When the credit score giant, Equifax, announced in September 2017 that their site had been hacked, the reveal was of precedent-setting magnitude. The security breach compromised the data of over 143 million customers, potentially exposing personal information such as names, birth dates, Social Security numbers, driver’s licenses, and credit card numbers. Lawsuits were filed instantaneously. Less than 24 hours after Equifax made its big reveal, a proposed class action lawsuit was filed in a federal court in Portland, Oregon. Quickly, other lawsuits followed. In light of the severity of the breach and the enormity of the lawsuits, it was only a matter of time before the class actions grew to a size large enough to warrant centralization. Although the United States Judicial Panel on Multidistrict Litigation ruled that these class action suits will be centralized in one district, the litigation has only just begun.
The Equifax Data Breach: How Can Customers Protect Their Data?
In September 2017, Equifax publicly announced that their site’s security had been compromised. Tellingly, the announcement came over a month after Equifax had privately discovered the breach. As one of the biggest credit-reporting companies in the country, Equifax stored data belonging to over 820 million customers and 91 million businesses, including employee data submitted by over 7,100 employers. The data breach has potentially disclosed personal information on nearly 44% of the U.S. population.
In an attempt to ameliorate the panic of its customers, Equifax created a website, Equifaxsecurity2017.com, where customers could check if their information had been compromised. However, the website proved futile, as customers reported receiving different answers on different days concerning their data. Because Equifax is still determining what information exactly was affected, their website does not definitively state whether or not one’s personal information was impacted, just whether they “believe” so. As such, the website has been a poor indicator for whether a customer’s data had been compromised.
The company also offered their customers a year of free credit monitoring through their subsidiary, TrustedID. However, after the year had passed, customers need to still maintain monitoring. Many customers had placed fraud alerts on their credit reports, but these alerts come with the caveat that they expire every 90 days. A credit freeze is another option, which prevents lenders from accessing a customer’s credit report without the customer “unfreezing” it with a PIN number. A credit lock works in a similar manner, but can be unlocked without the use of a PIN. However, none of these precautions are guaranteed safety measures in light of the breach.
Class Action Lawsuits
Since Equifax’s announcement, class action lawsuits have been accruing at rapid speed. Over 240 class actions have been filed against the company, including a rare 50-state suit, which names plaintiffs from every state who have been injured due to the security breach. The complaint alleges numerous acts of negligence on Equifax’s part including: failing adequately alert customers to the breach; creating a conflicting credit monitoring service with an arbitration clause barring plaintiffs from joining class actions; sending customers a fake credit freezing website; allowing hackers further access to the website which prompted customers to download a fraudulent software update; and allowing top Equifax executives to sell $1.8 million in stock preceding the announcement of the breach. The complaint enumerates 83 separate causes of action on behalf of a nationwide class and two statewide subclasses brought under state consumer protection laws and data breach statutes. The complaint alleges that Equifax’s business practices were deceptive and unfair.
The payout from the lawsuits is expected to be bigger than typically seen in other cyber security cases. First, security experts (and Equifax’s own customers) have pointed out that a class action settlement that only included free credit monitoring services would be inadequate to deter identity theft in the long-term and also serves as a means for Equifax to coerce their customers into paid subscription monitoring services. Secondly, courts have been increasingly more willing to recognize the harm in cyber security breaches. While Equifax has estimated that the breach will cost them approximately $87.5 million, this estimate does not include the cost of any judgments, settlements, or penalties.
Centralization and the Future of Equifax Litigation
Last month, the United States Judicial Panel on Multidistrict Litigation granted a motion to centralize the 97 pending actions against Equifax. The Panel held that centralization in the Northern District of Georgia would be the most convenient for the parties and witnesses while also promoting just and efficient litigation. The majority of the class actions are pending in the district, as it is also where Equifax is headquartered. While some plaintiffs opposed centralization in the district, the majority of the parties supported the move, including the defendants Equifax, Inc., Equifax Information Services LLC, and Equifax Consumer Services, LLC. The Panel found that centralizing pretrial proceedings is these actions, all of which share factual issues concerning the Equifax’s cybersecurity breach, would eliminate duplicative discovery, prevent inconsistent pretrial rulings on class certification and other issues, and conserve judicial resources.
Some plaintiffs requested exclusion of their class actions from centralization, arguing that they assert unique claims and can coordinate the pretrial proceedings informally. The Panel was not persuaded holding that “the substantial factual overlap among all actions, including those in which plaintiffs seek exclusion, is undeniable, and any slight variations in the claims alleged is immaterial to the benefits to be had from centralized proceedings. Given the scope of this nationwide litigation, informal coordination with some cases would be unworkable here.” The transferee court, overseen by the Honorable Thomas W. Thrash, will decide “the extent and manner of coordination or consolidation of actions in an MDL.” The Panel also noted that, aside from the 97 pending actions, there are more than 200 potentially-related actions against Equifax filed in over 60 federal districts which are potential tag-along actions.
In light of the ever-increasing number of lawsuits, the centralization of the 97 cases thus identified by the Panel, and the evolving landscape of cyber security in general, the Equifax litigation will undoubtedly set a precedent for how future large-scale data breaches will be handled.
