If you get hit for that, you're on the hook, not them. That's explicit in their ToS. Have fun, kiddos.

Nope.

Third party lending as a broad policy trend has certainly opened up over time, but some states still have the restriction, others have reformed it, others call it a different thing and some have abolished it.

Is the risk substantial in your specific case? Maybe not. Maybe it is. Just know there's a risk there and you're the one eating it.

Also, the amounts available in small claims court seems like peanuts compared to my data being "out there" permanently. This is just a general observation--I'm not impugning Legalist with this statement at all. I guess it may seem like small potatoes weighed against the risks, it's not like everyone impacted by this could get appropriate remuneration for the potential lifelong BS caused by this.

I have a feeling that in small courts you can at least get more than that. PA for example has a max of $12k claim amount.

If you feel that Equifax has caused you, say, USD $100k in damages, you can certainly file a "regular" civil suit against them and ask for that amount.

And i'm not a lawyer just thinking out loud.

And since judges probably have seen pretty much everything under the sun, they probably would get the gist of it even if you don't answer in these exact words. And I am not sure judges would also be sympathetic to "auto-lawsuit" setups where you are allowed t generate lawsuit by filling a form without anybody actually ensuring there's a case. And Legalist seems to be advertising "automatic" support - i.e. without even considering if you actually have the case or not. It's basically automatic lawsuit generator. I don't think it'd make judges happy.

Lawsuit financing may be a great idea - I actually like this approach - but turning it into opportunistic money-grabbing mill is probably makes more harm than good.

[1] If you don't believe people really answer like that, check this out: https://wlflegalpulse.com/2017/08/18/food-court-follies-frau...

Maybe Plaintiff John Doe isn't going to be able to exhaustively demonstrate quantifiable material damages, but maybe the court hands out a default judgment.

The real opportunistic money-grabbers here are Equifax...they took their own data breach, which is basically historically unprecedented in its scale, and used it as a way to shill one of their own credit score monitoring products. That, IMO, is despicable. If it's easier to sue these guys for their negligence, so be it.

Does anyone have recommendations for quantifying the damages? Something the judge won't toss out?

Also why does this make us put in the court where we will file? Doesn't it need to be where Equifax is located, and won't it be the same for everyone?

That really ticks me off the most about this. These guys collect you information without your explicit permission then when one of them fucks up and that data gets you YOU HAVE TO PAY THEM TO STOP BAD THINGS FROM HAPPENING.

--

FCRA § 604. states that "any consumer reporting agency may furnish a consumer report under the following circumstances and no other", and lists allowable reasons to dispense a credit report.

FCRA § 607. requires compliance, stating that an agency must "limit the furnishing of consumer reports to the purposes listed under section 604."

FCRA § 616. imposes civil liability for willful noncompliance at a minimum of $1000, even if that is greater than actual damages already sustained.

(a) In general. Any person who willfully fails to comply with any requirement imposed under this title with respect to any consumer is liable to that consumer in an amount equal to the sum of

..<snip>..

(B) in the case of liability of a natural person for obtaining a consumer report under false pretenses or knowingly without a permissible purpose, actual damages sustained by the consumer as a result of the failure or $1,000, whichever is greater;

..<snip>..

(2) such amount of punitive damages as the court may allow;

--

This suggests to me that you will be able to seek "actual damages sustained by the consumer as a result of the failure or $1,000, whichever is greater", plus any punitive damages the court awards (I do not believe this is generally done in small claims). You would need to demonstrate that the failure to safeguard your information was willful.

If I have $1000 in cash stolen from my house by someone not authorized to work in the US, I'm not liable for an employer violation for not filling out an I-9 form...

It's a fairly broad definition. Per press release, Equifax made a data communication of this info to someone who did not show a permissible purpose under § 604.

I would argue that Equifax had months to patch CVE-2017-5638, but they did not. Their web application continued furnishing parts of my consumer report to anyone capable of running https://github.com/mazen160/struts-pwn.

In a statement, Apache Struts wrote, "This vulnerability was patched on 7 March 2017, the same day it was announced ... In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner."

https://blogs.apache.org/foundation/entry/media-alert-the-ap...

(I have extremely little sympathy for Equifax here, around any aspect of what they did and did not do. It's still not clear to me though that it was willful by a legal definition/interpretation. I'm quite sure we will find out.)

Money to be made all around on this deal.

Seriously, though, IANAL but I think you're right, I've read a couple other statements to that effect, that you'd have a hard time suing for the _potential_ for trouble. And would a judge require you to _prove_ an ID Theft was the result of the Equifax breach or just one of the other, smaller breaches?

Just because someone has my SSN and my name doesn't mean they are me.

Making it my job to monitor for fraud is bs.

Also, it's unclear what court you're supposed to file in. I did some research and, at least in New York, you're supposed to file a claim where the defendant does business. I put my local county small claims court in (New York County Civil Court), but I'm not sure if that was right. Maybe because Equifax is such a big company doing business everywhere I can file in my local court? Otherwise it looks like I would need to file in Atlanta, where their headquarters is.

https://www.massbar.org/publications/lawyers-journal/2016/no...

