TalentBin Paid $1.15M in 2017. Kistler v. Eightfold Is the Sequel.

Your legal team has spent two years briefing you on Mobley v. Workday. They have the wrong case file open. The lawsuit that will actually rewrite your AI sourcing contract, your candidate disclosures, and possibly your vendor list was filed in Contra Costa County on January 20, 2026, and it has a nine-year-old template attached to it that nobody on your procurement call has read.

The case is Kistler v. Eightfold AI, Inc., now in the Northern District of California as 3:26-cv-1768. The template is Halvorson v. TalentBin, settled for $1.15M in July 2017. If you are buying, renewing, or shortlisting an AI sourcing or scoring platform this quarter, those two dockets are the only documents that matter.

Why Mobley is the wrong analogy

Mobley v. Workday is a discrimination case. It runs on an agency theory: the vendor allegedly acts as the employer's agent in making hiring decisions, so Title VII attaches. To win, plaintiffs eventually have to prove disparate impact or intent. That is hard, slow, and bounded by protected-class definitions.

Kistler v. Eightfold AI is not that. It is a consumer-protection action under the federal Fair Credit Reporting Act and California's Investigative Consumer Reporting Agencies Act. Plaintiffs do not need to prove bias. They do not need to prove the AI score was wrong. They do not need to prove a single hire was denied. They only need to convince a judge that Eightfold assembled a "consumer report" on a candidate and skipped the procedural scaffolding the statute requires: permissible-purpose certifications, employment-purpose certifications, summary-of-rights distribution, notice of user obligations, and a consumer file-access mechanism.

Those are the same five failures that sank TalentBin in 2017. Verbatim.

This is a vastly lower bar and a much bigger class. Fisher Phillips, Jones Walker, Akin Gump, Fox Rothschild, Norton Rose, and CDF have all published advisories in April and May calling Kistler the first FCRA test of an AI sourcing and scoring platform. When seven defense firms publish the same client alert in six weeks, that is not an opinion. That is a warning.

What the complaint actually says

The Kistler complaint, filed by Erin Kistler and Sruti Bhaumik, alleges that Eightfold scores applicants on a 0-to-5 scale based on "likelihood of success" by ingesting more than 1.5 billion global data points across profiles of over 1 billion workers. The data sources named in the pleading include LinkedIn, GitHub, Stack Overflow, Crunchbase, Hoovers, blogs, conference appearances, prior job-application history, location data, internet and device activity, cookies, and tracking data.

The operative allegation is that low-ranked candidates are "discarded before a human being ever looks at their application." That sentence is doing enormous work. It converts the AI score from "decision support" into a "consumer report" under 15 U.S.C. § 1681a(f), which is the threshold the entire case turns on.

Plaintiffs are represented by Outten & Golden (Christopher McNerney, Allison Aaronson, and Jenny R. Yang, the former EEOC chair) and Towards Justice (Rachel Dempsey, David Seligman, and Seth Frotman, the former CFPB Student Loan Ombudsman). This is not a fishing expedition. This is the plaintiffs' bar for AI employment cases, and they picked Eightfold first for a reason.

$1.15M

TalentBin is not a precedent. It is the answer key.

Halvorson v. TalentBin (3:15-cv-05166-JCS) was filed November 10, 2015 and received final approval on July 25, 2017. TalentBin had scraped GitHub, Stack Overflow, and other public sources to build candidate profiles for recruiters. The class covered anyone whose profile was exported to a recruiter between October 2, 2013 and August 8, 2016. Individual payments ran $100 to $500. Total: $1.15M.

The money was not the point. The remediation was. TalentBin, by then acquired by Monster Worldwide, had to "fundamentally change its product to comply with FCRA standards." It was a product rebuild, not a checkbox. The Halvorson TalentBin settlement is on the public docket, and Kistler's plaintiffs are using it as a template. The five FCRA failures alleged against Eightfold map one-to-one onto the five TalentBin failures. Same court. Same circuit. Same magistrate judge available. Same plaintiffs'-firm playbook.

If you want to know what your AI sourcing vendor's product will look like in eighteen months, read the TalentBin settlement docket. That is the leaked answer key for what consumer reporting agency AI recruiting compliance will require: standalone disclosures, written candidate consent, CRA certifications signed by the employer-client, summary-of-rights distribution, and a candidate file-access and dispute mechanism. None of that exists in your current Eightfold, SeekOut, Findem, or hireEZ deployment. I have looked.

The "public data" defense already lost

Vendors will tell you on the renewal call that scraping public LinkedIn and GitHub data is exempt from the FCRA because the data is public. TalentBin made exactly that argument. TalentBin denied being a Consumer Reporting Agency. TalentBin paid $1.15M and rebuilt the product. The "public data" position has never won at trial. It has only ever settled.

This matters because the entire AI sourcing category is built on the same architecture: ingest public profiles, enrich with inferred signals, rank candidates, push the top of the ranking to a human recruiter. If that architecture is a CRA when TalentBin does it, it is a CRA when Eightfold does it, and it is a CRA when the next nine vendors do it.

ClassAction.org is already soliciting plaintiffs and has publicly named the next targets in the queue: HireVue, Workday, Greenhouse, Lever (now Employ), and Ashby, "and potentially others." Defense advisories add SeekOut, hireEZ, and Findem to that list. Read that sentence again. Every meaningful AI sourcing or scoring vendor your team has demoed in 2025 and 2026 is named in a public investigation page or a defense-firm client alert. This is a queue, not a one-off.

The CFPB rescission is a trap

In 2024, the CFPB issued Circular 2024-06, "Background Dossiers and Algorithmic Scores," which said in plain English that a company "could meet the CRA standard if the entity collects consumer data in order to train an algorithm that produces scores or other assessments about workers for employers." The Circular was rescinded in 2025.

