Lawyers suing over the Equifax data breach have turned to the Fair Credit Reporting Act — a statute the credit reporting agency has lobbied over — to bring class actions on behalf of 143 million potential victims.

About 60 class actions so far have been filed over the Sept. 7 breach, which potentially compromised the names, Social Security numbers, birth dates and, in some cases, credit card information of 143 million people. As of Sept. 12, the suits had been filed on behalf of a nationwide class and in 26 states, including Georgia, New York, California, Texas, New Jersey and Pennsylvania, and the District of Columbia. On Monday, a group of attorneys led by John Yanchunis of Morgan & Morgan and former Georgia Gov. Roy Barnes, who filed a class action in Georgia, moved to coordinate all the cases into multidistrict litigation in the U.S. District Court for the Northern District of Georgia, where Equifax Inc. is based, in Atlanta.

Most of the suits allege that Equifax violated the FCRA, which Equifax has pushed Congress to amend so that damages in class actions brought under the statute would be capped.

“The Fair Credit Reporting Act, however, requires companies like Equifax to protect customer data — including Social Security numbers, birthdates, addresses and driver’s license numbers,” said Adam Levitt, a partner at Chicago’s DiCello Levitt & Casey, who has filed a class action in Georgia. “That is, Equifax is prohibited from furnishing this extremely sensitive information to third parties without consent.”

In particular, the class actions allege that Equifax violated the FCRA, which limits the entities for which credit reporting agencies should “furnish a consumer report” and requires that they “maintain reasonable procedures” to avoid identity theft. The FCRA allows for individual statutory damages of up to $1,000, punitive damages and attorney fees and costs.

It’s not a common claim in most data breach cases. But the suits reference a data breach case against Experian Information Solutions Inc., another credit reporting agency that suffered a 2015 data breach. In that case, lawsuits were brought on behalf of 15 million customers of T-Mobile, which had run credit reports through Experian.

Although smaller, the Experian case also brought claims under the FCRA. But on Dec. 29, U.S. District Judge Andrew Guilford of the Central District of California in Santa Ana, California, dismissed the FCRA claims, finding Experian did not “furnish” a consumer report to the hackers.

“Theft victims don’t ‘provide’ a thief with stolen goods,” Guilford wrote. “Although victims of theft might be the ‘source’ of the stolen goods, saying that the victims are furnishing their goods to a thief is counterintuitive.”

But the Equifax suits have other claims: They allege negligence, pointing to a string of prior hacks against the company. According to some suits, Equifax reported a data breach to the New Hampshire attorney general in 2014. In 2016, Equifax suffered lapses in security involving Kroger Co. employee tax forms. Independent security professionals have also found bugs on its website. The suits cite a Sept. 7 article in Forbes that said Equifax has battled security problems for years.

The suits also bring claims under various state data breach and consumer laws that focus on Equifax’s response to the hack — criticized on social media for being too slow and at times dishonest.

“We have in some instances clients who only became aware of the breach on social media and they had not received and still have not received a formal notice concerning the breach,” said Shannon McNulty of Clifford Law Offices in Chicago, whose firm has brought lawsuits in New York, Nevada and Illinois. “And in many states, including Illinois, that type of notification is required under law.”


Given the rising number of lawsuits, Levitt filed a motion on Sept. 12 to expedite the MDL process. He brought a class action in Georgia along with lawyers from Cohen Milstein Sellers & Toll and Hausfeld. They sought to bump up oral arguments in the Equifax litigation to the U.S. Judicial Panel on Multidistrict Litigation’s next hearing on Sept. 28 in Boston, citing the “potential for conflicting actions for the next several months.” The panel denied the motion immediately, raising the prospect that Equifax could move to stay all the lawsuits until the panel’s next hearing on Nov. 30 in St. Louis.

The cases have a strong shot of ending up in Georgia. The motion to transfer the cases there noted that two other data breaches against Home Depot Inc. and Arby’s were in Georgia. U.S. District Judge Richard Story of the Northern District of Georgia also was assigned the multidistrict litigation over Ethicon Inc.’s Physiomesh earlier this year.

But the panel is notoriously unpredictable.

“With the jurisdictional considerations that have been discussed in recent months in particular that everyone would be looking to Georgia as a potential landing spot for the case,” McNulty said. “That said, I think that the JPML always considers the docket of any possible court or jurisdiction.”