CYBER RISK CLIENT ALERT: “50-State” Complaint Filed Against Equifax


Last Friday, a “50-State” complaint was filed against credit reporting giant Equifax concerning an extensive data breach that occurred earlier this year, and which exposed the personal identification and financial information of more than 145 million Americans.  This summer, hackers took advantage of a flaw in a software tool utilized by Equifax, and obtained enormous amounts of sensitive customer data.  The company has since admitted that it knew about this flaw at least two months before the breach occurred, and at least three months before it alerted consumers of the breach.  The lawsuit contends that Equifax failed to improve data safeguards while expanding into new business areas.  The lawsuit also alleges that Equifax mishandled its response to the breach, and alleges violation of breach notification laws in states throughout the country.  Plaintiffs’ class-action lawsuit seeks recovery of millions of dollars in compensatory damages, as well as punitive damages, disgorgement of profits and attorneys’ fees.

The Complaint identifies Plaintiffs from all 50 states as well as the District of Columbia.  The recent lawsuit, which was filed last week in the U.S. District Court for the Northern District of Georgia given Equifax’s Georgia headquarters, states extensive claims including alleged violations of the federal Fair Credit Reporting Act, as well as claims for fraud, deceptive trade practices and alleged violations of numerous state consumer protection laws.  The lawsuit details examples of how the breach impacted citizens throughout the country, and contends that the breach allowed hackers to steal tax refunds, fraudulently obtain loans, create fake identities, and destroy customers’ creditworthiness.  For example, a Georgia resident contends that the breach allowed hackers to access his personal information, which was then fraudulently used to apply for a mortgage in his name. Likewise, an individual from Illinois alleges that, as a result of the data breach, his name, Social Security number, and date of birth have been used to open multiple credit accounts in his name. Other citizens allege they have been victims of fraud involving unauthorized debit and credit charges.

The Equifax breach is yet another example of why companies must constantly engage in cyber-risk management activities, or risk serious consequences.  Of course, one of the most critical components of cyber-risk management is the development and implementation of a comprehensive and effective emergency response plan that is triggered in the event of a breach.  In addition to extensive allegations concerning the alleged pre-breach conduct by Equifax, the lawsuit also alleges that Equifax failed to properly conduct itself after the breach. The lawsuit contends that Equifax failed to implement appropriate security measures following the breach in order to prevent future attacks, failed to timely notify consumers of the breach, and that Equifax’s eventual post-breach communications with customers were confusing and unclear. These allegations highlight the critical importance of effective post-breach response activities. 

In addition to the creation and implementation of an effective emergency response plan, a state-of-the-art cyber-risk management program will address key areas including employee training, management of business partners, obtaining appropriate insurance coverage and – of course – implementing and updating appropriate IT protections. Effective cyber-risk management adopts the use of a team that includes management, legal counsel and IT personnel. Clearly, the legal exposure faced by Equifax, here, is monumental. In addition to the extraordinary financial liability exposure, there is no question that Equifax has suffered – and will continue to suffer – damages to its brand and goodwill with consumers. The Equifax breach and inevitable litigation highlight just how important it is for a company to invest in and implement an effective cyber-risk management program before a breach ever occurs.

Disclaimer: This update is intended to educate generally on certain issues and is not intended to provide legal or professional advice. The information and opinions expressed in this document are solely those of the authors and do not necessarily represent the views or opinions of any current or former clients of Segal McCambridge Singer & Mahoney, Ltd.
