



Equifax now hit with a rare 50-state class-action lawsuit

News Analysis
Nov 22, 2017 | 6 mins
Data and Information Security, Data Breach, Legal

This rare 50-state class-action suit against Equifax highlights the massive costs and critical damage companies could face in the wake of a cybersecurity attack.

Equifax logo with keyboard lock and credit cards
Credit: Dado Ruvic/Reuters

In the wake of one of the most highly-publicized and highly-sensitive cybersecurity attacks in history, the bad news seems to be never ending for Equifax. A slew of litigation and investigations have quickly followed the breach as consumers and regulators try to grapple with the monumental theft of personal information that resulted from this incident. This includes over 240 individual class-action lawsuits, an investigation opened by the Federal Trade Commission, and more than 60 government investigations from U.S. state attorneys general, federal agencies and the British and Canadian governments.

Now, a rare 50-state class-action suit has been served on the company. The complaint is an ambitious 322-page document that names plaintiffs from every state and the District of Columbia who claim to have been injured to varying degrees by the Equifax security breach.

This case highlights the massive costs and critical damage involved in data breaches and is a particular warning to companies that hold large quantities of highly sensitive personal information to ensure they have the most effective cybersecurity protocols in place well before an incident occurs.

Background on the Equifax breach

Hackers breached Equifax’s system between mid-May and July this year, but it went undetected until July 29, with external forensic consultants engaged in early August. The breach was publicly announced on September 7. Around 145.5 million individuals’ personal information was exposed, mostly that of Americans but also data of Canadian and British consumers. This was an increase of 2.5 million from initial estimates after additional compromised accounts were found.

Customer data was reportedly exploited through a vulnerability in a website application framework known as Apache Struts. This vulnerability was identified by the United States Computer Emergency Readiness Team (US-CERT) in March. While the company contends that it took steps to patch those identified vulnerabilities after March, the Apache Foundation, which oversees the open-source application framework, has said that Equifax failed to install security updates in a timely manner.

The compromised sensitive data includes: social security numbers, dates of birth, email and mailing addresses and even some driver’s license numbers. This type of data is often used to confirm identity in various types of applications.

Legislators and regulators take a second look

Following the breach, lawmakers and regulators took note. On the day the breach was publicly reported, Congress was holding a hearing on a bill (the FCRA Liability Harmonization Act) that would have capped the amount of damages consumers could be awarded in a lawsuit against credit reporting companies. That bill is now unlikely to move forward.

Several different committees have also commenced congressional hearings, including the House Energy and Commerce Committee and the Senate Banking Committee, where Richard Smith, former Chair and CEO of the company, testified on October 3 that “mistakes were made”.

A national standard for breach notification is also being considered by Congress. The chairman and ranking member of the Senate Judiciary Committee as well as the chairman of the House Financial Services Committee have forecasted a uniform breach notification standard. Another piece of legislation has been revived in the House that would establish a 30-day national standard for breach notifications and would mandate the Federal Trade Commission to help coordinate such disclosures.

Currently, 48 states have their own separate statutes that govern companies’ notification to breach victims. These states are now stepping up regulation in this area. For example, as a reaction to the breach, New York Governor Andrew Cuomo directed the New York Department of Financial Services in late September to include credit-reporting agencies in their new Cybersecurity Regulations.

In addition to Congressional actions, Consumer Financial Protection Bureau Director Richard Cordray announced that in the wake of the Equifax hack, all three credit regulation agencies are going to have to get used to “a new regime” of regulation. Mr. Cordray has, however, recently announced that he will step down from the Bureau, so many will be watching to see the steps his successor takes in this regard.

The 50-state class-action suit against Equifax

The newly launched 50-state complaint alleges that Equifax failed to employ a critical software security patch, a failure that led to the breach itself, but also alleges that plaintiffs suffered further harm because Equifax took a number of missteps following the breach, including:

  • Alerting customers more than a month after the breach was discovered and using confusing emails and notices regarding whose data was compromised;
  • Creating a monitoring service with conflicting messages as to whether consumers would be forced to arbitrate claims if they took advantage of the service;
  • Sending customers a link to a fake website to have their credit frozen;
  • Allowing hackers to further exploit Equifax’s website, which prompted consumers to download a fraudulent software update; and
  • Allowing several top Equifax executives to sell off $1.8 million in stock.

