With 143 million people potentially hit by Equifax Inc.’s data breach this week, there’s no doubt there will be lawsuits — a lot of them.
“You’ll have suits in every state,” said Ben Meiselas, an attorney at Los Angeles-based Geragos & Geragos, which filed the first case in Oregon along with Michael Fuller of Olsen Daines in Portland, Oregon. Geragos & Geragos planned to file lawsuits in at least a dozen states within the next week, Meiselas said. “The full scope and magnitude is still being gathered, but it’s obviously one of the largest data breaches ever and affects almost half the population of the United States. That’s going to mean hundreds of lawsuits.”
Another class action was filed in Georgia, where Equifax is headquartered. On Friday, New York Attorney General Eric Schneiderman launched a formal investigation into the breach. There’s also a good chance that all the Equifax lawsuits will get coordinated into multidistrict litigation.
A major theme in the suits will be how Atlanta-based Equifax, whose entire business as a credit reporting agency is to maintain personal and confidential data on individuals, wasn’t prepared for hackers who have hit retailers and health care companies for that same information.
“The product this company trades in is the type of data that thieves want,” said Brian Gudmundson, a partner at Zimmerman Reed in Minneapolis who has served in lead counsel roles in litigation over data breaches at Arby’s, Wendy’s, Target and Home Depot. “They would certainly have to be under the highest level of security that there could possibly be and yet they seem to be a subject of a breach for a period of time that lasted almost two months and didn’t disclose it until a month and a half after they heard of it to the tune of 143 million — half the population of the United States. That’s a red flag. That’s a huge red flag.”
It’s a point that wasn’t even lost on Equifax.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Equifax CEO Richard Smith in a statement on Thursday. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
The company’s own actions have done little to calm the fears of consumers. Meiselas said his firm was getting thousands of calls by the hour on Friday. He said Equifax’s “horrible response” is “a teaching moment of how not to respond when there is a data breach like this.”
Here are five key takeaways about the Equifax actions in the immediate wake of the breach revelation:
• What Equifax should have known: What did Equifax know — and when did it know — about its own security risks? “While the events that led to the Equifax breach are now unfolding, early reports suggest that Equifax didn’t have proper practices in place and was operating without a cybersecurity vice president until recently,” said Eric Gibbs, a partner at San Francisco’s Girard Gibbs who had a lead role in the Anthem data breach litigation.
• How long it took Equifax to disclose the data breach: The actual breach went on from May to July, but Equifax didn’t find out about it until July 29. Then it didn’t announce it to the public until Thursday. “Waiting a month, or a month and a half, or two or to five months, seems really unreasonable,” Gudmundson said. “This isn’t necessarily people’s credit cards that people can cancel. This is everything.” Equifax acknowledged that speed was of the essence, noting that it “promptly engaged” a cybersecurity firm and contacted law enforcement authorities once it knew about the breach.
• How Equifax responded: Most of the 143 million affected by the Equifax breach don’t even know the company has their information. To find out, Equifax has provided a website to help consumers sign up to a program called TrustedID Premier. “What Equifax isn’t telling people is that it owns TrustedID, and that TrustedID’s growth is part of its longer-term business plans,” Gibbs said. By Friday, many consumers had taken to the internet to complain that they had to provide six digits of their Social Security number and then sign an arbitration agreement in which they agreed to waive their right to participate in a class action. Schneiderman, in a Twitter post on Friday, called the language “unacceptable and unenforceable.” Equifax has since clarified on the website that the class action waiver “applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.”
• Allegations that executives sold shares: Press reports on Friday said three Equifax executives sold nearly $2 million in stock in August. That’s just after the company says it became aware of the breach. But Equifax has insisted in a statement that the three executives didn’t know about the breach at the time. “That’s always highly, highly concerning,” Gudmundson said. “Sometimes, where there’s smoke, there’s fire. But sometimes, it’s something as innocent as school starting and people needing money for college tuition. That’s certainly an angle that’s worth exploring.”
• What was stolen: Equifax has insisted that there was “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.” Although credit card numbers for about 209,000 consumers were accessed, most of the data at risk involved names, Social Security numbers, birth dates and addresses. Many federal judges have ruled that fraudulent charges on one’s credit card or other costs are economic injuries that plaintiffs can use to establish standing to sue over data breaches in federal courts — but identity theft isn’t one of them. Plaintiffs’ lawyers were undeterred, noting that some judges have begun to rule differently. “We obviously believe in the line of cases that says that’s a redressable claim and confers standing,” Gudmundson said, “but it’s difficult to say how a court might come out.”