On January 28, Thomas W. Thrash, Jr., the Chief Judge of the United States District Court for the Northern District of Georgia, issued four decisions on motions to dismiss in cases arising out of the Equifax data breach. Below are a few noteworthy takeaways.

Factual Background

From mid-May through the end of July 2017, hackers stole personally-identifiable information of nearly 148 million American consumers by exploiting a vulnerability in certain software used by Equifax (the “Data Breach”). Litigation arising out of the Data Breach was consolidated into a Multidistrict Litigation (“MDL”) styled as In Re Equifax, Inc., Customer Data Security Breach Litigation, 1:17-md-2800-TWT.

Chief Judge Thrash issued decisions on motions to dismiss in the MDL regarding (1) the Consumer Cases, (2) the Financial Institution Cases, and (3) the Small Business Cases. Chief Judge Thrash is also presiding over a consolidated federal securities fraud class action lawsuit arising out of the Data Breach and issued an order on a motion to dismiss in that case on the same day. Each of the Court’s decisions are discussed in turn below.

The Consumer Cases

In the Consumer Cases, the plaintiffs (“Plaintiffs”) brought a variety of claims, purporting to represent a class of individuals who were allegedly injured by the Data Breach. The Court first held that Plaintiffs could not assert claims under the Fair Credit Reporting Act because Equifax did not “furnish” any “consumer report” within the meaning of the FCRA. Rather, hackers stole information about Plaintiffs which did not fall within the definition of data subject to the FCRA.

However, the Court held Plaintiffs could assert tort claims for negligence and negligence per se under Georgia common law, which applies to the case due to choice-of-law principles. The Court held Equifax had an independent duty to protect the consumers’ information because it knew of a foreseeable risk to its security systems and allegedly did not follow reasonable procedures to secure the information. Plaintiffs sufficiently alleged actual injury, as some Plaintiffs had suffered identity theft, and had sufficiently alleged concrete potential injury in the form of an increased risk of harm. The criminal nature of the hackers’ behavior did not cut off Equifax’s potential liability because a jury could conclude such conduct is reasonably foreseeable in light of the many other data breaches that have occurred.

The Court further held Plaintiffs failed to assert claims for breach of contract because Equifax’s Privacy Policy prohibited damages, and Plaintiffs could not assert an implied contract due to the valid merger clause in Equifax’s Terms of Use. The Court also reached Plaintiff’s unjust enrichment claim given the lack of a contractual relationship and absence of any allegation that Plaintiff had provided anything of value to Equifax.

Plaintiffs’ claims under various Georgia statutes—the Georgia Fair Business Practices Act (“GFBPA”), the Georgia Uniform Deceptive Trade Practices Act (“GUDTPA”), and Georgia’s statute regarding notification after a personal information data breach—all failed. Under current Georgia law, the GFBPA and GUDTPA do not apply to data breaches, and Georgia’s law regarding notification after a data breach is not privately enforceable. Plaintiffs also asserted claims under other states’ Uniform Deceptive Trade Practices Act laws and other states’ data breach notification laws, some of which survived the motion to dismiss. Finally, Plaintiffs’ claim for attorneys’ fees under Georgia law was allowed to proceed because the Plaintiffs’ made sufficient allegations of “bad faith.”

The Financial Institution Cases

In the Financial Institution Cases, various banks, credit unions, and associations sought to remedy the financial losses they allegedly suffered and continue to suffer as a result of the Data Breach. The claims asserted by these Plaintiffs include negligence, negligence per se, negligent misrepresentation, and claims under various state business practices statutes.

Equifax moved to dismiss Plaintiffs’ claims, arguing, among other things: (1) Plaintiffs lack standing and fail to allege any cognizable injuries; (2) Plaintiffs fail to establish a duty or causation as required to proceed with their negligence-based claims; (3) Plaintiffs’ negligence per se claim fails because the statutes relied upon do not set out any specific statutory duty to protect personally identifiable information; and (4) Plaintiffs failed to plead their negligent misrepresentation claim with the required specificity as required under Rule 9(b).

Ultimately, Equifax’s motion was granted in part and denied in part. With respect to standing, the Court found the Plaintiffs in this case can be categorized into two groups. The first group was made of the “Financial Institution” Plaintiffs, who allegedly spent time and money: (1) responding to the compromise of the credit reporting system and personal information they rely upon for their business; (2) assessing the impact of the Data Breach as required by applicable law; and (3) mitigating the alleged “substantial risk” of future fraudulent activity. The second group of Plaintiffs, the “Financial Institution Card Issuers,” assert the same allegations plus a fourth – they allege they issued payment cards compromised in the Data Breach and have spent time and money reissuing payment cards or reimbursing customers.

After dividing Plaintiffs into these two categories, the Court found Plaintiffs adequately pled standing as to the Financial Institution Card Issuers but failed to adequately plead standing with respect to the Financial Institution Plaintiffs. In support of this conclusion, the Court found that reissuing payment cards and reimbursing customers for fraudulent charges, as alleged only by the Financial Institution Card Issuers, “are not speculative and are not threatened future injuries, but are actual, current, monetary damages.” Because the same type of concrete and particularized injury had not been alleged by the Financial Institution Plaintiffs, and because their alleged injuries were not actual or imminent, their case was dismissed.

The Court also dismissed the case with respect to the “Association Plaintiffs” who sought to bring claims on behalf of their financial institution members who had allegedly suffered injury as a result of the Data Breach because the Association Plaintiffs did not identify the specific members who have standing.

