The plaintiffs’ bar wasted no time in filing suit following Equifax’s announcement of a data breach last Thursday. Dozens of class action lawsuits have already been filed challenging Equifax’s alleged failure to implement adequate cyber security measures to prevent a data breach earlier this year involving social security numbers, addresses and driver’s license numbers of 143 million customers, and credit card information of over 200,000 customers. See, e.g., McGill v. Equifax, Inc., Case No. 3:17-cv-1405 (D. Or. Sept. 7, 2017); McGonnigal v. Equifax, Inc., Case No. 1:17-cv-03422 (N.D. Ga. Sept. 7, 2017); Gersten v. Equifax, Inc., 3:17-cv-01828 (S.D. Cal. Sept. 8, 2017); Tirelli v. Equifax Info. Svcs, LLC., Case No. 7:17-cv-06868 (S.D.N.Y. Sept. 11, 2017); Davis v. Equifax, Inc., 1:17-cv-06883 (S.D.N.Y. Sept. 11, 2017). The lawsuits also challenge the timing and method of Equifax’s notification to customers and certain trading activity following the breach. Investigations have been announced by the U.S. Consumer Financial Protection Bureau, the Federal Bureau of Investigation, two Congressional committees and at least five attorneys general (including those from New York and Illinois).
One lawsuit is seeking almost $70 billion in damages. The $70 billion question, then, is whether plaintiffs can overcome two major hurdles: establishing standing and adequately alleging damages. The body of case law on these defenses keeps growing and shifting, particularly following the Supreme Court’s watershed decision last year in Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016). For example, just last month, the U.S. Court of Appeals for the Eighth Circuit affirmed the dismissal of a putative class action against Scottrade, a securities brokerage firm that was attacked by hackers in 2013. Kuhns v. Scottrade Inc., Nos. 16-3426, 16-3542 (8th Cir. Aug. 21, 2017). Plaintiffs alleged the hackers used the information to manipulate stock prices, operate illegal gambling websites, and run a Bitcoin exchange. The court found that plaintiffs had standing for their contract claims, based on a theory that the services had a diminished value under the contract, but punted on whether plaintiffs had standing under a consumer fraud statute. Ultimately, the court affirmed the dismissal because the complaint failed to allege specific, actual damage resulting from the hack, instead relying on “allegations of worry and inconvenience.” Some circuits have come out the other way, finding that credible allegations of an increased risk of fraudulent charges were sufficient to establish standing, but whether the plaintiff can prove any compensable losses remains a separate question. See, e.g., Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016).[ii]
Establishing that the putative class plaintiffs were damaged, or even actually affected, by the Equifax breach may prove to be difficult. Equifax indicated it will directly notify the customers whose credit card numbers were accessed; none of the plaintiffs in the complaints reviewed alleged they received such a notification. Many of the plaintiffs’ allegations identify the resulting harm as fear, inconvenience, and unspecified costs. One New York case (Davis) alleges “deprivation of the value of” the plaintiffs’ personal information. One Georgia plaintiff alleges he “recently had four credit accounts opened in his name without his authorization” and had multiple credit inquiries, which may adversely affect his credit score. Only one plaintiff, in the Oregon case, alleges an out-of-pocket cost (i.e., payment to a third-party service to monitor and repair his credit). Given the number and geographical diversity of the cases filed, results of any motions to consolidate the matters in one court or coordinate matters as a multi-district litigation may be significant to the outcome.
Another legal battlefront may emerge between Equifax and the thus-far unnamed “U.S. website application” that Equifax has cited as responsible for the hack. Equifax reported that hackers exploited a vulnerability in the application to gain access to certain files. An analyst report by Baird Equity Research claims that it was Struts, which is an open-source software package that provides a programming framework for building web applications in Java. Security researchers identified two security flaws in Struts in March and September of this year. The Apache Software Foundation, which distributes Struts, seemingly corroborated the report that its software was involved. Apache did not know which security flaw was involved, but responded that Equifax either failed to apply a critical security patch or the flaw was unknown at the time of the breach (i.e., a zero-day exploit). Reportedly, approximately 65% of Fortune 100 companies and some government agencies (including the IRS) utilize Struts. Assuredly, those entities will be watching closely as the situation develops.