CYBER RISK CLIENT ALERT: “50-State” Complaint Filed Against Equifax
Last Friday, a “50-State” complaint was filed against credit reporting giant Equifax concerning an extensive data breach that occurred earlier this year, and which exposed the personal identification and financial information of more than 145 million Americans. This summer, hackers took advantage of a flaw in a software tool utilized by Equifax, and obtained enormous amounts of sensitive customer data. The company has since admitted that it knew about this flaw at least two months before the breach occurred, and at least three months before it alerted consumers of the breach. The lawsuit contends that Equifax failed to improve data safeguards while expanding into new business areas. The lawsuit also alleges that Equifax mishandled its response to the breach, and alleges violation of breach notification laws in states throughout the country. Plaintiffs’ class-action lawsuit seeks recovery of millions of dollars in compensatory damages, as well as punitive damages, disgorgement of profits and attorneys’ fees.
The Complaint identifies Plaintiffs from all 50 states as well as the District of Columbia. The recent lawsuit, which was filed last week in the U.S. District Court for the Northern District of Georgia given Equifax’s Georgia headquarters, states extensive claims including alleged violations of the federal Fair Credit Reporting Act, as well as claims for fraud, deceptive trade practices and alleged violations of numerous state consumer protection laws. The lawsuit details examples of how the breach impacted citizens throughout the country, and contends that the breach allowed hackers to steal tax refunds, fraudulently obtain loans, create fake identifies, and destroy customers’ credit worthiness. For example, a Georgia resident contends that the breach allowed hackers to access his personal information, which was then fraudulently used to apply for a mortgage in his name. Likewise, an individual from Illinois alleges that, as a result of the data breach, his name, Social Security number, and date of birth have been used to open multiple credit accounts in his name. Other citizens allege they have been victims of fraud involving unauthorized debit and credit charges.
The Equifax breach is yet another example of why companies must constantly engage in cyber-risk management activities, or risk serious consequences. Of course, one of the most critical components of cyber-risk management is the development and implementation of a comprehensive and effective emergency response plan that is triggered in the event of a breach. In addition to extensive allegations concerning the alleged pre-breach conduct by Equifax, the lawsuit also alleges that Equifax failed to properly conduct itself after the breach. The lawsuit contends that Equifax failed to implement appropriate security measures following the breach in order to prevent future attacks, failed to timely notify consumers of the breach, and that Equifax’s eventual post-breach communications with customers were confusing and unclear. These allegations highlight the critical importance of effective post-breach response activities.
In addition to the creation and implementation of an effective emergency response plan, a state-of-the-art cyber-risk management program will address key areas including employee training, management of business partners, obtaining appropriate insurance coverage and – of course – implementing and updating appropriate IT protections. Effective cyber-risk management adopts the use of a team that includes management, legal counsel and IT personnel. Clearly, the legal exposure faced by Equifax, here, is monumental. In addition to the extraordinary financial liability exposure, there is no question that Equifax has suffered –and will continue to suffer—damages to its brand and good-will with consumers. The Equifax breach and inevitable litigation highlights just how important it is for a company to invest in and implement an effective cyber-risk management program before a breach ever occurs.
Disclaimer: This update is intended to educate generally on certain issues and is not intended to provide legal or professional advice. The information and opinions expressed in this document are solely those of the authors and do not necessarily represent the views or opinions of any current or former clients of Segal McCambridge Singer & Mahoney, Ltd.
- New Michigan DIFS Order Raises More Questions for Auto Insurers
- Proposed Hours of Service Rules: Balancing Safety and Economy
- Ninth Circuit Holds BIPA Class-Action Plaintiffs Have Article III Standing
- PROFESSIONAL LIABILITY CLIENT ALERT: Attorney Liability Under the FDCPA
- Five Words & Phrases Defense Attorneys Should be Mindful of in Trucking Litigation
- CYBER RISK CLIENT ALERT: BIPA Cutbacks Stalled in Springfield - For Now.
- PROFESSIONAL LIABILITY CLIENT ALERT: The Development of Michigan's Attorney Judgment Rule
- Another BIPA Violation Alleged in Illinois
- LIFE SCIENCES CLIENT ALERT: United States Supreme Court holds that the judge, not the jury, makes pre-emption determination in failure-to-warn pharmaceutical cases.
- Michigan No-Fault Reform Update
- Professional Liability
- Class Action
- Insurance Coverage
- Insurance & Reinsurance Litigation & Counseling
- Complex Commercial Litigation
- Cyber Risk & Liability
- Toxic Tort
- Professional Development
- Pharmaceutical & Medical Device Litigation
- Social Media & Privacy
- Employment Litigation & Counseling
- Workers' Compensation
- Construction Litigation & Counseling
- Discrimination, Harassment & Hostile Workplace Claims
- Medical Negligence & Healthcare Liability
- Product Liability