It's been almost two years since word first leaked out that the massive data broker Experian had, through a subsidiary known as Court Ventures, allowed a Vietnamese identity thief to buy access to databases containing the personal and confidential information on up to 5 out of every 6 American adults — 200 million people in all.
The identity thief in question, Hieu Minh Ngo, was sentenced last week to 13 years in prison.
Lawsuit cites negligence
A couple of days later, on July 17, three plaintiffs filed a federal class action suit against Experian in California, alleging that the company was negligent in allowing an identity thief to buy access to its data for nearly 10 months.
Security expert Brian Krebs (who first broke word of the Experian breach in October 2013) announced the lawsuit yesterday. The 38-page suit, which is available as a .pdf here, seeks statutory damages for alleged violations of the Fair Credit Reporting Act, declaratory and injunctive relief, and reimbursement of the plaintiffs' court costs and litigation expenses.
The suit also claims that “Experian refuses to notify the victims of Ngo's identity fraud operation or provide them with protection even though Experian knows their identities, and its senior vice president promised Congress [that] Experian would 'make sure they're protected'.”
Therefore, the plaintiffs have asked the court to force Experian to notify all consumers who were affected by Ngo's actions. They're also pushing for Experian to provide everyone who was affected with free credit monitoring services.
Incidentally, in American English, “make a federal case” is a common idiom used to indicate that somebody is overreacting: “Dude, he didn't intend to spill your drink! There's no need to make a federal case out of this.” But in other contexts, it's not an idiom but a straightforward description, as in “Apparently you do need to make a federal case out of it, if you want Experian to notify the victims of its own negligence.”