Daniel got his first credit card as a teenager growing up in a Twin Cities suburb.
It came with strict instructions from his parents: Use it only on small expenses like filling your gas tank. For everything else, pay for it from your bank account.
After nearly a decade of paying credit card bills on time, Daniel, now 26, can nearly recite his “excellent” credit score off the top of his head. That number’s been invaluable in his career as a budding tech entrepreneur.
“You need credit to run a business, obviously, but I guess I had kind of taken good credit for granted,” says Daniel, who asked to use a pseudonym. He’s been exposed enough as it is.
Like most Americans, he first heard of Equifax last fall, when the company disclosed it had allowed hackers to make off with the private information of 147 million Americans. Equifax, one of the “big three” credit reporting agencies, had diversified its business by trading in the most sensitive facts there are. Beyond credit scores and card numbers, Equifax coveted Social Security numbers, medical histories, and information on how much people make.
Maybe you don’t remember giving any of this to Equifax. That’s because you didn’t. Your bank or credit card company probably did. Your employer might have, too: Equifax collects data from thousands of American employers, including the three-fourths of Fortune 500 companies it counts as customers.
The scale of the data breach was historic, the risk to average, unwitting Americans unprecedented. Overnight, Equifax rocketed from obscurity to public enemy.
Then the news cycle turned over, floating new villains into view. Most Americans moved on.
Not Daniel. He was pissed about the thought of his pristinse score, built on years of restraint, suddenly vulnerable to any identity thief with enough wits to download a file.
And professionally, as someone “very into security and tech,” he sounds disgusted when he talks about Equifax’s failure to protect information. Soon after announcing its exposure, the company fingered a culprit: a single employee, whose job it was to inform its cybersecurity team to apply a patch, a simple upgrade that would’ve repaired a vulnerability in its storage system.
The missing patch had been available for months, and Equifax ignored “simple instructions” to protect itself.
“It’s a stretch to even call what happened a ‘hack,’” Daniel says. “My parents are the kind of people who have trouble using an iPhone. But I put it like this: ‘Hey Mom and Dad, would you leave a spiral notebook with the names and Social Security numbers of 150 million Americans in a house with unlocked doors?’ That’s what these guys did.”
The more he read, the angrier he got. Daniel searched his name and Social Security number on Equifax’s hastily assembled crisis response site, and was informed he was one of the people affected. Equifax then ushered the exposed into a sign-up for one free year of identity theft protection. The fine print on that offer conveniently waived the user’s right to sue Equifax, instead forcing them to go through arbitration, notoriously favorable to corporations over individuals.
Equifax later claimed the arbitration clause was a mistake, just one more minor oversight, and removed it.
Arbitration is so slanted toward businesses, the Consumer Financial Protection Bureau approved a rule last year neutering such clauses by financial institutions. Republicans fought back on behalf of banks. Two months after the Equifax scandal, Donald Trump signed a law repealing the rule.
Daniel avoided Equifax’s trap. He contacted an acquaintance, attorney David Madgett, who took the case to small claims court. That went badly. “We get zero verdict,” Madgett says, “and the judge essentially yells at me... like, ‘I can’t believe you’re trying to bleed this company.’”
The judge cited Equifax’s offer of free identity theft protection “for life at no cost,” information he’d evidently gleaned from a corporate witness Equifax flew in to testify. This was untrue; Equifax was offering only one year of protection. If Daniel expected to live without risk of Equifax’s making beyond age 27, he’d be paying out of pocket.
He appealed to district court. Madgett advised his client to take the preemptive step of buying identity theft insurance before the trial. Now they weren’t arguing “speculative” costs from some future event. Daniel was already paying for Equifax’s screw-up, and planned to do so for at least the next several decades.
Equifax again flew in an expert witness, and its lawyers argued that data breaches have become fairly common, and are not necessarily a sign of “negligent” behavior. Hearing this, Madgett scrapped his prepared closing argument. “I told the jury, ‘Don’t get lawyered. You don’t need to leave your common sense at the courtroom steps.’”
The jury would return a verdict of $7,200 in Daniel’s favor, enough to pay for 25 years’ worth of identity theft insurance worth up to $1 million. Similar judgments have come down in other states, but Madgett believes this jury’s award is the first of its kind in Minnesota. He expects more.
“It’s goddamned unbelievable Americans have to put up with it,” Madgett says. “This is not a consumer-facing business. It’s a business that deals—all their deals are with other businesses. People cannot opt out of dealing with this company. That’s the real travesty.”
Equifax politely declined to comment for this story. “We do not have anything to add at this time,” a spokesperson said.
So if you have any questions for them, about what they did with your most valuable and carefully held secrets, consider asking them before a judge.
More from Mike Mullen: