Equifax Faces Bumpy Legal Terrain as Consumer Suits Mount
Credit-reporting company Equifax Inc., which last week suffered a massive data breach, could face a tougher challenge in court than other corporate giants that have dealt with the legal fallout of data breaches, according to legal experts.
Unlike earlier retailer hacks, such as those suffered by Home Depot Inc. and Target Corp., the Equifax breach is bigger in scope, potentially compromising the personal information -- including Social Security and driver's license numbers -- of roughly 143 million U.S. consumers.
The legal terrain, meanwhile, has become bumpier for hacking defendants. A few years ago, consumer litigation over data breaches had trouble even getting onto the docket. But as the number of hacking cases rises, judges have been increasingly willing to let data-breach plaintiffs have their day in court.
"Five or six years ago, it was much easier to simply get lawsuits dismissed," said Amy Mushahwar, a data-privacy and security attorney at Davis Wright Tremaine LLP in Washington, D.C.
Since Equifax disclosed last Thursday that hackers had gained access to some of its systems, more than 100 lawsuits have been filed in federal courts across the country, according to a review by The Wall Street Journal.
"Equifax's only job in life was to safeguard data," said Marc Dann, whose Ohio law firm and co-counsel have brought lawsuits against Equifax in at least seven states.
Finding aggrieved plaintiffs didn't take a lot of searching, Mr. Dann said. "I couldn't take out the garbage without someone asking me to represent them in this case," he said.
An Equifax spokesman didn't respond to a request for comment. The company said last week that it is offering free identity-theft protection and credit-monitoring to U.S. consumers. "We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations," Equifax Chief Executive Richard Smith said last week.
Many of the Equifax lawsuits allege the company was a negligent custodian of personal data that millions rely on to establish their identity and creditworthiness.
Most of the complaints bring their claims under the Fair Credit Reporting Act, a 1970 federal law that imposes data-security requirements on consumer-reporting firms. The FCRA gives consumers rights to access their credit and ensure their credit file is accurate. The law offers per-violation damages that could be easier to prove than actual damages, but is little tested in the area of data-breach litigation.
Until recently, courts have generally declined to hear data-breach lawsuits trying to hold a company responsible for the havoc wrought by hackers. The reason: Plaintiffs in federal court generally must allege they suffered a concrete injury and that the injury can be redressed.
But more courts are warming to the idea that even the threat of identity theft -- and the aggravation, distress and cost of containing the risk -- can cause harm.
Last month, the U.S. Court of Appeals for the District of Columbia Circuit overturned the dismissal of a lawsuit against health insurer CareFirst BlueCross BlueShield over a 2015 data breach. The appellate judges disagreed with a lower court finding that the injury claims were too speculative.
CareFirst said it plans to ask the U.S. Supreme Court to take up the issue. The company's lawyers stated in their filing that they want the justices to "guide courts in sorting out the claims of truly injured victims of data breaches from those who file class actions without being able to allege that any harm is real."
The breadth of the Equifax breach could make it harder for the credit-reporting company to either win the cases in court or settle them cheaply, say legal experts.
When credit- or debit-card information is compromised, as in data breaches at Target and Home Depot, consumers could minimize the risk of identity theft or fraud by getting new cards and enrolling in credit-monitoring services.
With Equifax, hackers gained access to servers containing customers' names, social-security numbers, birth dates and addresses. The exposure of that personal information, which consumers use to apply for credit cards or to take out loans, raises the specter of a longer-term privacy threat that could encourage plaintiffs to push further into the discovery process instead of settling early, said Craig Newman, a cybersecurity lawyer at Patterson Belknap Webb & Tyler LLP.
(END) Dow Jones Newswires
September 13, 2017 19:01 ET (23:01 GMT)