After addressing standing, the remainder of the Court’s opinion and order applied only to the surviving claims of the Financial Institution Card Issuers. With respect to the negligence claim, the Court concluded Equifax owed the Financial Institution Card Issuers a duty of care to safeguard the information in its custody, namely arising from the allegations that Equifax knew of a foreseeable risk to Equifax’s data security systems but failed to implement reasonable security measures. The Court also dismissed the negligence per se claim to the extent it was predicated upon the Gramm-Leach-Bliley-Act (“GLBA”) alone, which the Court ruled does not provide a specific standard of conduct that is sufficient to give rise to a legal duty under Georgia law. To the extent the negligence per se claim was predicated on the Safeguards Rule of the GLBA, however, which does provide an ascertainable standard of conduct, the Court permitted the claim to continue. The Court also agreed with Plaintiffs that Section 5 of the FTC Act can provide a statutory duty for a negligence per se claim under Georgia law and therefore, Equifax’s Motion to Dismiss with respect to the negligence per se claim was largely denied.

In addressing Equifax’s argument that Plaintiffs failed to sufficiently plead a claim for negligent misrepresentation, the Court, following the Georgia District Court’s precedent, found that Rule 9(b) does not apply to claims of negligent misrepresentation, but that even if Rule 9(b) were to apply, Plaintiffs’ allegations would likely suffice. Indeed, the Court found “Plaintiffs have alleged the specific misrepresentations that the Defendants made, which Defendants made them, how such representations were false, and why the Defendants knew or should have known that those statements were false.” Such allegations, the Court concluded, are sufficient.

Finally, the Court also reviewed the claims brought under the Georgia Fair Business Practices Act, foreign state fraud and consumer protection statutes, claims relating to payment card data, and Plaintiffs’ “ancillary claims.” The Court dismissed the GFBPA claim, finding the Act does not require the safeguarding of personally identifiable information but allowed a majority of the other claims to continue.

The Small Business Cases

A group of ten small businesses sought to bring claims on behalf of a class of small businesses that allegedly relied upon the personal creditworthiness of their owners to obtain and maintain credit (the “Small Business Plaintiffs”). The Small Business Plaintiffs contended their owners’ personal information might have been involved in the Data Breach, and alleged they were harmed by having to take measures to combat the risk of identity theft and by expending time and effort to monitor the credit of their owners.

Equifax moved to dismiss the Small Business Plaintiffs’ claims, arguing: (1) the businesses lacked Article III standing to assert claims for alleged injuries arising out of the alleged breach of their owners’ personal information, and (2) the economic loss doctrine precluded the Small Business Plaintiffs from asserting tort claims. The Court agreed with both of Equifax’s arguments and dismissed the claims.

The Court noted that each of the Small Business Plaintiffs are distinct legal entities from their individual owners. While the owners could seek recovery of their damages in the Consumer Cases, the Small Business Plaintiffs were “not entitled to a second recovery” for the alleged injuries to the owners as small business owners. The Court further held the Small Business Plaintiffs’ alleged injuries were too speculative because Small Business Plaintiffs would have to prove: (a) their owners’ data was compromised and obtained by some criminals; (b) the owners’ credit was directly impacted by the criminals’ misuse of the information; (c) the Small Business Plaintiffs thereafter attempted to rely on the owner’s credit for their own “creditworthiness and continued operations”; and (d) the Small Business Plaintiffs’ “creditworthiness [or] continued operations” were harmed as a direct result of the owner’s damaged credit.

The Small Business Plaintiffs also failed to allege a substantial risk of harm that was sufficient to confer standing. Because of the long, attenuated chain of events that would have to occur before the Small Business Plaintiffs might suffer an injury because of the Data Breach, they did not face an “imminent injury” and their allegations about the alleged costs they incurred were “nothing more than the exercise of ordinary due diligence in monitoring their creditworthiness.”

Finally, the Court held that the economic loss doctrine barred the Small Business Plaintiffs’ tort claims. The doctrine prevents a plaintiff from recovering economic losses associated with injury or damage to another person. Because the Small Business Plaintiffs were distinct legal entities from their owners, the businesses could not recover for alleged injuries to the owners. Equifax did not breach an independent legal duty to the Small Business Plaintiffs, the Court held, because Equifax’s duty to safeguard the information of the individuals was owed to them personally. Accordingly, the Court dismissed the Small Business Cases in their entirety.

The Securities Case

A separate case—In Re Equifax, Inc. Securities Litigation, 17-cv-3463-TWT—is also pending before Chief Judge Thrash, who issued an order on Defendants’ motion to dismiss on the same day as the other orders discussed above. In this case, the lead plaintiff (“Plaintiff”) has brought claims on behalf of a putative class of investors that purchased securities of Equifax from February 25, 2016 through September 15, 2017. Plaintiff asserted claims under sections 10(b) and 20(a) of the Securities Exchange Act of 1934 against Equifax and four individuals who were corporate officers at Equifax during the putative class period. [Disclosure: Troutman Sanders LLP represents one of the individual Defendants in this litigation, former Chief Executive Officer Richard F. Smith.]

Plaintiff alleged Defendants made false or misleading statements and/or omissions about the sensitive information in Equifax’s custody, the vulnerability of Equifax’s internal systems, and Equifax’s compliance with cybersecurity regulations and best practices. As a result, Plaintiff and the other putative class members allegedly suffered a loss in the value of their investments when the Data Breach was revealed.

The Court dismissed the claims against three of the individual Defendants but allowed the claims against Equifax and its former CEO to proceed to discovery. Additionally, the Court limited the scope of allegedly false or misleading statements that could be actionable, holding: (1) “Defendants were under no duty to disclose the existence of the Data Breach before they knew it had occurred”; (2) the mere “occurrence of the Data Breach did not itself make [certain] prior statements false or misleading”; (3) Defendants’ warnings that “Equifax could be vulnerable to a data breach” were not misleading; and (4) Defendants’ representations about certain internal controls in place at Equifax were not false or misleading.