Equifax now hit with a rare 50-state class-action lawsuit

In the wake of one of the most highly-publicized and highly-sensitive cybersecurity attacks in history, the bad news seems to be never ending for Equifax. A slew of litigation and investigations have quickly followed the breach as consumers and regulators try to grapple with the monumental theft of personal information that resulted from this incident. This includes over 240 individual class-action lawsuits, an investigation opened by the Federal Trade Commission, and more than 60 government investigations from U.S. state attorneys general, federal agencies and the British and Canadian governments.

Now, a rare 50-state class-action suit has been served on the company. The complaint is an ambitious 322-page document that names plaintiffs from every state and the District of Columbia who claim to have been injured to varying degrees by the Equifax security breach.

This case highlights the massive costs and critical damage involved in data breaches and is a particular warning to companies that hold large quantities of highly sensitive personal information to ensure they have the most effective cybersecurity protocols in place well before an incident occurs.

Background on the Equifax breach

Hackers breached Equifax’s system between mid-May and July this year, but it went undetected until July 29, with external forensic consultants engaged in early August. The breach was publicly announced on September 7. Around 145.5 million individuals’ personal information was exposed, mostly that of Americans but also data of Canadian and British consumers. This was an increase of 2.5 million from initial estimates after additional compromised accounts were found.

Customer data was reportedly exploited through a in a website application vulnerability known as Apache Struts. This vulnerability was identified by the United States Computer Emergency Readiness Team (US-CERT) in March. While the company contends that it took steps to patch those identified vulnerabilities after March, the Apache Foundation, which oversees the open-source application framework, has said that Equifax failed to install security updates in a timely manner.

The compromised sensitive data includes: social security numbers, dates of birth, email and mailing addresses and even some driver’s license numbers. This type of data is often used to confirm identity in various types of applications.

Legislators and regulators take a second look

Following the breach, lawmakers and regulators took note. On the day the breach was publicly reported, Congress was hearing on a bill (FCRA Liability Harmonization Act) that would have capped the amount of damages consumers could be awarded in a lawsuit against credit reporting companies. That bill is now unlikely to move forward.

Congressional hearings have also commenced by several different committees, including the House Energy and Commerce Committee and the Senate Banking Committee, where Richard Smith – former Chair and CEO of the company – testified on October 3 that “mistakes were made”.

A national standard for breach notification is also being considered by Congress. The chairman and ranking member of the Senate Judiciary Committee as well as the chairman of the House Financial Services Committee have forecasted a uniform breach notification standard. Another piece of legislation has been revived in the House that would establish a 30-day national standard for breach notifications and would mandate the Federal Trade Commission to help coordinate such disclosures.

Currently, 48 states have their own separate statutes that govern companies’ notification to breach victims. These states are now stepping up regulation in this area. For example, as a reaction to the breach, New York Governor Andrew Cuomo directed the New York Department of Financial Services in late September to include credit-reporting agencies in their new Cybersecurity Regulations.

In addition to Congressional actions, the Consumer Finance Protection Bureau Director Richard Cordray announced that in the wake of the Equifax hack, all three credit regulation agencies are going to have to get used to “a new regime” of regulation. Mr. Cordray has, however, recently announced that he will step down from the Bureau, so many will be watching to see the steps his successor takes in this regard.

The 50-state class-action suit against Equifax

The newly launched 50-state complaint alleges that Equifax failed to employ a critical software security patch that led to the breach itself, but also alleges that plaintiffs suffered further harm because Equifax took a number of missteps following the breach, including:

• Alerting customers more than a month after the breach was discovered and using confusing emails and notices regarding whose data was compromised;
• Creating a monitoring service with conflicting messages as to whether consumers would be forced to arbitrate claims if they took advantage of the service;
• Sending customers a link to a fake website to have their credit frozen;
• Allowing hackers to further exploit Equifax’s website, which prompted consumers to download a fraudulent software update; and
• Allowing several top Equifax executives to sell off $1.8 million in stock.

Allegations of harm for the named plaintiffs range from having had to spend numerous hours monitoring personal accounts to those having experienced identity theft, multiple fraudulent charges on personal credit and debit cards, and/or the opening of unauthorized accounts and mortgages in their name.

In total, the complaint provides eighty-three separate causes of action, brought on behalf of a nationwide class and two statewide subclasses, with one subclass brought under state consumer protection laws, and the other for state data breach statutes. The causes of action allege that Equifax’s business acts and practices were deceptive and unfair.

With the rising number of class action suits pending across the country, a multidistrict litigation (MDL) to consolidate the numerous plaintiffs’ suits into one federal district court seems likely. In recent history, many prominent data breach cases have been consolidated in this manner by the U.S. Judicial Panel on Multidistrict Litigation (JPML). In this case, both Equifax and plaintiffs have already requested that the JPML establish an MDL to consolidate the growing number of class action suits. Oral arguments for the Equifax MDL is scheduled for November 30, 2017.

Impact on the company’s bottom line

This case is a prime example of the costs involved in data breaches the fact that data security and proper data governance have become business critical and Board-level issues.

It has now been reported that Equifax has already spent $88 million in the third quarter as a result of the breach, with their profits falling $35 million from this quarter last year. After a second scare with their credit report assistance portal, shares of the company continued to fall. The Internal Revenue Service has temporarily suspended a contract worth more than $7 million. In 2016, government services made up 5% of Equifax‘s overall $3.1 billion in revenue.

In the wake of the breach and the reputation harm to the company, Richard F. Smith stepped down as CEO on September 26. The company’s CIO and CSO retired a week after the announcement. Equifax’s executives will also not receive incentive pay bonuses in 2017.

With the impending lawsuits and increasing government and regulatory oversight, let’s hope they have good cyberinsurance.