down to the most basic terms:

  1. The unsuspecting consumers visit Equifax’s site
  2. When wanting to get details on Equifax’s Credit Report Assistance,

    Equifax visitors, who wanted to determine if they were affected by breach, were led to this page. The “Free or Discounted Credit Report” is where its greed got them into hot water on Oct. 12, 2017.

  3. The visitors are prompted to complete a form on a separate page—NOT on the original Equifax website. This is where the third party ad network comes into play. This is why Equifax is crying, “Not our system!”
  4. Of course, most unsuspecting visitors will proceed to fill this out and then get a prompt to download Adobe Flash Player.
  5. Once downloading this malware, voila! The website visitor’s machine is the happy new home of the newly acquired malicious program(s) (e.g., spyware, ransomware, etc.)

As with the earlier Equifax breaches, one can always point to a third party (Apache struts for the May – July 2017 breaches). But the brutal fact is that the buck needs to stop with Equifax. For those naysayers who want to say that class actions don’t help, I will direct them to the Anthem Data Breach settlement terms, which requires Anthem to spend tens of millions of dollars and subject itself to security audits for years. As a class action attorney, you can bet that one of my major goals is to have Equifax (and hopefully all credit reporting agencies) subjected to external, rigorous security standards. And, as with my other data breach cases, I will fight for my clients tooth and nail (they’ll speak to you, if you are still incredulous).

A key takeway for consumers for now (& especially for my many Equifax clients) – you are wise to steer clear of websites that Equifax and its competitors direct you to for now.

P.S.  Check out Digital River’s site below. Yep – they claim that they are the “Industry Leading (sic) Fraud Prevention.” #Irony

Digital River (owns FireClick) claims that it is the “Industry Leading (sic) Fraud Prevention”.

Equifax ex-CEO’s Pants On Fire as He Lies About “Lock” vs. “Freeze”

Over the past few weeks, so many tragic headlines have gripped all of us. This includes the rising death toll and long-term devastation in Puerto Rico. Then, we continue to reel from the horrifying mass-shooting in Las Vegas. All the while, the stock market continues to rise to new highs and the GOP wants to pass a law to strip consumers’ rights to sue. That said, all of us need to stay informed about the many maneuvers that undermine consumer rights. I hope that some of you were listening closely to the words of the former Equifax CEO, Richard Smith. With his feigned concern for consumers, he continues to mislead and confuse. There are so many ways he has done so before the House Financial Services Committee. But I want to focus on one point, where he continues to show that lawmakers and the public should not trust anything he says.

Smith keeps insisting that a “lock” is preferable for customers because, he claims, a lock is very “user-friendly” and less cumbersome. But note: Locks are not the same as freezes. While activating and deactivating a security freeze takes more time. But note that state law governs security freezes, which translates to that consumers are not financially liability when executing a freeze on their credit files. So, if a consumer experiences fraud after activating a security freeze, then the consumer is in the clear. However, if you opt for a credit lock, which Smith promotes repeatedly in his testimony, it is unclear who is liable if/when fraud occurs.

A credit lock seems like an attractive choice, as  you can do this by using an app with no PIN. And, it is typically instantaneous. But interestingly, only two credit monitoring bureaus—TransUnion and Experian—offers instant credit locks. Ironically, Equifax says its lock product included in TrustedID Premier requires 24 to 48 hours to process a customer’s request: the same as for a freeze. Also realize that you can’t lock and freeze at the same time. You need to choose one over the other.

Contrary to ex-CEO Smith’s testimony, don’t find comfort in the deceptively simple route of “locking” your credit. Why? Because we represent a number of clients who

have experienced identity theft on a jaw dropping level, after already having locked their files.

DISCLAIMER: By reading this blog post, there is no attorney-client relationship formed. Anything in this article should not be construed as an attorney’s advice. Please seek the advice and counsel of an attorney directly, if you are a victim of identity theft. We welcome your inquiries and will discuss your possible case with you at no cost. Email us at Equifax@Stritmatter.com and visit our Equifax page.

“When they see just a fraction of who you are…”

For full article, click here.

This is not on the topic of data privacy, but I wanted to give a plug to an important book by Caroline Frederickson, former labor law attorney and aide to Senator Tom Daschle. The wonderful folks at Washington State Association for Justice had me review Ms. Frederickson’s book, Under the Bus: How Working Women Are Being Run Over. I just had a chance to start going through my mail, and found that they had featured my review on the cover page of this month’s Trial News.

