On Thursday, September 7, 2017, two Oregon residents filed a federal class-action lawsuit against Equifax, Inc., one of the largest consumer credit reporting agencies in the country. Filed in response to a data breach that compromised the sensitive personal information of approximately 143 million consumers, the lawsuit alleges that Equifax was negligent in its failure to adopt more advanced computer security technology, which could have prevented hackers from accessing the company’s database.
The lawsuit seeks class-action status for those whose personal information was compromised. According to one of the attorneys for the plaintiffs, the suit will seek as much as $70 billion in damages.
Filed just hours after Equifax acknowledged the data breach, the Oregon suit was only the first of many. By the following Monday, USA Today reported that Equifax was facing at least 23 proposed class-action lawsuits over the data breach.
Data breach on a massive scale
The sheer number of consumers affected has privacy experts struggling to understand the possible fallout. Hackers who targeted Equifax obtained a wide variety of sensitive personal data, including Social Security numbers, driver’s license numbers, addresses, and birthdates. Equifax became aware of the vulnerability in late July, but waited more than a month to publicly acknowledge the breach, a delay that has enraged many people.
The news that three Equifax executives sold substantial shares of the company’s stock shortly after the cyberattack further inflamed public opinion.
Free credit monitoring offered—with a catch?
Facing yet another public relations black eye, Equifax quickly clarified that consumers who sign up for the free credit monitoring will not be forced to accept arbitration for any claims related to the original data breach.
Can the suit meet the legal standards of negligence?
The class-action lawsuit claims that Equifax, blinded by its drive to maximize profits, failed to maintain adequate security standards and that the data breach occurred as a direct consequence of this negligence.
Ideally, Equifax would have installed more advanced data security systems to protect consumers. But Equifax might be able to fall short of that standard and still not be deemed negligent under prevailing legal standards.
Actions that are reasonable, rather than ideal, generally don’t meet the enforceable legal standard of negligence, and so the court will have to weigh all the relevant facts. The unprecedented, gargantuan scope of this particular breach will definitely be a consideration, however.
Regardless, the visibility of the case seems likely to have a significant impact on companies’ legal obligations to protect consumers’ personal information going forward.