BTW, what are you giving up when you sue Equifax and win? Does winning absolve Equifax of any liability or need to help you in case of future identity theft?

These guys should be, at the very least, fined by the government for how blatantly careless they were with consumers' PII. I can't believe the credit bureau oligopoly in the United States is this technologically incompetent, but I suppose it's not surprising given the lack of economic incentive to innovate. Hefty fines / settlement payouts should do the trick...

would love to be able to use legalist but I'm not even sure if I'm a victim

How do you prove this in court?

"Your honor, I gave a Dark Web hacker some bitcoin and they said I was definitely affected."

points to the Equifax page here: https://www.equifaxsecurity2017.com/potential-impact/

As far as I remember, you could enter any random information into their form and it will say you were affected. That is the proof that Legalist is asking to provide the basis for the suit.

Also, SC is probably your worst option, as far as ROI goes. If you want a more strategic sense of your legal options, check out:

http://myradvocate.com/new-blog/2017/9/10/5vpvo8j70gnergoci4...

How do I know Legalist is dependable and trustworthy so that my personal information is NOT going to be leaked by Legalist again in the future for the second time?

And small claim court filling fee is only less than $100 (in my state it's $35, appeal is $250 refundable). And maximum claim amount in small claim court in my state is $3000.

Is it worthy for me to trust another 3rd party with my sensitive information to get at most 3k (in reality it will be much less and there is also the fee from Legalist).

I personally don't think this is a useful service AT ALL.

IANAL, but it doesn't look like Legalist is handling any information that you wouldn't be making publicly available in a court filing were you to do this yourself. As someone who doesn't have the time or diligence to do all this myself, I actually find this pretty useful.

No problem. If that happens, Legalist would be happy to finance you suing them in a small claims court!

What type of SSL certificate -- DV or EV -- did the Legalist web site have, if any?

I'm just interested in {whether|how many of} you bothered to look before submitting your information.

(I'm asking because I was reminded of a recent HN discussion about DV/EV certificates and this seemed as good of a "test case" as any.)

Sure. It was a discussion [0] of an article by Troy Hunt entitled "On the Perceived Value of EV Certs, Commercial CAs, Phishing and Let's Encrypt" [1].

(There have been a few other recent discussions [2,3] that also mentioned EV that you might be interested in.)

> I've been looking into SSL recently for some personal sites and the easiest method has been a combination of GitHub pages / Cloudflare.

That seems to be a pretty common setup (for "easy"), as well as static sites on AWS S3, etc.

Most of my sites run WordPress on my own (physical) servers so I can't personally comment on those methods.

> ...aren't EV certs just a cash grab by the issuing authorities?

That seems to be the popular opinion (at least here on HN), though I can understand the desire to use EV over DV in certain situations.

[0]: https://news.ycombinator.com/item?id=14805233

[1]: https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas...

[2]: https://news.ycombinator.com/item?id=14749565

[3]: https://news.ycombinator.com/item?id=15221119

Do I owe legalist their fee if I win, but am unable to collect from Equifax?

It takes me to /equifax-sent/ but title is 500 Error

From their home page:

> All legal bills covered.

> Litigation is expensive. Whether it’s attorney’s fees or that expert witness report you need to prove damages, litigation costs can add up. When you’re backed by Legalist, you don’t have to worry about unexpected legal expenses. Focus on growing your business, and we’ll take care of it.

I'm always skeptical of assurances like this.

Just because you don't know how lawyerin' works is no excuse to be insulting. They take a contingency, like every other friggin' lawyer on the planet. (No financial interest, don't know the founders from Adam, yada, yada)

The class against Equifax is huge and you should absolutely be aware that less than ethical lawyers are going to come out of the woodwork making all sorts of promises so that they can get their slice of what Equifax is going to pay out. The lawyers that I want to work with will either charge me an hourly fee or they will be upfront that my involvement in a class means that I'll be helping to punish Equifax but that I'll be forgoing most damages to do so.

Actually, there are countries where lawyers don't (and legally can not) take contingency fees.

Not allowed to advertise, either.

"Legalist funding varies from case to case, depending on your case details and our risk assessment outputs. Apply now to get a rate!"

"But if you do file the case and win $1000, we'll recover alongside you"

It's funny how many people are upset by my comment. The only thing I can say is that, when I hire a lawyer, the point is to have them clarify the law for me and translate it into plain english. If a lawyer won't even put their own fees into plain english, I don't believe they are working for me so I won't hire them.

[0] https://www.linkedin.com/in/eshang/

> Only if you win your case is repayment deducted from your recovery. Legalist funding varies from case to case, depending on your case details and our risk assessment outputs.

1. https://www.legalist.com/faqs/

Edit: formatting

My jurisdiction limits claims to $6000 and allows attorneys.

How common is this?