Equifax hit with at least 23 class-action lawsuits over massive cyberbreach – USA TODAY
Nearly half of all Americans are affected by a cyber security breach at Equifax, one of the nation’s three major credit-reporting agencies. Here’s how to avoid being a victim.
Equifax faces at least 23Â proposed class-action lawsuits since its disclosure that personal identifying information for 143 million U.S. consumers may have been compromised byÂ a massive cyberbreach.
And additional cases are likely to come.
Federal court records show the lawsuits were filed through the weekend afterÂ the credit-reporting giant’s Thursday disclosure that a cyberattack by criminal hackers provided unauthorized access to information for nearly 44% of the U.S. population.
Separately, Sens. Orrin Hatch, R-Utah, and Ron Wyden, D-Oregon, respectively the chairman and ranking member of the Senate Committee on Finance, sent Equifax detailed questions about the breach on Monday.
A copy of theÂ letter, reviewed by USA TODAY, shows the panel wants a detailed timeline of the breach, information about the company’s effortsÂ to identify the number of consumers affected, the breadth of information compromised and the steps Equifax has taken to identify and limit potential consumer harm.
The relatively large number of new lawsuits against Equifax that seek class-action status signal the high legal stakes over the potential for identity-theftÂ losses by millions of Americans whose personal data was exposed.
The cases also show an eagerness by plaintiff law firms to stake swift claims on behalf of consumers who eventually mightÂ be in line for aÂ shareÂ of either a court judgment against Equifax or aÂ settlement by the company.
Â “Equifax probably injured 143 million people, which is kind of a record,” said John Coffee, a Columbia Law School professor and director of the school’s Center on Corporate Governance. Although the extent of the damage hasn’t yet been determined, “with 143 million people it doesn’t surprise me there are already 23 suits,” saidÂ Coffee.
Equifax did not respond to emails seeking comment on the cases. However, the company acknowledged last week it expects costs related to the cyberattack. Shares of Equifax (EFX) closed downÂ 8.2% at $113.12 in Monday trading, extendingÂ Friday’sÂ nearly 13.7% plunge.
The news from credit reporting company Equifax that 143 million Americans had their information exposed is very serious. Experts say once your personal data is out there, it’s basically out there forever. (Sept. 8)
Unknown hackers carried out the cyberattack out from mid-May through July 2017. The resulting breachÂ primarily involved names, Social Security numbers, birth dates, addresses, and in some cases, driver’s license numbers, Equifax said last week.
The company said it discovered the intrusionÂ on July 29, but it first disclosed the attack publicly on Sept. 7, after engaging an independent cybersecurity firm to conduct a forensic assessment and provide recommendations to toughen electronic security safeguards.Â
The Atlanta-based firmÂ is one of the nation’s three largest credit-reporting and monitoring firms, along with Experian and TransUnion.Â
Equifax organizes and analyzes data on more than 820 million consumers and more than 91 million businesses worldwide. The company’s databases hold employee data submitted by more than 7,100 employers.
Names, Social Security numbers and addresses of millions of people were exposed during the Equifax breach.
Video provided by Newsy
Filed in 14 states and the District of Columbia, the federal lawsuits target either Equifax or the company’s Equifax Information Services subsidiary. The legalÂ complaints citeÂ a rangeÂ of legal claims, including alleged security negligence by Equifax, the delay in alerting the publicÂ and concerns about the free credit monitoring service the company has offered consumers.
Noting that Equifax experienced smaller cyberbreaches in 2013, 2016, and earlier this year, the lawsuit filed in California federal court on behalf of Ehud Gersten and Hannah Obradovich charges the company “knew and should have known of the inadequacy of its own data security.”
Equifax’s delay in alerting consumers was “willful, or at least negligent,” argued the case filed in Illinois federal court on behalf of Dan Lang and Russell Pantek.
As a result, “consumers were deprived of their opportunity to meaningfully consider and address issues related to the potential fraud, as well as to avail themselves of the remedies available under the FCRA (U.S. Fair Credit Reporting Act) to prevent further dissemination of their private information,” the Illinois lawsuit alleged.
A California federal court lawsuit filed on behalf of Richard Spicer and Julia Gutierrez in part focused on Equifax’s offer to register consumers for a free year of credit monitoring from TrustedID.
“Equifax failed to disclose to consumers that it ownedÂ TrustedID, and its long-term business model turns on baiting consumers into signing up for its services,” the California case alleged. “In other words, Equifax sought to turn its failure to protect consumers’ sensitive data into a clandestine money-making opportunity.”
The company separately drew legal criticism from New York Attorney General Eric Schneiderman’s office over an implication that those who registered for TrustedID would waive their rights to pursue class-action lawsuitsÂ and instead would have to pursue legal claims through arbitration.
SchneidermanÂ is investigating the Equifax cyberbreach. Late Friday, the company said the waiver requirement applied only to the offer of free credit monitoring and identity theft protection, “not the cybersecurity incident.”
How the legal process could play out:Â
Barring any pretrial settlement, the cases would likely go through a legal culling process.
First, a federal panel on multidistrict litigation would likely to consolidate the cases in a single lawsuit on behalf of all consumers claiming harm, andÂ assign that case to a judge, said Coffee. In turn, the judge would likely determine which law firm or firms would serve as lead plaintiff counsel â a designation that typically bringsÂ a larger percentage share of any settlement or judgment.Â
Although the lawsuits seek class-action status, such a designation typically is approved by a federal court only after extensive legal arguments from plaintiff and defense lawyers.
In a Thursday online notice to investors, Equifax said it was too early “to provide specific estimates of the costs we expect to incur related to the cybersecurity incident.”
While anticipating “some disruption to our business,” Equifax said it “remains committed to delivering on the long term financial model of 7-10% revenue growth and 11%-14% growth in adjusted earnings per share on average over a business cycle.”
Follow USA TODAY reporter Kevin McCoy on Twitter: @kmccoynyc