If you are not one of the one-hundred and forty-three million consumers whose private financial information was obtained in the recent data breach at Equifax, it’s likely you know someone whose information was.
We are predicting an onslaught of litigation with the need for many data privacy, information management, and encryption and encoding experts. The mountain of cybersecurity litigation that will follow may even result in a new, industry-wide security standard for us all.
| According to Equifax, this massive data hack was caused by a website application vulnerability that allowed hackers to access and gather private information from nearly half the U.S. population. This included names, birthdates, Social Security numbers, and credit card numbers. The severity of the event is obvious and the repercussions will continue. In the weeks since the news broke, the shares in the company have fallen more than 20 percent and on September 26th, CEO and Chairman Richard Smith retired after 12 years in the role. |
A massive data breach could prompt Congress to accelerate its efforts to create uniform data security and data breach notification standards.
 |
There is also evidence that Equifax may have known about the breach before it was publicly reported. Three shareholders
sold their shares—to the combined tune of $1.8M—after the breach was discovered but before it was publicly announced. The Department of Justice is reviewing the transactions for potential insider trading violations. A
class action lawsuit accusing Equifax of negligence, breach of contract, unjust enrichment, and violating the Fair Credit Reporting Act was filed just hours after the data breach was announced and more are expected.
It is very early for anyone to have a full understanding of all of the details, either favorable or unfavorable, related to the standard of care and nature of circumstances that led to this event. However, with the elements already in play we expect a variety of expertise will be helpful to assess and respond to the following claims:
- Violation of the Fair Credit Reporting Act: As a “consumer reporting agency” under the Act, Equifax was required to “maintain reasonable procedures designed to … limit the furnishing of consumer reports to the purposes listed” in the Act. See 15 U.S.C. § 1681e(a). Consumer plaintiffs are alleging that a failure to fulfill this duty under the Act allowed the data breach to occur, likely requiring experts in the credit reporting industry who are knowledgeable about the standards of information management and measures taken by other credit reporting agencies to maintain data security.
- Negligence: This claim has been pursued by consumers and credit unions throughout the nation who are suing to recover the vast additional expenses they will incur to cover fraudulent charges and accounts opened fraudulently as a result of the data breach. This will call for not only data privacy and security experts, but also experts on personal finances and private identity theft services for the consumers but also banking and financial experts familiar with the complicated costs incurred by banking institutions in investigating, disputing, and paying for fraudulent charges which they are responsible to cover on behalf of their banking clientele.
- Breach of Contract: Typically, the contract between a credit reporting agency and its users states that the agency will not “disclose your personal information to third parties.” Business relations and contractual experts will be needed to opine whether a failure to implement sufficient security measures (particularly in today’s increasingly complicated digital world) constitutes a “disclosure” of personal information.
- Unjust Enrichment: Plaintiffs in numerous pending class actions are alleging unjust enrichment as Equifax was able to trade on and sell its users’ private information in the form of credit reports to generate significant revenue without devoting sufficient funds to ensuring the data remained secure. In addition, in response to the breach, Equifax offered one year of free identity protection services with TrustedID—a company it owns—which could, allegedly, result in further profits down the road if consumers decide to continue and pay for the service after one year. This would potentially be a direct profit resulting from the breach.
A data breach this massive, triggering nationwide litigation could likely also prompt Congress to accelerate its efforts to create uniform data security and data breach notification standards. There will likely be a paradigm shift of costs and benefits to consider for those enterprises who acquire and hold private financial information from millions of consumers with fewer incentives to collect such data and more incentive to increase their budget and efforts toward securing it.
We expect this most recent breach will change the way we approach data security both on the business side and on the legal side. What do you think will be the most important development in the industry in the coming year?