When Ryn “The Guardian” Melberg stumbled across samples of credit reports for sale on the dark web — where users stay anonymous — she contacted the FBI immediately.
“I saw people’s personal information posted in March 2017,” said Ms. Melberg, an angel hacker who looks for illegal internet activity. There was no way to know, at the time, the origins of the confidential information.
“Hackers are copying the identity of American citizens and stealing billions of dollars,” said Ms. Melberg, who disclosed to PacerMonitor that the hacked information she saw belonged to Equifax, one of the three large credit reporting agencies in the U.S. But it wasn’t until September that Equifax announced that unauthorized users had accessed its systems.
According to media reports, the private information of some 143 million Equifax customers was exposed, including addresses, names and Social Security numbers. The delayed response is among the plaintiffs’ complaints.
Wyatt Jefferies, senior director of public relations for Equifax Inc., declined to comment on pending litigation but in an email to PacerMonitor wrote, “We remain focused on helping our customers as well as their employees and consumers to navigate this situation.”
Beyond the delays in notifying consumers, other claims include Equifax’s continued use of Apache Struts software after the Apache Struts Project Management Committee (PMC) had issued a security patch on March 7.
“Any complex software contains flaws,” wrote Apache Struts Vice President René Gielen in a statement posted online. “Don’t build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.”
While Equifax had originally offered free credit monitoring, it was with the caveat that enrolled consumers would resolve disputes through arbitration and waive rights to a trial. However, after public pressure, Equifax removed the waiver.
“Credit monitoring doesn’t mitigate the loss and the damage to the person from having their information compromised,” said Jim Francis, founder of law firm Francis & Mailman in Philadelphia. “The only mitigating factor for Equifax is that this incident was not foreseeable.”
“The incident rises to a level beyond negligence,” said Kevin Sharp, an attorney with the law firm Sanford Heisler Sharp who filed a lawsuit on behalf of his client, Sean Martin v Equifax in the Middle District of Tennessee. “The breach was not intentional, but it was so reckless that it became willful since Equifax knew their computer software had a flaw and they didn’t fix it or seek to replace it.”
Under the FCRA, violations include a willful failure to maintain reasonable security measures; the statute also requires consumer reporting agencies to maintain reasonable procedures.
“As long as my client’s information was unlawfully disclosed by Equifax is all that’s required under that statute to collect damages and the reality is that my clients’ information has been forever released publicly and can never be regained,” Mr. Francis said.
Mr. Sharp’s firm has filed Equifax class actions in 34 states and the District of Columbia. At last count, some 75 lawsuits nationwide had been filed, according to Sharp, a former chief judge for the federal district court in the Middle District of Tennessee.
Claims of harm so far include costs of credit monitoring, needing to freeze credit and placing fraud alerts on accounts.
“The question will be whether a data breach alone resulting in the loss of personally identifying information is enough to create standing or if additional harm must be associated with it,” said Mr. Sharp.
If Spokeo, Inc. v. Robins is any indication, an alleged FCRA violation may not be enough to convince the court. In 2010, Thomas Robins filed a class-action complaint under the FCRA, alleging Spokeo’s people search engine had disseminated incorrect information about him.
The U.S. District Court for the Central District of California dismissed that suit for lack of standing, meaning there is precedent for Equifax to admit to a breach of trust and even gross negligence while avoiding real damages. That is because the FCRA does not necessarily presume damages.
“These Equifax suits, if they are consolidated, will hinge on what the damages are and whether they can be presumed, which directly depend on where a plaintiff sued and what state or federal statute they cited in their complaint,” said Robin Cohen, an insurance litigator and head of McKool Smith’s Insurance Recovery Litigation group.
The next step is for a panel of seven judges to convene at the U.S. District Court for the Eastern District of Missouri in St. Louis for a multidistrict litigation hearing on November 30 to decide whether the cases will be consolidated. Certification of the class, however, will occur only after the venue has been determined.
“Where the case ultimately lands matters because you want a judge that understands the law and issues around data breach,” said Mr. Sharp.
“Most of the breaches lately at places like Ashley Madison were backdoor hacks that were enabled by business practices and policies,” Ms. Melberg said. “The lessons learned from Ashley Madison appear lost on most Fortune 500 companies, with Equifax the most recent and dangerous.”
But Equifax is a much higher-profile defendant, and one that touches the lives of far more people. A multimillion-dollar settlement there may be just the nudge American corporations need to modernize cybersecurity.