Equifax breach is the worst leak of personal info ever

Started by jimmy olsen, September 08, 2017, 06:40:23 AM


The Minsky Moment

Quote from: alfred russel on September 08, 2017, 11:41:46 AM
Quote from: The Minsky Moment on September 08, 2017, 11:39:30 AM
Credit card fraud losses mean the issuers or networks have to charge higher transactions fees which means higher prices.

If the transaction fees are too high, then vendors can always have two prices: one for cards and one for cash (I believe the post 2008 financial reforms mandated that this be possible, but even if they did not, it is a relatively easy fix - much easier than truly securing all data).

There's a reason why most vendors don't do that - consumers don't like it.
But for the sake of argument, let's say the response to increasing fraud losses is that more and more vendors do it, and the spread between cash and credit keeps increasing.  That means that the cost for the convenience value of credit goes way up.  It also means that cash becomes a more prominent means of payment in the economy as a whole, which is not a desirable thing either.
The purpose of studying economics is not to acquire a set of ready-made answers to economic questions, but to learn how to avoid being deceived by economists.
--Joan Robinson

alfred russel

Quote from: The Minsky Moment on September 08, 2017, 11:52:00 AM

There's a reason why most vendors don't do that - consumers don't like it.
But for the sake of argument, let's say the response to increasing fraud losses is that more and more vendors do it, and the spread between cash and credit keeps increasing.  That means that the cost for the convenience value of credit goes way up.  It also means that cash becomes a more prominent means of payment in the economy as a whole, which is not a desirable thing either.

#1: I pay for everything with a card, and never carry cash, because it is more convenient. I wouldn't like an increased charge for the credit option, but it wouldn't be the end of the world by any stretch.

#2: There is an alternative scenario where getting a credit card becomes a bit more burdensome. More is done than a quick online application to verify identity.

#3: If we shift toward a more cash economy, I tend to agree that would be a negative, but there are also current problems with consumer credit card debt. There would be benefits as well.

In summary, I agree with you that data privacy breaches are bad and can harm us all. But in the grand scheme of things, the negative effects don't seem so awful.
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.

There's a fine line between salvation and drinking poison in the jungle.

I'm embarrassed. I've been making the mistake of associating with you. It won't happen again. :)
-garbon, February 23, 2014

grumbler

Quote from: alfred russel on September 08, 2017, 09:24:12 AM
Dan Goodin didn't say it was the worst ever in the article Tim posted.

I'm not contending this was not the worst leak ever. I just think that if you are going to start a thread with the only comment, "Damn, we're fucked", the thread title should reflect what the article says. If Tim titles a thread "The Sky is Blue" (or more likely "The Skie is Blew"), and posts a link to an article about how water is wet, with just the comment, "Damn, we're fucked", I'll still complain about the thread title. The accuracy of the statement doesn't change the failure to a) reflect the contents of the article, or b) introduce the topic for discussion.

I would agree with you if Tim was merely commenting on an article.  If he points out a larger conclusion than is stated in one article of many to be true (rather than just probably true), though, the article certainly doesn't disprove his statement.

Frankly, you sound like you are just being pedantic for the sake of pedantry.  There is plenty of evidence to support Tim's argument, and none (as you concede) readily available to dispute it.
The future is all around us, waiting, in moments of transition, to be born in moments of revelation. No one knows the shape of that future or where it will take us. We know only that it is always born in pain.   -G'Kar

Bayraktar!

CountDeMoney

Quote from: Berkut on September 08, 2017, 11:12:55 AM
Quote from: alfred russel on September 08, 2017, 11:06:35 AM
Quote from: Berkut on September 08, 2017, 10:44:47 AM

I have no idea what your objection is here.

I've stated my objection. Sorry you struggle to comprehend.

Comprehending your objection certainly is a struggle.

You are arguing with a Russian with at least one sock account.

HVC

a con artist doesn't see an issue with making cons easier? colour me shocked :D
Being lazy is bad; unless you still get what you want, then it's called "patience".
Hubris must be punished. Severely.

grumbler

Quote from: alfred russel on September 08, 2017, 11:42:57 AM
For some. I venture that there are some wise people on the forum that understood what and why I was objecting.

I don't think that anyone on this forum is from your planet, so maybe you should strive to communicate in our language and not assume that there is someone else here who speaks Stupid well enough to understand what and why you were objecting.
The future is all around us, waiting, in moments of transition, to be born in moments of revelation. No one knows the shape of that future or where it will take us. We know only that it is always born in pain.   -G'Kar

Bayraktar!

merithyn

Quote from: alfred russel on September 08, 2017, 11:03:46 AM
Quote from: Berkut on September 08, 2017, 10:38:06 AM
So two days ago I got a call from my credit card company, asking me if I was really spending $2987.48 with some unknown internet company in Spain.

Of course I was not, so they denied the charge and cancelled my card.

But I am sure there is nothing really to worry about around internet security.

I've had similar things happen to me. Not once have I been stuck with the charges (and in your example the sale apparently didn't even go through, so neither the card company nor the vendor was harmed). So...who cares?

