On November 10, plaintiffs, and the members of the class and subclasses they seek to represent, filed a complaint in the Northern District of Georgia against a major credit reporting company, consolidating individual suits filed against the company since September in each of the 50 states and the District of Columbia. The plaintiffs allege that the company’s data breach (covered previously in InfoBytes)—in which hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers—has led to, among other things, identity theft, unauthorized credit and debit card charges, and applications for unauthorized student loans.

The complaint alleges a series of missteps by the company before, during, and after the breach, including: (i) not applying a recommended security patch; (ii) failing to recognize the breach for over three months; (iii) not warning consumers for another month after discovering the breach, thus preventing timely credit freezes or other protection methods; (iv) sending confusing emails and notices to consumers about whose data was compromised and how to protect themselves after the breach; and (v) creating confusion as to whether an arbitration clause included in the terms of service for the company’s credit monitoring website would apply to consumers using the service.

The plaintiffs seek, among other things, class certification; permanent injunctive relief; disgorgement and restitutions of earnings; compensatory, consequential, general, statutory, and punitive damages; declaratory relief; and attorneys’ fees.