Anyone looking for a legal payday over the Equifax breach — not so fast.
The credit reporting company’s recent disclosure of a cyberbreach that compromised personal data for nearly half the nation’s population may seem certain to produce wins in lawsuits.
However, consumers and the Atlanta-based company are likely to face major legal challenges as they gear up for battle over the more than 70 class-action lawsuits filed against Equifax since the Sept. 7 disclosure.
Difficulty proving harm
“These are difficult cases, for sure,” said David Berger, a partner in the Oakland, Ca-based Gibbs Law Group who has represented clients in class-action lawsuits involving data breaches, and whose firm has filed a case against Equifax
Plaintiffs in class-action cases — lawsuits led by a few people from a larger group who allegedly have the same injury complaint — typically must show they suffered financial or other harm in order to establish legal standing to sue.
Equifax said personal information for 143 million people was compromised, making the incident one of the largest in U.S. history. As of now, however, court records show relatively few plaintiffs have alleged that they were victimized by stolen identity scams linked to the cyberbreach.
Shannon McNulty, a partner and class-action case specialist at the Clifford Law Offices, estimated late last week that the Chicago-based firm was averaging approximately 20 calls per hour from potential clients fearing Equifax-related harm. Yet roughly one of those 20 said they had spotted evidence of suspicious activity in their credit records, such as “hotel charges in states they never visited,” said McNulty, whose firm has also filed a suit against the company.
That could change, as cyber thieves attempt to make broader use of the stolen data and the impact of Equifax’s electronic compromise becomes clearer.
“So far the alleged injury is vague, very indefinite for most people, said John Coffee, a Columbia Law School professor and director of the New York City school’s Center on Corporate Governance. But, given the massive size of this breach, “sooner or later people are going to suffer actual harm.”
One angle: Indefinite credit monitoring costs
Not all victims must show they were victimized by identity theft. Others may seek legal standing to sue by arguing that the Equifax breach required them to spend money for monitoring and or locking their credit records — expenses that may continue indefinitely.
There is no consistent standard that federal court districts across the U.S. use to decide the issue of legal standing in cyberbreach cases. However, most have ruled that the theft of personal consumer data “is sufficient to establish standing,” said Kevin Sharp, a former federal judge in Tennessee who’s now a managing partner for the Sanford Heisler Sharp law firm, which has also sued Equifax.
Yet when it comes to prevailing in court in class-action lawsuits involving electronic intrusions, “cases involving substantial allegations of identity theft will generally fare better than those without,” wrote Gibbs Law Group attorneys Aaron Blumenthal and Andre Mura in a September article in Trial, a legal community-focused magazine published by the American Association for Justice.
People who sue Equifax generally will also be required to prove what’s legally known as causation. That involves producing evidence that shows the harm they suffered was caused by the credit-reporting giant’s loss of their personal information — and not from a breach elsewhere.
Federal courts have taken varying positions on causation standards in cyberbreach cases. If consumer lawyers can show signs of identity theft using the types of information Equifax said was compromised — names, Social Security numbers, birth dates, and addresses — the cases have a better chance, said Sharp.
Equifax has reached out to consumers, offering a year’s worth of free credit monitoring, and waiving the usual fees charged for those who opt to place a freeze on their credit records.
But those efforts likely will do little to deter lawsuits that accuse the company of negligence or recklessness in safeguarding consumers’ data.
Facts that could help plaintiffs
The company said last week that it “was aware of” the electronic weakness identified by the U.S. Consumer Emergency Readiness Team in March, the apparent cause of the breach. In response, Equifax said it “took efforts to patch any vulnerable systems.”
Additionally, hackers surreptitiously worked inside Equifax’s computer network as early as March, two months before the company said consumer data was first accessed, The Wall Street Journal reported Thursday.
Full details of those issues, expected to be demanded by law firms pursuing consumer class-action cases, ultimately could “provide strong evidence for the plaintiffs,” said McNulty.
However, the company last week provided an early signal suggesting it may try to block some legal discovery requests. Equifax said a forensic assessment of the intrusion and its damage conducted by independent cybersecurity firm Mandian was “privileged” — meaning consumer lawyers likely would have to fight for the findings.
Equifax has contacted its insurers to help fund costs related to the cyberbreach. In a statement, the company said it: “carries cybersecurity, crime, general liability and other lines of insurance, and we have begun discussions with our carriers regarding the incident.”
In a Sept. 7 question-and-answer document for investors, Equifax said it was too early to estimate costs related to the cybersecurity incident, but said the company will make specific disclosures about the expenses.