Allegations of harm for the named plaintiffs range from having had to spend numerous hours monitoring personal accounts to those having experienced identity theft, multiple fraudulent charges on personal credit and debit cards, and/or the opening of unauthorized accounts and mortgages in their name.

In total, the complaint provides eighty-three separate causes of action, brought on behalf of a nationwide class and two statewide subclasses, with one subclass brought under state consumer protection laws, and the other for state data breach statutes. The causes of action allege that Equifax’s business acts and practices were deceptive and unfair.

With the rising number of class action suits pending across the country, a multidistrict litigation (MDL) to consolidate the numerous plaintiffs’ suits into one federal district court seems likely. In recent history, many prominent data breach cases have been consolidated in this manner by the U.S. Judicial Panel on Multidistrict Litigation (JPML). In this case, both Equifax and plaintiffs have already requested that the JPML establish an MDL to consolidate the growing number of class action suits. Oral arguments for the Equifax MDL are scheduled for November 30, 2017.

Impact on the company’s bottom line

This case is a prime example of the costs involved in data breaches and of the fact that data security and proper data governance have become business-critical and Board-level issues.

It has now been reported that Equifax has already spent $88 million in the third quarter as a result of the breach, with their profits falling $35 million from this quarter last year. After a second scare with their credit report assistance portal, shares of the company continued to fall. The Internal Revenue Service has temporarily suspended a contract worth more than $7 million. In 2016, government services made up 5% of Equifax’s overall $3.1 billion in revenue.

In the wake of the breach and the reputation harm to the company, Richard F. Smith stepped down as CEO on September 26. The company’s CIO and CSO retired a week after the announcement. Equifax’s executives will also not receive incentive pay bonuses in 2017.

With the impending lawsuits and increasing government and regulatory oversight, let’s hope they have good cyberinsurance.


Tara Swaminatha is a partner at Squire Patton Boggs, focusing on cybersecurity, litigation and white collar investigations. Tara has acted as outside cybersecurity counsel on some of the most significant data breaches in recent years and has defended clients against federal, state and international regulatory actions and related litigation.

During her time in private practice, Tara has advised multinational companies on cybersecurity liability risk assessments, internal compliance measures and incident response protocols. In the instance of security or privacy incidents, Tara led an incident response effort and served as her client’s subject matter expert. Her extensive knowledge of how digital evidence may be used to prove facts in litigation over security incidents has enabled her to minimize her clients’ litigation exposure during incident responses, investigations and data breaches.

At the Department of Justice (DOJ), Tara directed technical forensic investigations for federal law enforcement agencies, assisted prosecutors and investigators across the country with computer crime-related cases, and prosecuted IP crimes to combat massive online piracy of entertainment software, motion pictures and business software. Adding to her legal dexterity, Tara’s clients benefit from her technical understanding of cybersecurity methods and issues: before becoming a lawyer, she was the Information Security Administrator for the International Finance Corporation (IFC), part of the World Bank Group, and built networks and conducted application security risk assessments while working at a boutique security firm. Tara helped implement the IFC’s first information security policy for 3,000 employees worldwide.

In addition, Tara commits to considerable pro bono and volunteering activities. She represents pro bono juvenile clients seeking asylum and represents the National Association for the Education of Young Children on data governance and other matters. An active member of her community, she is a board member for the Hearing & Speech Center at Children’s National Medical Center and helps mentor families with children with hearing loss.

Tara is a frequent speaker and writes extensively on security, privacy and cybercrime issues, having written one of the first textbooks on wireless security privacy and contributed to the National Association of Corporate Directors' Handbook on Cyber-Risk Oversight (2017 edition). She serves as an Adjunct Professor at George Mason University Law School where she teaches Computer Crime Law. She was named a Cybersecurity Trailblazer in 2017 by the National Law Journal and one of the leading cybersecurity incident response professionals as part of the “Incident Response 30.” She was also recognized in The Legal 500 for Cyber Law, where she is “commended for her experience in high-profile data breach investigations” and “understands forensics and is able to digest technical reports in a meaningful and actionable way.”

The opinions expressed in this blog are those of Tara Swaminatha and do not necessarily represent those of Squire Patton Boggs or of IDG Communications, Inc., its parent, subsidiary or affiliated companies.