I highly recommend the book, and hope that everyone can read it. No – it’s not a self-help book like Lean In. Ms. Frederickson explains some lesser known, eye-opening facts about the history of some of our labor laws. If you don’t have time to read it, you can get the gist of it from my review. BTW: the title of my book review was inspired by Michelle Obama’s speech to graduates of Tuskegee University.

The Importance of Our Equifax Class Action

The Equifax data breach has sent shock waves like we’ve never seen before. Some consumers are only now starting to realize the lasting damage and harm that this breach will have on their lives. Thank you for all of your calls and emails. Please continue to send concerned family, friends, co-workers to us at Equifax@Stritmatter.com. Yes – we have heard from folks from New York, Florida, Virginia, Arizona, California, etc.– a former employee of Equifax, data privacy experts, and reporters who are trying to separate fact from fiction.

I promise to write more soon, as I continue to try to respond personally to as many emails/calls as I can. But please let me address one pesky fiction that occasionally rears its head on corporate-leaning media outlets and individual’s social media posts: A class action against Equifax will address a deep-rooted systemic problem that puts all of us at risk.  I cannot speak for all lawyers. But please think twice before rushing to judgement against those of us who are committed to advancing consumer rights. I will point to our work in the massive Anthem data breach litigation: Significantly, as a result of the Anthem settlement, they have helped all affected from the breach by holding Anthem accountable. The agreement includes a court enforced term that will hold Anthem to a more rigorous standard in its safeguarding of Personally Identifiable Information (PII). Anthem will have to spend at least $90 million annually on beefing up its cybersecurity practices for the coming years. At minimum, my clients will get awarded between $5K -$15K each. Then, there are dozens of attorneys like myself who have invested countless hours and dollars (yes – pursuing class actions costs money) and we will not want to retire anytime soon. BTW: note that federal law has a strict limit on attorneys’ fees.

Thanks to all of you who have contacted us with your stories, questions and concerns. As with our many other clients, we want to help give you a voice and make sure that you recover from this historic data breach.

Light at end of tunnel?

Privacy is a basic right that each consumer should value and want to protect.

For the last several months, I have gone mostly dark on this website. Not purposely. But I’ll admit that the absence of posts here was in large part a reaction to two events–one involving my personal life and the other involving our body politic.

All of us should not give up in the face of the breathtaking insolence of leaders beholden to corporations. I refer not only to Congress’ onslaught against consumer privacy and consumer class actions, but also to the daily (sometimes hourly) blitz on individual rights. Admittedly, it’s difficult to keep track as the battles grow more frequent.

In the end, I urge all of you to tune out the immediate noise. Please know that there are attorneys such as myself who are dedicated to the long-term fight for each consumer’s privacy rights. Always remember that our privacy rights are inextricably entwined with my fight to protect the consumer. Yes, each of us love the convenience that Google, Amazon, Apple, and other major corporations offer us. And, some of these corporations are doing a decent job to protect individual privacy rights. But each of us must remain diligent.

Please stay tuned for the following new blog posts:

  1. Think that a data breach won’t hurt you? Thank again. – I will share with you some eye opening stories of a client, whose personal data was compromised as the result of a massive healthcare data breach. To this day, she continues to deal with identity fraud.
  2. Experian rubs salt in the wounds of 143+ million breach victims  – Don’t accept offers for “free credit monitoring,” from Equifax. In addition to giving up your valuable Personal Information, you will also give you your right to sue Equifax. If you think that arbitration sounds fair enough, you are in for a rude awakening.

 

Post Spokeo: Two recent cases split on the nature of data breach injuries

In Joan Longenecker-Wells v. Benecard Services, Inc., plaintiffs were employees who learned that their personal information, including date of birth, social security number, addresses, etc. which resulted in fraudulently filed tax returns. The Third Circuit dismissed the Plaintiff’s claims, stating that their negligence claims were barred by the economic loss doctrine. The Third Circuit explains:

The District Court held that because Plaintiffs’ negligence claim sounds only in economic loss resulting from the fraudulent tax returns filed with their information, the economic loss doctrine bars their claim. We agree.

