Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

5 Things to Know About the First Wave of Equifax Actions

By Amanda Bronstad
October 02, 2017

With 143 million people potentially hit by Equifax Inc.'s data breach, there's no doubt there will lawsuits — a lot of them.

“You'll have suits in every state,” says Ben Meiselas, an attorney at Los Angeles-based Geragos & Geragos, which filed the first case in Oregon along with Michael Fuller of Olsen Daines in Portland, OR. Geragos & Geragos planned to file lawsuits in at least a dozen states within the next week, according to Meiselas. “The full scope and magnitude is still being gathered, but it's obviously one of the largest data breaches ever and affects almost half the population of the United States. That's going to mean hundreds of lawsuits.”

Another class action was filed in Georgia, where Equifax is headquartered. On September 8, New York Attorney General Eric Schneiderman launched a formal investigation into the breach. There's also a good chance that all the Equifax lawsuits will get coordinated into multidistrict litigation.

A major theme in the suits will be how Atlanta-based Equifax, whose entire business as a credit reporting agency is to maintain personal and confidential data on individuals, wasn't prepared for hackers who have hit retailers and health care companies for that same information.

“The product this company trades in is the type of data that thieves want,” says Brian Gudmundson, a partner at Zimmerman Reed in Minneapolis who has served in lead counsel roles in litigation over data breaches at Arby's, Wendy's, Target and Home Depot. “They would certainly have to be under the highest level of security that there could possibly be and yet they seem to be a subject of a breach for a period of time that lasted almost two months and didn't disclose it until a month and a half after they heard of it to the tune of 143 million — half the population of the United States. That's a red flag. That's a huge red flag.”

It's a point that wasn't even lost on Equifax.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Equifax CEO Richard Smith said in a statement on September 7. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”

The company's own actions have done little to calm the fears of consumers. Meiselas says his firm was getting thousands of calls by the hour after the breach became public. He says Equifax's “horrible response” is “a teaching moment of how not to respond when there is a data breach like this.”

Here are five key takeaways about the Equifax actions in the immediate wake of the breach revelation:

  1. What Equifax should have known: What did Equifax know — and when did it know — about its own security risks? “While the events that led to the Equifax breach are now unfolding, early reports suggest that Equifax didn't have proper practices in place and was operating without a cybersecurity vice president until recently,” says Eric Gibbs, a partner at San Francisco's Girard Gibbs who had a lead role in the Anthem data breach litigation.
  2. How long it took Equifax to disclose the data breach: The actual breach went on from May to July, but Equifax didn't find out about it until July 29. Then it didn't announce it to the public until September 7. “Waiting a month, or a month and a half, or two or to five months, seems really unreasonable,” Gudmundson says. “This isn't necessarily people's credit cards that people can cancel. This is everything.” Equifax acknowledged that speed was of the essence, noting that it “promptly engaged” a cybersecurity firm and contacted law enforcement authorities once it knew about the breach.
  3. How Equifax responded: Most of the 143 million affected by the Equifax breach don't even know the company has their information. To find out, Equifax has provided a website to help consumers sign up to a program called TrustedID Premier. “What Equifax isn't telling people is that it owns TrustedID, and that TrustedID's growth is part of its longer-term business plans,” Gibbs says. By September 8, many consumers had taken to the Internet to complain that they had to provide six digits of their Social Security number and then sign an arbitration agreement in which they agreed to waive their right to participate in a class action. Schneiderman, in a Twitter post, called the language “unacceptable and unenforceable.” Equifax has since clarified on the website that the class action waiver “applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.”
  4. Allegations that executives sold shares: Press reports on NPR and in the Washington Post said three Equifax executives sold nearly $2 million in stock in August. That's just after the company says it became aware of the breach. But Equifax has insisted in a statement that the three executives didn't know about the breach at the time. “That's always highly, highly concerning,” Gudmundson says. “Sometimes, where there's smoke, there's fire. But sometimes, it's something as innocent as school starting and people needing money for college tuition. That's certainly an angle that's worth exploring.”
  5. What was stolen: Equifax has insisted that there was “no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.” Although credit card numbers for about 209,000 consumers were accessed, most of the data at risk involved names, Social Security numbers, birth dates and addresses. Many federal judges have ruled that fraudulent charges on one's credit card or other costs are economic injuries that plaintiffs can use to establish standing to sue over data breaches in federal courts — but identity theft isn't one of them. Plaintiffs' lawyers were undeterred, noting that some judges have begun to rule differently. “We obviously believe in the line of cases that says that's a redressable claim and confers standing,” Gudmundson says, “but it's difficult to say how a court might come out.”

*****
Amanda Bronstad
writes for The National Law Journal, an ALM sibling of Cybersecurity Law & Strategy. She can be reached at [email protected]. On Twitter: @abronstadlaw.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
How Secure Is the AI System Your Law Firm Is Using? Image

In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.