Equifax won't require arbitration of cybersecurity claims; are there lawsuit impediments?
Updated: Scores of federal lawsuits and class actions have been filed against Equifax by consumers since the credit reporting agency revealed last week that a data breach may have affected 143 million people.
Massachusetts announced plans to sue on Wednesday, while other states are investigating, including New York, Pennsylvania and Connecticut, CNBC reports. The Wall Street Journal (sub. req.) reports that more than 100 federal lawsuits have been filed, while the National Law Journal (sub. req.) says about 60 class actions have been filed.
The lawsuits may raise questions about whether a statute governing fair credit reporting applies to data hacks, and whether consumers who don’t suffer financial repercussions have standing to sue over the breach, according to the stories.
As the number of lawsuits mount, the Federal Trade Commission announced on Thursday that it is investigating the incident, the Washington Post reports. The disclosure of an ongoing probe “is highly unusual, underscoring the enormous stakes involved,” the newspaper says. The Consumer Financial Protection has also said it is also looking at the issue.
A lawyer who filed an early class action had warned that an information website for Equifax consumers contained language that could require users to take any claims to arbitration.
But Equifax has since changed the language to make clear that no consumer will be required to waive the right to a class action lawsuit to receive free credit monitoring and identity theft protection, according to a press release from New York Attorney General Eric Schneiderman.
“To be as clear as possible,” Equifax says on its website, “we will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.”
Equifax has hired Phyllis Sumner, a partner at King & Spalding, to serve as lead defense counsel, according to the Daily Report (sub. req.).
On Monday, a group of lawyers moved to consolidate the cases against Equifax in multidistrict litigation in Atlanta where Equifax is based, according to the National Law Journal. Most of the suits allege a violation of the Fair Credit Reporting Act, which requires agencies that furnish a credit report to “maintain reasonable procedures” to avoid identity theft.
In a data breach case filed against Experian, a federal judge tossed the FCRA claims because the company didn’t furnish a consumer report to hackers, according to the National Law Journal. Other claims are pending.
In the Equifax suits, other claims include negligence, and violation of state data-breach and consumer laws.
Experts tell the Wall Street Journal that, four or five years ago, courts generally tossed data breach lawsuits. The hurdle for plaintiffs is the requirement that there must be a concrete injury that can be redressed. “But more courts are warming to the idea that even the threat of identity theft—and the aggravation, distress and cost of containing the risk—can cause harm” that gives plaintiffs standing to sue, the article says.
The Wall Street Journal cites a federal appeals decision last month rejecting arguments that claims in a data breach suit were too speculative. The defendant, CareFirst BlueCross BlueShield, says it will seek review in the U.S. Supreme Court.
Federal appeals courts are split on the issue, according to Reuters. “Sooner or later,” the article reports, “the U.S. Supreme Court will probably have to resolve uncertainty among the federal appellate courts on the standing of data breach victims facing increased risk of identity theft.”
Story updated on Sept. 15 to report on Equifax’s lead lawyer.