Food for thought. Can we say that a plaintiff, who experiences this grave injustice of losing the benefit of a 5 figure tax return is only sustaining economic loss? The real harm and the risk of ongoing identity fraud is more than economically and emotionally harmful. We must focus on the deeper rooted issue that lies at the heart of data intrusion cases. The fundamental right to privacy that has deep roots in our history now extends to our digital privacy.

In contrast, we have Taylor v. Spherion Staffing LLC, et al. No. 3:15-cv-2299 (N.D. Ohio 2015), Ernst v. Dish Network, LLC, et al. No. 1:12-cv-8794 (S.D.N.Y May 27, 2016); Hillson et al. v. Kelly Services, No. 2:15-cv-10803 (E.D. Mich. June 8, 2016). These cases settled and involved allegations of statutory violations. Keep in mind that Spokeo left open the possibility that a statutory violation may involve a real risk of harm to satisfy the concreteness requirement. Thus, settlement may have presented a more attractive alternative than extended litigation about the sufficiency of alleged harms.

Understanding the value of Privacy is NOT “Privacy Paranoia”

We should care about Privacy because it is a fundamental aspect of living a free, autonomous existence.

We should care about Privacy because it is a fundamental aspect of living a free, autonomous existence.

Why do people not care about Privacy? Some will offhandedly claim, “I have nothing to hide.” Others will say that big data and government surveillance should not concern those who are law abiding and innocent of wrongdoing. But the problem with this response is that it reveals a lack of understanding regarding the value of privacy. Privacy is not a mere shield or wall to hide certain details about us from others. The concept is not reducible to single acts of intrusion or violation of one’s personal sphere. To think about Privacy in terms of someone peering into your window to watch you with your family is to focus on only one tiny strand of tapestry or one grain of sand in a beach.

Think of the value of Privacy this way: If you drank one glass of lead-laden water from Flint, would you see a quick path to cancer or any other potentially deadly disease? Probably not. But the problem for those in Flint was that they drank water contaminated with lead for years. The cumulative effect, the acts taken in the aggregate were what caused so many in Flint to suffer irreversible health problems.

This is the same way the Privacy violations harm each of us and our society as a whole. The information collection, aggregation, insecurity, increased accessibility and decisional inferences/interference (“decisional interference” was coined by Prof. Daniel Solove).

While nebulous, Privacy is important because it affords individuals a basic amount of autonomy and control over facts and details that make each unique. In the aggregate, “big data” seems harmless. But as we have seen, there are many ways to hack and identify personally identifiable information (PII). When the PII and/or valuable data sets of individuals get in the wrong hands, one loses control over their finances and their digital existence. One of my data breach clients suffered and continues to see fraudsters obtain lines of credit, obtain a Washington State driver’s license, and so on. Folks: This is NOT Privacy Paranoia. It is a well informed fact that we need to care about how our PII is disclosed and safeguarded.

Most people do not realize how their data is getting sold in myriad forms either legally or illegally. I will talk about this more in future posts. That private data has value in virtually every imaginable industry. If it matters to others, it certainly should matter to you. At the very least, to value your Privacy is to value control over the information that is accessible about you. If you don’t care about having that minimal amount of control, then feel free to broadcast your SSN along with all of your family’s SSNs and dates of birth.

Walmart, Home Depot and banks are suing for data breach class action lawsuits

Walmart, Home Depot and Wendy's are some of the companies filing lawsuits for data breaches.

Consumer class action lawsuits are not a company’s worst nightmare, when they experience a massive data breach. Nope. It’s the lawsuits that Walmart, Home Depot and Wendy’s are filing for data breaches that can result in more massive losses for the breached company.

Headlines about the latest data breach continue to surface on the news about as frequently as we hear about Trump’s campaign travails. Interestingly, when Walmart,Home Depot or Wendy’s sues Visa and MasterCard for their data breach issues, those lawsuits don’t make the front pages. Did you know that banks got together and filed a class action lawsuit against Target for the much publicized data breach? The consumer class action lawsuits against the health insurance behemoths like Anthem and Premera have garnered a lot of attention. In the meanwhile, some of the Goliaths are suing the other Goliaths for their class action was certified late last year.

A takeaway from all of these class action is that the victims and plaintiffs in data breach lawsuits  are not only everyday  consumers, they are also retail giants, banks, employees, etc. When an organization fails to exercise due care in safeguarding personal information, it had better get ready to face the wrath of someone…

Subscribe to Blog via Email