After Equifax's massive data breach - social security number, date of birth, and address from 143 million Americans stolen by cyber criminals - the question is: Can a financial institution be liable for using wrong Equifax data?
One would expect that this Equifax event will result in an increase in ID theft. Banks trust credit scores provided by Equifax and other agencies. Indeed, they rely mostly on these numbers to offer or decline a loan. What if they offer a loan to a (fake) army colonel that is not even a US citizen, that is not on any payroll, has a phone number different from mine, and lives in a different state, but just happens to have the same social security number as me, as a result of ID theft and the bank's reliance on credit scores attached to a social security number.
In the Equifax data breach, even secrete questions and answers (name of your first pet and so on) used by customers to recover account access,has been compromised. In short, now the fraudster can use this info to unfreeze accounts or modify your address, before applying for a loan with stolen credentials. In my case, my answer to these questions is a code, that I change over time, so no big deal, but most people still honestly answer and rely on these questions. Equifax now allows you to check if your information has been compromised, but who would still trust them at this point? Even their top executives sold millions of dollars worth of shares right after they learned about the incident. Frankly, I don't see what kind of future they have; few would want to use their data for business decisions moving forward: The risk of litigation in case of corrupt data, is too high..
To come back to my initial question, what would happen if someone sued not Equifax, but a bank using Equifax to offer a loan based on wrong data? Some banks do a good job identifying fraudulent applications, and some do a terrible job. Criminals know which ones to target. and in my above real-life example (fake army colonel that is not even a US citizen, and not on any payroll), you could argue that this is just reckless data science or reckless use of data. By the way, that fake colonel received more than $80,000 in various loans and credit cards, all from one agency: Navy Federal Credit Union. I suppose he or his associates were jailed or something bad happened to them, as the last $15,000 were never spent. I did not incur any loss myself, except waste of time.
I believe it is a great startup idea to launch a website that would allow all victims of ID theft to provide their email address, name of financial institution responsible for reckless data science, and to mention the accounts being opened with the fake data. That way, class action lawsuits would be possible not only against Equifax, but against the institutions relying on the credit score and doing a terrible job at fraud detection. Afterall, Wells Fargo was sued for manufacturing millions of fake accounts (to boost their statistics and stock price). In the case of ID theft, the consequences are far worse, which justifies even harsher litigation.
The same applies to any kind of data science: Predicting the path and severity of an hurricane, and being off by a large margin, could be linked, in some cases, to reckless use of statistical techniques, resulting sometimes in billion dollars of losses.