Not two months have passed since Equifax publicly admitted that the personal data of up to 143 million Americans may have been compromised in a massive hacking breach. In that short time, over 100 federal lawsuits have already been filed against the credit-reporting company. The claimants are not just individual consumers but states like Massachusetts, which recently announced plans to sue Equifax. According to CNBC, other states, including New York, Pennsylvania, and Connecticut, are jointly investigating the breach.[1]

In response to concerns that Equifax would require arbitration of claims related to the data breach, Equifax has clarified that no consumer will be required to waive the right to a class action lawsuit to receive free credit monitoring and identity theft protection.[2] Equifax said on its website that it “will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.”

Though Equifax will not force arbitration, consumers may face other legal hurdles to maintaining lawsuits in courts of law. A major hurdle for these plaintiffs has been standing, i.e., the constitutional requirement that there must be a concrete injury that can be redressed by the court. In other words, many courts have found that victims of data breaches have not shown a sufficiently concrete injury merely by having their data compromised. This appears to be changing with the increasing problem of identity theft and, in the case of credit-reporting companies like Equifax, in situations in which many consumers never voluntarily disclosed their information to these companies in the first place. Federal courts including the 3rd, 6th, 7th, and District of Columbia Circuit Courts of Appeal have held in the past two years that the mere increased risk of identity theft or credit card fraud gives consumers a threshold right to bring a class action.[3] This is not the law in all circuits. Other circuits, including the 2nd, 4th, and 8th, have required a specific injury, such as a showing that the compromised information was actually misused. With the large volume of lawsuits already filed, the United States Supreme Court will have a broad array of cases to choose from if it decides to take up the issue and resolve the circuit split.