A lawsuit seems appropriate, but I'm confused on their allegations. How can this lawsuit claim that Equifax "wasn't spending enough or doing enough to protect the information" when nobody, except for those within the company, know how much is spent or done to protect the information?
Is there some public record I'm not aware of that says Equifax underspent on cybersecurity? Or is this lawsuit just a shot in the dark hoping to hit a target?
I wouldn't be surprised at all if the allegation is true, but AFAIK there's no way these individuals actually have proof of it, and it seems like a flaw in our legal system that people are allowed to make allegations like this without any type of proof.
That's what the "or" is for in "wasn't spending enough or doing enough." It's evident that they did not do enough to protect the information. Spend is a proxy for action, but ultimately it's the action (or inaction) that matters here. I only see them exonerating themselves to a large degree if they engaged in routine third-party audits of their security and consistently responded to every identified issue.
If the plaintiff's expert witnesses can be brought in to show convincingly that the nature of the breach - as we can see from the outside - suggests basic common safeguards were not taken, that could force Equifax's hand to show otherwise.
Is there some public record I'm not aware of that says Equifax underspent on cybersecurity? Or is this lawsuit just a shot in the dark hoping to hit a target?
I wouldn't be surprised at all if the allegation is true, but AFAIK there's no way these individuals actually have proof of it, and it seems like a flaw in our legal system that people are allowed to make allegations like this without any type of proof.