by etjossem 3205 days ago
I am not a lawyer, this isn't legal advice backed by any level of expertise in the law. But if I had to write a complaint for small claims right now, here's what I'd bring up:

--

FCRA § 604. states that "any consumer reporting agency may furnish a consumer report under the following circumstances and no other", and lists allowable reasons to dispense a credit report.

FCRA § 607. requires compliance, stating that an agency must "limit the furnishing of consumer reports to the purposes listed under section 604."

FCRA § 616. imposes civil liability for willful noncompliance at a minimum of $1000, even if that is greater than actual damages already sustained.

(a) In general. Any person who willfully fails to comply with any requirement imposed under this title with respect to any consumer is liable to that consumer in an amount equal to the sum of

..<snip>..

(B) in the case of liability of a natural person for obtaining a consumer report under false pretenses or knowingly without a permissible purpose, actual damages sustained by the consumer as a result of the failure or $1,000, whichever is greater;

..<snip>..

(2) such amount of punitive damages as the court may allow;

--

This suggests to me that you will be able to seek "actual damages sustained by the consumer as a result of the failure or $1,000, whichever is greater", plus any punitive damages the court awards (I do not believe this is generally done in small claims). You would need to demonstrate that the failure to safeguard your information was willful.

2 comments

I think you'd also have to demonstrate that Equifax "furnished your consumer report".

If I have $1000 in cash stolen from my house by someone not authorized to work in the US, I'm not liable for an employer violation for not filling out an I-9 form...

"The term 'consumer report' means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for [credit]."

It's a fairly broad definition. Per press release, Equifax made a data communication of this info to someone who did not show a permissible purpose under § 604.

I would argue that Equifax had months to patch CVE-2017-5638, but they did not. Their web application continued furnishing parts of my consumer report to anyone capable of running https://github.com/mazen160/struts-pwn.

How do you show "willful noncompliance" if they were hacked?

Equifax left a critical security vulnerability open for quite a while after it was announced, and confirmed that it was used in the breach.

In a statement, Apache Struts wrote, "This vulnerability was patched on 7 March 2017, the same day it was announced ... In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner."

https://blogs.apache.org/foundation/entry/media-alert-the-ap...

Incompetence, poor judgment, and/or laziness is probably not the same as willful non-compliance.

(I have extremely little sympathy for Equifax here, around any aspect of what they did and did not do. It's still not clear to me though that it was willful by a legal definition/interpretation. I'm quite sure we will find out.)