
Equifax hit with at least 23 class-action lawsuits over massive cyberbreach

Court complaints accuse credit-reporting giant Equifax of security negligence, failing to notify consumers sooner about massive cyberbreach

Equifax faces at least 23 proposed class-action lawsuits since its disclosure that personal identifying information for 143 million U.S. consumers may have been compromised by a massive cyberbreach.

And additional cases are likely to come.

Federal court records show the lawsuits were filed through the weekend after the credit-reporting giant's Thursday disclosure that a cyberattack by criminal hackers provided unauthorized access to information for nearly 44% of the U.S. population.

Separately, Sens. Orrin Hatch, R-Utah, and Ron Wyden, D-Oregon, respectively the chairman and ranking member of the Senate Committee on Finance, sent Equifax detailed questions about the breach on Monday.

A copy of the letter, reviewed by USA TODAY, shows the panel wants a detailed timeline of the breach, information about the company's efforts to identify the number of consumers affected, the breadth of information compromised and the steps Equifax has taken to identify and limit potential consumer harm.

The relatively large number of new lawsuits against Equifax that seek class-action status signals the high legal stakes over the potential for identity-theft losses by millions of Americans whose personal data was exposed.

The cases also show an eagerness by plaintiff law firms to stake swift claims on behalf of consumers who eventually might be in line for a share of either a court judgment against Equifax or a settlement by the company.

"Equifax probably injured 143 million people, which is kind of a record," said John Coffee, a Columbia Law School professor and director of the school's Center on Corporate Governance. Although the extent of the damage hasn't yet been determined, "with 143 million people it doesn't surprise me there are already 23 suits," said Coffee.

Equifax did not respond to emails seeking comment on the cases. However, the company acknowledged last week it expects costs related to the cyberattack. Shares of Equifax (EFX) closed down 8.2% at $113.12 in Monday trading, extending Friday's nearly 13.7% plunge.

Unknown hackers carried out the cyberattack from mid-May through July 2017. The resulting breach primarily involved names, Social Security numbers, birth dates, addresses, and in some cases, driver's license numbers, Equifax said last week.

The company said it discovered the intrusion on July 29, but it first disclosed the attack publicly on Sept. 7, after engaging an independent cybersecurity firm to conduct a forensic assessment and provide recommendations to toughen electronic security safeguards.

The Atlanta-based firm is one of the nation's three largest credit-reporting and monitoring firms, along with Experian and TransUnion.

Equifax organizes and analyzes data on more than 820 million consumers and more than 91 million businesses worldwide. The company's databases hold employee data submitted by more than 7,100 employers.

The complaints:

Filed in 14 states and the District of Columbia, the federal lawsuits target either Equifax or the company's Equifax Information Services subsidiary. The legal complaints cite a range of legal claims, including alleged security negligence by Equifax, the delay in alerting the public and concerns about the free credit monitoring service the company has offered consumers.

Noting that Equifax experienced smaller cyberbreaches in 2013, 2016, and earlier this year, the lawsuit filed in California federal court on behalf of Ehud Gersten and Hannah Obradovich charges the company "knew and should have known of the inadequacy of its own data security."

Equifax's delay in alerting consumers was "willful, or at least negligent," argued the case filed in Illinois federal court on behalf of Dan Lang and Russell Pantek.

As a result, "consumers were deprived of their opportunity to meaningfully consider and address issues related to the potential fraud, as well as to avail themselves of the remedies available under the FCRA (U.S. Fair Credit Reporting Act) to prevent further dissemination of their private information," the Illinois lawsuit alleged.

A California federal court lawsuit filed on behalf of Richard Spicer and Julia Gutierrez in part focused on Equifax's offer to register consumers for a free year of credit monitoring from TrustedID.

"Equifax failed to disclose to consumers that it owned TrustedID, and its long-term business model turns on baiting consumers into signing up for its services," the California case alleged. "In other words, Equifax sought to turn its failure to protect consumers' sensitive data into a clandestine money-making opportunity."


The company separately drew legal criticism from New York Attorney General Eric Schneiderman's office over an implication that those who registered for TrustedID would waive their rights to pursue class-action lawsuits and instead would have to pursue legal claims through arbitration.

Schneiderman is investigating the Equifax cyberbreach. Late Friday, the company said the waiver requirement applied only to the offer of free credit monitoring and identity theft protection, "not the cybersecurity incident."

How the legal process could play out:

Barring any pretrial settlement, the cases would likely go through a legal culling process.

First, a federal panel on multidistrict litigation would likely consolidate the cases in a single lawsuit on behalf of all consumers claiming harm, and assign that case to a judge, said Coffee. In turn, the judge would likely determine which law firm or firms would serve as lead plaintiff counsel — a designation that typically brings a larger percentage share of any settlement or judgment.

Although the lawsuits seek class-action status, such a designation typically is approved by a federal court only after extensive legal arguments from plaintiff and defense lawyers.

In a Thursday online notice to investors, Equifax said it was too early "to provide specific estimates of the costs we expect to incur related to the cybersecurity incident."

While anticipating "some disruption to our business," Equifax said it "remains committed to delivering on the long term financial model of 7-10% revenue growth and 11%-14% growth in adjusted earnings per share on average over a business cycle."

Follow USA TODAY reporter Kevin McCoy on Twitter: @kmccoynyc