I use two specific credit cards to pay certain bills. Each time this has happened to me - and it's happened a couple of times - those bills didn't get paid on time because my cards have been cancelled and I haven't gotten the new ones yet to pay the bill. That adds up over time.

Additionally, when we ran the toffee shop, often the charge would go through initially, only to come back as a fraud charge after. The toffee would already be gone, which left us holding the bag. Plus, as we would have accounted for that sale in other ways, if it were a big order, it could leave us strapped in other ways.

Multiply all of that by 143,000,000.
Yesterday, upon the stair,
I met a man who wasn't there
He wasn't there again today
I wish, I wish he'd go away...

viper37

A way to find if you are affected by the breach (maybe)

It's a convoluted and unclear process.  And I'm not sure I still trust Equifax with a website where I need to enter my social security number.  But, it could be the only way for many of you to avoid potential nightmares later on.

Enrollment must be completed by November 21st, if you are affected.
I don't do meditation.  I drink alcohol to relax, like normal people.

If Microsoft Excel decided to stop working overnight, the world would practically end.

Eddie Teach

Quote from: alfred russel on September 08, 2017, 11:42:57 AM
Quote from: Berkut on September 08, 2017, 11:12:55 AM
Quote from: alfred russel on September 08, 2017, 11:06:35 AM
Quote from: Berkut on September 08, 2017, 10:44:47 AM

I have no idea what your objection is here.

I've stated my objection. Sorry you struggle to comprehend.

Comprehending your objection certainly is a struggle.

For some. I venture that there are some wise people on the forum that understood what and why I was objecting.

What: Tim's existence
Why: that I don't get
To sleep, perchance to dream. But in that sleep of death, what dreams may come?

merithyn

Quote from: viper37 on September 08, 2017, 12:37:29 PM
A way to find if you are affected by the breach (maybe)

It's a convoluted and unclear process.  And I'm not sure I still trust Equifax with a website where I need to enter my social security number.  But, it could be the only way for many of you to avoid potential nightmares later on.

Enrollment must be completed by November 21st, if you are affected.

Don't be so quick to do this...

https://www.washingtonpost.com/news/the-switch/wp/2017/09/08/what-to-know-before-you-check-equifaxs-data-breach-website/?utm_term=.661a7cff2899

Quote
Worried you may be affected by Equifax's massive data breach? The credit bureau has set up a site, equifaxsecurity2017.com, that allows you to check whether your personal information was exposed. But regulators are becoming concerned that the site could pose risks to consumers. As a result, you may want to think twice about using it. Here's why.

The website's terms of service potentially restricts your legal rights.

Sharp-eyed social media users have combed through the data breach site's fine print — and have found what they argue is a red flag. Buried in the terms of service is language that bars those who enroll in the Equifax checker program from participating in any class-action lawsuits that may arise from the incident. Here's the relevant passage of the terms of service:

AGREEMENT TO RESOLVE ALL DISPUTES BY BINDING INDIVIDUAL ARBITRATION. PLEASE READ THIS ENTIRE SECTION CAREFULLY BECAUSE IT AFFECTS YOUR LEGAL RIGHTS BY REQUIRING ARBITRATION OF DISPUTES (EXCEPT AS SET FORTH BELOW) AND A WAIVER OF THE ABILITY TO BRING OR PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION. ARBITRATION PROVIDES A QUICK AND COST EFFECTIVE MECHANISM FOR RESOLVING DISPUTES, BUT YOU SHOULD BE AWARE THAT IT ALSO LIMITS YOUR RIGHTS TO DISCOVERY AND APPEAL.

This language is commonly known in the industry as an "arbitration clause." In theory, arbitration clauses are meant to streamline the amount of work that's dumped onto the court system. But the Consumer Financial Protection Bureau concluded in the summer that arbitration clauses do more harm to consumers than good — and the agency put in place a rule to ban them.

"In practice, companies use these clauses to bar groups of consumers from joining together to seek justice by vindicating their legal right," Richard Cordray, the CFPB's director, told reporters in July, according to my colleague Jonnelle Marte.

For consumers affected by Equifax's breach, this is a live issue; there is already at least one class-action suit brewing against Equifax.

If the government is moving to bar arbitration clauses, then why is one in there?

Despite the CFPB's move to ban arbitration clauses, the rule has not yet gone into effect, according to the agency. That won't happen until Sept. 18, the CFPB said. What's more, the rule doesn't work retroactively, meaning that the Equifax legalese would not be covered anyway. The ban only affects contracts made after March 19, 2018, six months after the rule takes effect.

The CFPB said Friday that Equifax's arbitration clause was "troubling" and that the agency is investigating the data breach and Equifax's response.

"Equifax could remove this clause so that consumers can receive this service without condition," the CFPB said in a statement.

The future of the ban is itself in doubt; just after the CFPB approved the rule, House lawmakers voted to repeal it. The motion to repeal must still be voted on by the Senate and signed by President Trump to become official, but if it does, then the CFPB's regulation could be nixed.

On Friday, New York Attorney General Eric Schneiderman took aim at Equifax's arbitration clause, tweeting that his staff has contacted the company urging it to remove that part of the fine print.

