Equifax, We Trusted you!

Equifax is a credit reporting agency that collects and aggregates information for millions of people in the United States and world-wide. Between mid-May and July 2017, Equifax was hacked, but it only disclosed this cyber-security breach about 6 weeks ago.

Radio Law Talk Segment

Equifax, We Trusted You!

*We do not get political. We just give the facts and the law.

*Remember this is entertainment, make it interesting and applicable to the general population.



Equifax’s system was hacked almost two months ago; however, it failed to tell its consumers of this cyber-security breach and is now being investigated by the FTC regarding recent events.

FACTS (brief, 6 sentences):

Equifax is a credit reporting agency that collects and aggregates information for millions of people in the United States and world-wide. Between mid-May and July 2017, Equifax was hacked, but it only disclosed this cyber-security breach about 6 weeks ago. Now, the company is facing investigation by the Federal Trade Commission and class-action suits from customers who might be affected or have already been affected. One of the main issues that plaintiffs face in attempting to sue Equifax is establish that they have suffered an injury which can be redressed by a favorable decision. Congress will have a hearing on October 3 where Equifax chief executive Richard Smith is expected to testify; however, some are not optimistic that this breach will cause Congress to act and pass bills to fix the deficiencies in the Fair Credit Reporting Act. Lastly, Equifax has changed its terms and conditions that required customers to agree to an arbitration provision and thus prohibiting them from suing the company.

ISSUES (Summarize both sides argument, both perspectives. You can use bullet points):

  • Whether Equifax violated the Fair Credit Reporting Act, which requires agencies that furnish a credit report to “maintain reasonable procedures” to avoid identity theft?
    • Yes: Under 15 U.S.C. §1681(b), “the consumer reporting agencies must adopt reasonable procedures for meeting the needs of commerce…in a manner equitable to the consumer”
      • Here, Equifax clearly breached its duty by 1. Not securing their customers information and 2. failing to disclose information regarding its breach (when it already knew about it) in a reasonable amount of time
    • No: Equifax did not breach their duty to their customers –
      • Plaintiffs have had great difficulty in the past proving that Equifax acted negligently in handling their customers’ information
        • However, this is because plaintiffs have a hard time showing they have standing and that their injury can be redressed by a favorable outcome
      • there is no time frame requirement to notify customers about a breach
        • However, Sen. Mark Warner (D-Va). is working on passing a data breach notification law, which would require companies to notify customers about a breach in a narrow time frame
      • Do plaintiffs have standing to sue Equifax over the breach if they do not suffer financial repercussions?
        • Yes: this threat of identity theft causes a concrete, particularized injury and can be redressed by suing Equifax
        • No: either 1. This is a generalized grievance, 2. Plaintiffs worrying about the possibility of identity theft is not imminent and actual 3. Plaintiffs suing will not redress their injury (if there is one)
          • Plaintiffs must show concrete emotional distress (Edeh v. Equifax Inco. Sers.), it is not enough to show concern, frustration, disappointment, and embarrassment
        • Whether companies have the power to impose arbitration waivers on plaintiffs?
          • Yes: Although Equifax changed their terms and conditions so that consumers could join a class action lawsuit to sue Equifax, companies currently have the power to impose arbitration on their consumers if included in their terms and conditions.
            • Currently, Rep. Ted Lieu (D-Calif.) said that he is drafting two bills, one that would create minimum data security standards for credit reporting agencies and the other would bar firms from forcing victims of data breaches into arbitration
          • No: A.G. Schneiderman announced in a press release on September 12, 2017 that no consumer will be required to waive his/her legal right to a class action lawsuit as a condition for enrolling in the company’s free credit monitoring and identity theft protection products

LAW (with references, no need for blue book citations. This is the most important part, make sure the attorneys can answer any questions from callers on the topic. You can use bullet points):

  • The Senate has already responded to this on September 15, 2017, required that Equifax (within 1 week): 163 Cong Rec S 5711
    • Commit proactively to reach out all individuals who may have been compromised
    • Provide credit monitoring and ID theft protection services for no less than 10 years
    • Offer impacted individuals the ability to freeze their credit
    • Remove arbitration provisions from any agreement or terms of use for products, services, or disclosures offered by Equifax
    • Equifax must agree to testify before Senate, FTC and SEC
  • Credit Reporting agencies have 1. The duty to conduct a “reasonable reinvestigation” into the dispute, including consideration of “all relevant information”; and 2. The duty to provide notification of the dispute to a finisher of information, and include “all relevant information regarding the dispute” in that notice. Edeh v. Equifax Inco. Servs., LLC; Also See 15 U.S.C. §1681i(a)
  • The court won’t decide a case without the plaintiff showing that the Credit Reporting Agency’s acts constituted actual damages under the Fair Credit Reporting Act. (See Millstone where the “plaintiff suffered loss of sleep, nervousness, frustration and mental anguish”) 528 F.2d 829, 834
    • Although emotional distress damages can constitute actual damages, this emotional distress cannot just be frustration and unhappiness (Edeh v. Equifax Info. Servs., LLC)

DETAILED FACTS (tell the story):

It is unclear whether plaintiffs will be successful in this case against Equifax. Although the FTC is investigating the company, plaintiffs may be unable to sue by their lack of standing if they have not already been impacted by identity theft. The company is being publically scrutinized for failing to tell its customers of this breach for 6 weeks, and Minority Leader of the Senate, Shumer, has set forth 5 requirements Equifax must meet in the very near future. Some of which, Equifax has already completed, including removing the arbitration provision in its terms of agreement and proving its customers the ability to freeze their credit at any point for 10 years. Furthermore, this cyber-security breach has the capacity of affecting half of the nation’s personal information, which may or may not prompt Congress to act and try to pass laws to prevent future breaches as well as try to redress the disastrous results of the most recent Equifax breach.

OTHER FACTS (interesting facts, related facts, trivia, etc.):

  • Equifax waited 6 weeks to tell its consumers about the breach and that their information had been compromised
  • It is rare that the FTC discloses their investigations, but in this case, the FTC has confirmed that it is investigating Equifax’s breach
    • The Consumer Financial Protection Bureau is also considering the company’s response to the breach

ARTICLE LINKS (so we can print them out):




MEDIA (less than a 2 minutes FUNNY sound bite. You can include a couple of options. We realize that for some topics there is not much):



More Posts

Send Us A Message