Equifax’s headquarters in Atlanta.
Photo: John Disney/ALM

Equifax’ ever-growing list of legal problems resulting from a July data breach that exposed over 143 million people’s sensitive personal information now has a new entry: a chatbot.

Chatbot company DoNotPay released a set of chatbots that can help consumers sue Equifax for negligence. Users provide their name and address to the bot and it feeds the information into a state-designated form users can then print and file directly with the court.

DoNotPay’s Equifax bots were first available specifically to residents of California and New York, and on Sept. 12, DoNotPay founder Joshua Browder launched bots to file small claims against Equifax in all 50 states. The California and New York bots alone have already generated over 5,000 small claims alleging negligence.

Browder was among the consumers hit by the breach, which prompted him to look for a way to bring technology to bear on the issue. After consulting with a few attorneys, Browder settled on the small-claims approach, which should not preclude consumers from participating in larger class action litigation.

“The best part about it is that lawyers often aren’t allowed in small claim lawsuits, like in California,” Browder told Legaltech News. The tool, Browder said, makes it easy for pro se litigants to handle these issues on their own.

California, Michigan and Nebraska all require consumers to defend themselves in small claims court. While other states permit attorney representation for small claims, potential awards may not be enough to cover attorney fees.

Small claims awards are capped in all 50 states, but range from $2,500 in Rhode Island and Kentucky all the way up to $25,000 in Tennessee. (Georgia, where Equifax is headquartered, has a small-claims cap of $15,000, except in eviction cases.)

Ken Canfield, an attorney with Doffermyre Shields Canfield & Knowles, flagged both pros and cons to the chatbot’s potential. Canfield concluded that small-claims court may not be the best way for consumers to seek damages from the breach, as consumers are likely to face an uphill battle in proving harm.

“It’s a nice idea. It has the potential to put some pressure on Equifax that isn’t there otherwise, but in terms of being a viable remedy for consumers, it’s not probably particularly useful,” Canfield said.

That pressure largely depends on how many people file small claims against Equifax with or without the tool. If DoNotPay succeeds in creating a massive number of small claims around this issue, it could force Equifax to hire attorneys in essentially every state to defend against them, which could be far costlier than handling a class action claim.

“The existence of this remedy may get the Equifaxes of the world to see the benefits of class actions,” Canfield noted. To date, there are at least 23 different class action lawsuits filed against Equifax in the wake of July’s data breach.

So far, Equifax hasn’t shown much interest in embracing class action lawsuits. Earlier this year the company worked with Akin Gump Strauss Hauer & Feld to push for amendments to the Fair Credit Reporting Act (FCRA) that would effectively limit class action damages.

Browder said that the attorneys he’s consulted with say that bot’s small-claims strategy should allow users to pursue class action remedies even if they file a negligence claim for maximum damages with the bot.

Seton Hall University Law School professor David Opderbeck said that this strategy’s success may be contingent on the way the “class” is ultimately defined. Filing a small claim against Equifax may, according to Opderbeck, actually preclude consumers from either the class or its ultimate settlement.

“It sounds like what you’d be doing ultimately potentially is opting out of the class,” Opderbeck noted, adding that while consumers may want to do that for various reasons, they probably shouldn’t do so at the urging of a chatbot.

DoNotPay’s broader strategy of applying small claims court pressure on Equifax also raised red flags for Scheef & Stone attorney Sean Tuma, who pointed to the lack of success that even practiced attorneys have in proving harm in cybersecurity claims. Especially given that data breach and cybersecurity remains a fairly new body of law, the potential bombardment of small-claims courts around the country with Equifax-related claims could backfire on consumer protections in this space altogether.

“I don’t think that’s going to help the development and refinement of this body of law,” Tuma said.

Data breach settlements are a new area for DoNotPay, which has primarily handled access-to-justice issues since its founding last year. Browder said the outpouring of interest in the Equifax bot may open doors to more targeted consumer protection work. “I might take on more of this corporate takedown stuff,” Browder said.

To date, Browder has not heard from Equifax about the bots. “Not yet,” Browder said, “but they’re about to get 5,000 lawsuits.”