"This language is unacceptable and unenforceable," the state's top lawyer said in his tweet. Minutes later, Schneiderman's office announced a formal probe into the Equifax breach. In a release, the state attorney general's office said Schneiderman had sent a letter to Equifax asking for more information. Among the questions were whether any consumer information has found its way to the "black market," according to a person familiar with the investigation.

A spokesperson for Schneiderman declined to comment on whether officials were investigating the sale of company stock by Equifax executives prior to the discovery of the hack.

So should I register with the Equifax site, or not?

It's up to you, but you should know going into the process what you're signing up for.

Friday morning, after social media users began complaining about the arbitration clause, Equifax updated its terms of service to give consumers an escape hatch if they do not wish to be bound by its language.

Here's how the opt-out provision reads:

In order to exclude Yourself from the arbitration provision, You must notify Equifax in writing within 30 days of the date that You first accept this Agreement on the Site (for Products purchased from Equifax on the Site). ...

You must include Your name, address, and Equifax User ID, as well as a clear statement that You do not wish to resolve disputes with Equifax through arbitration.

This language helps address some of the concerns, but it requires consumers to remember to write to Equifax.

Meanwhile, there's something else that you should know if you do decide to use Equifax's website to check if you were affected.

The site demands even more information from you to prove your identity.

To make sure that the person checking the database is really you, Equifax's data breach site asks for your last name and the final six digits of your Social Security number. This is extremely unusual. While the site is legitimate, the fact that you must volunteer more of what would otherwise be private information may not inspire much confidence.

Is there anything else I can do?

You can still monitor your own credit by obtaining a copy of your credit report. Every year, you can request a free copy of your report from each of the three major credit reporting agencies. This means that you can effectively check your credit free every four months or so. You can also put a proactive freeze on your credit, which will prevent unauthorized use.
Yesterday, upon the stair,
I met a man who wasn't there
He wasn't there again today
I wish, I wish he'd go away...

Malthus

Quote from: The Minsky Moment on September 08, 2017, 10:06:29 AM
Quote from: grumbler on September 08, 2017, 08:23:58 AM
I can see liability lawsuits coming, but I am not sure on what basis they will succeed.  Can lawtalkers talk here about the obligations Equifax had, and to whom?

Cases usually get brought alleging state law violations, including consumer protection laws or business practices laws - some of which are quite broad - or state common law claims on theories like negligence, breach of contract, quasi-contract, or unjust enrichment.

The usual defense approach in these cases is to move to dismiss for lack of standing on the ground that there is insufficient evidence of injury.  A 2013 Supreme Court case is often interpreted to suggest that some proof is needed of actual identity theft or economic loss - that can be difficult to show as the bad guys usually don't publicize their bad acts.  In this case - however - given the depth and breadth of the info - social security, drivers license numbers, birth dates etc - there is a better chance of convincing a court of injury.

In Canada, by way of comparison, there exists a statutory right to damages based on the federal Personal Information Protection and Electronic Documents Act, if the breach was exacerbated by a failure to abide by statutory requirements. Though what kind of quantum you could get, I don't know. The statute expressly allows a court to award damages for "humiliation", so presumably you could get above and beyond mere proven economic losses.

Quote
Remedies

16 The Court may, in addition to any other remedies it may give,

(a) order an organization to correct its practices in order to comply with sections 5 to 10;


(b) order an organization to publish a notice of any action taken or proposed to be taken to correct its practices, whether or not ordered to correct them under paragraph (a); and


(c) award damages to the complainant, including damages for any humiliation that the complainant has suffered.

The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane—Marcus Aurelius

11B4V

But of course they did

Quote
Three Equifax executives sold shares of the credit-reporting company worth nearly $2 million shortly after a massive data breach was discovered. The sales occurred before the company announced the breach to the public on Thursday.


http://money.cnn.com/2017/09/08/investing/equifax-stock-insider-sales-hack-data-breach/index.html
"there's a long tradition of insulting people we disagree with here, and I'll be damned if I listen to your entreaties otherwise."-OVB

"Obviously not a Berkut-commanded armored column.  They're not all brewing."- CdM

"We've reached one of our phase lines after the firefight and it smells bad—meaning it's a little bit suspicious... Could be an amb—".

Iormlund

How come you guys get all those fraudulent charges on your cards? Don't you get sent an SMS with a one-time code to confirm online purchases? Don't you use a PIN code for purchases in a store?

Admiral Yi

Quote from: Iormlund on September 08, 2017, 02:22:30 PM
How come you guys get all those fraudulent charges on your cards? Don't you get sent an SMS with a one-time code to confirm online purchases? Don't you use a PIN code for purchases in a store?

No and no.

Valmy

Quote from: Iormlund on September 08, 2017, 02:22:30 PM
How come you guys get all those fraudulent charges on your cards? Don't you get sent an SMS with a one-time code to confirm online purchases? Don't you use a PIN code for purchases in a store?

When I can on the first one. Only when I am using my debit card on the second part.
Quote
"This is a Russian warship. I propose you lay down arms and surrender to avoid bloodshed & unnecessary victims. Otherwise, you'll be bombed."

Zmiinyi defenders: "Russian warship, go fuck yourself."