Your vendor's account executive will tell you the rescission means the theory is dead. It is not. The statutory text of 15 U.S.C. § 1681a(f) did not change when the Circular went away. The plaintiffs' theory in Kistler is built on the statute, not on the Circular. Jones Walker's May advisory is explicit on this: buyers who treat the rescission as cover are exposed. The Circular was guidance. The statute is law.

The "public data" defense has never won at trial. It has only ever settled. </pull> ## ICRAA makes California worse The California ICRAA is broader than the federal FCRA. It covers investigative reports on character and reputation, requires pre-report notice with a candidate opt-in to receive a copy, and gives candidates the right to know who received their report in the prior three years. Kistler pleads ICRAA in parallel with FCRA, which is why removal to federal court did not dispose of the state claims. For any company hiring in California, this is the binding constraint. If your sourcing tool is an investigative consumer reporting agency under ICRAA, the right-to-receive-the-report obligation alone breaks most current vendor UX flows. There is no candidate-facing portal in any AI sourcing tool I have evaluated that satisfies the three-year disclosure requirement out of the box. ## The liability squeeze falls on you Here is the part nobody wants to put in the procurement deck. Even when the vendor is the CRA, the FCRA imposes the standalone-disclosure, written-authorization, and two-step adverse-action obligations on the employer. Your TA org has these processes wired up for Checkr and HireRight background checks at the end of the funnel. You almost certainly do not have them wired up for the AI sourcing and scoring tool sitting upstream at the top of the funnel. That is the blind spot.

stat number: 88% label: of AI vendors cap their own liability in the contract note: Often at the monthly subscription fee. Only 17% warrant regulatory compliance. The employer eats the rest. (Jones Walker, May 2026.)

Read your Eightfold, HireVue, or SeekOut MSA. The indemnity is capped at one month of fees in most of them. When statutory damages run $100 to $1,000 per willful violation and the alleged database covers a billion profiles, the math is existential for the vendor and uninsurable for you. The vendor's lawyers already know this. Yours should too.

## What to do before your next AI sourcing RFP

Three concrete moves, in order.

First, ask the vendor in writing whether they self-classify as a Consumer Reporting Agency. If the answer is "no," ask them to indemnify you uncapped against an FCRA reclassification finding. The answer will be no. That is your signal.

Second, audit where in your funnel an AI-generated score gates a human review. Anywhere a score causes a candidate to be "discarded before a human being ever looks at their application," in the Kistler complaint's phrasing, you have an adverse-action obligation that nobody is meeting. That is true today, regardless of how Kistler is decided.

Third, separate sourcing from scoring. The legal exposure in Kistler comes from the scoring layer, not from the search layer. A tool that surfaces candidates against criteria you wrote in plain English, with the source evidence visible, is a sourcing tool. A tool that assigns a hidden 0-to-5 likelihood-of-success number and ranks humans against each other on that number is, on the Kistler theory, a consumer report.

This is the architectural distinction we built [Refolk](/) around. You ask in plain English, you get the candidates that match, and you see the GitHub, LinkedIn, and open-web evidence behind each match. No hidden score. No 0-to-5 likelihood-of-success number sitting between you and the candidate. The reason this matters for FCRA AI hiring tools risk is straightforward: when the human recruiter is the one weighing the evidence, the tool is not assembling a consumer report, it is running a search.

The Kistler v. Eightfold AI case will take eighteen to thirty months to resolve. The TalentBin docket is already public. You can read both this afternoon. The vendors in the queue cannot.

## FAQ

### Is Kistler v. Eightfold AI likely to settle or go to trial?

Halvorson v. TalentBin settled. Most FCRA class actions settle, because statutory damages of $100 to $1,000 per willful violation against a class of millions create an uninsurable downside for the defendant. Expect Eightfold to fight the motion to dismiss aggressively on the "we are not a CRA" question, lose or get a partial denial, and then settle with a remediation package that looks structurally identical to the TalentBin one. The interesting question is not whether it settles, but how much of the AI sourcing category's product surface has to change as part of the deal.

### Does this affect employers using Eightfold, or only Eightfold itself?

Both, and the employer exposure is larger than most TA leaders realize. Even if the vendor is reclassified as a CRA, the employer carries the standalone-disclosure, written-authorization, pre-adverse-action notice, and final-adverse-action notice obligations. Eighty-eight percent of AI vendor contracts cap vendor liability at the monthly subscription fee. When the regulator or a plaintiffs' firm comes looking, the deeper pocket is the employer, not the vendor.

### What about SeekOut, Findem, hireEZ, and other AI sourcing tools?

ClassAction.org's investigation page and the April and May defense-firm advisories name HireVue, Workday, Greenhouse, Lever, Ashby, SeekOut, hireEZ, and Findem as plausible next targets. The theory in Kistler is architectural, not vendor-specific. Any tool that ingests public and inferred data, assigns a score or ranking, and gates human review on that score is exposed. The relevant question on your next RFP is whether the tool produces a hidden score that drives exclusion, or whether it produces a transparent search result that a human evaluates.

### How should I rewrite my AI sourcing RFP this quarter?

Add four questions. One: does the vendor self-classify as a Consumer Reporting Agency under the FCRA or ICRAA, and will they indemnify uncapped against a reclassification finding? Two: does the product assign a numerical score that gates whether a human reviews the candidate? Three: what candidate-facing disclosure, file-access, and dispute mechanism does the vendor provide, and does it satisfy ICRAA's three-year recipient-disclosure requirement? Four: will the vendor sign the FCRA certifications the statute requires of CRA users? Vendors that cannot answer those four questions cleanly are the ones in the queue.