You have probably heard that Equifax, one of the 3 big nationwide credit reporting companies, recently had a huge data breach.
Some 143 million Americans have had their information compromised.
Considering that there were 323.1 million Americans in 2016, and that lots of Americans, like children, don’t have credit reports, this is probably more than half of American adults.
WHAT DID EQUIFAX LOSE TO HACKERS?
According to the Life lock, the hackers got names, addresses, birth dates, Social Security numbers, and driver’s license numbers.
This is all the information that someone needs to open a credit card in someone else’s name, or to fraudulently file a tax return and steal someone’s tax refunds.
It is not possible to easily change this information to prevent people from using it in the future.
Sure you can move and get a new address, but it would be expensive and annoying to friends and family to change your name.
It is also almost impossible to get a new Social Security number.
In Minnesota, people get a new driver’s license once every 5 years.
WHAT ARE MY LEGAL RIGHTS?
I am a bankruptcy lawyer, so I am not an expert on this, but I have done some research for Minnesotans.
The basics don’t look good.
Minn. Stat. Section 325E.61 says that any person or business that maintains data with the personal information of Minnesotans must notify affected people “in the most expedient time possible and without unreasonable delay,” unless there is some sort of law enforcement reason to keep the data breach secret.
Equifax knew of this breach on July 29, 2017, and didn’t go public with it until September, 2017.
That doesn’t seem to be the most expedient way possible.
Equifax also has not notified all people affected by the breach. They only made a website that allows you to search and see if you are affected or not.
The Minnesota courts have not decided whether making a website that people can search to see if they were affected counts as notifying the affected people.
What about people who don’t use the Internet? Does the website notify them?
One thing Minnesota Courts have decided is that Minn. Stat. Section 325E.61 does not allow individual people to bring lawsuits against companies that suffer data breaches.
In a 2014 case about the Target data breach, the Minnesota Supreme Court found that only the Attorney General may enforce the data breach statute on behalf of Minnesotans.
WHAT DOES THE MINNESOTA ATTORNEY GENERAL RECOMMEND?
As of press time in September, 2017 the Minnesota Attorney General has not started an enforcement action.
The Attorney General’s website recommends that everyone freeze their credit profiles with each of the 3 credit bureaus, Experian, Transunion, and Equifax. It costs money to freeze one’s credit profile.
Why freeze all 3?
Because someone who got your name, address, and Social Security number can open credit accounts anywhere.
Many of the lenders check one of the other 2 bureaus instead of Equifax, so if you only freeze with Equifax, then you are only partially protected.
Interestingly, the Attorney General says that Equifax will not be notifying people individually by mail, telephone, email or text.
If you receive a communication from someone purporting to be from Equifax, they are probably trying to scam you.
I do not offer legal advice on whether this policy complies with the requirement that a company with a data breach notify all who were affected by the breach.
Because Minnesota law does not allow Minnesotans to bring individual lawsuits for data breach, our only option is to try and limit harm by freezing credit profiles.
Also, it is wise to file your tax returns early so that no one steals your tax refunds.
Tax refund theft is another common practice of identity thieves, and is best presented by filing your tax returns as soon as you have your W-2s, 1099s, and other tax documents.
SO WHAT ARE YOUR RIGHTS?
At present, your rights seem to be only to wait and see.
Because Equifax collected your personal information and did not safeguard it, that info was lost to hackers.
These hackers may now open new accounts in your name or try to steal your tax refunds.
Your only real right seems to be to spend time and money protecting yourself from fraudsters.
I am not an expert on privacy law, I focus my practice on bankruptcy.
If you are harmed by the Equifax breach, I recommend you consult with a specialist.