Trial News

The consumer credit reporting agency Equifax Inc. has settled class action claims brought on behalf of 147 million consumers as well as claims brought by the Federal Trade Commission, the Consumer Financial Protection Bureau, and multiple state attorneys general arising out of its 2017 data breach. The settlement includes credit monitoring, identity restoration, and compensation for out-of-pocket losses to class members. It also requires Equifax to spend at least $1 billion to improve its data security. (In re Equifax Inc. Customer Data Sec. Breach Litig., No. 1:17-md-2800-TWT (N.D. Ga. July 22, 2019).)

In September 2017, Equifax announced that over a two-and-a-half-month period hackers had accessed consumers’ sensitive personal information, including their names, Social Security numbers, birth dates, addresses, and driver’s license numbers. In some instances, the hackers also obtained consumers’ credit card information and dispute documents. Even though Equifax’s security team discovered the breach in late July of that year, the agency waited seven weeks to publicly disclose it. Equifax had been using an open-source program, Apache Struts, for its consumer dispute portal. Despite notification from Apache Software in March 2017 of a serious vulnerability and Apache’s dissemination of a security patch, Equifax failed to implement the patch or otherwise secure its systems.

Consumers and financial institutions around the country filed more than 300 class actions against Equifax. The actions were consolidated and transferred to federal court in Georgia, Equifax’s principal place of business, and divided into consumer and financial institution tracks. The consumers alleged Equifax “failed to properly protect personal information,” “had inadequate data security,” and “improperly delayed notifying potentially impacted individuals.” Equifax countered that “the compromise of personally identifiable information itself is not an injury,” the plaintiffs had failed to establish that Equifax’s breach was the proximate cause of their injuries, and the plaintiffs were barred from recovering in tort for purely economic damages.

In January, Judge Thomas Thrash denied Equifax’s motion to dismiss the consumer track’s class action for failure to state a claim. (In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F. Supp. 3d 1295 (N.D. Ga. 2019).) Finding that Georgia law applies to the claims, Judge Thrash determined that the consumers had adequately stated negligence claims and claims under the state’s fraud, consumer protection, and data breach statutes. He allowed the class to move forward with its claims that Equifax caused harm by forcing the plaintiffs to “take measures to combat the risk of identity theft,” by expending their “time and effort to monitor their credit and identity,” and by causing identity theft for some class members. It was enough that many of the consumers alleged that they had experienced a “serious and imminent risk of fraud and identity theft due to the data breach,” Judge Thrash found, disagreeing with Equifax’s argument that these harms were merely “speculative.”

The parties worked toward a settlement following Judge Thrash’s ruling and signed an initial term sheet in March. The term sheet committed the parties to considering input from federal regulators, including the Federal Trade Commission and the Consumer Financial Protection Bureau, as well as state attorneys general who also had brought claims against Equifax.

On July 22, the class members, along with federal regulators and state attorneys general, announced a global settlement. The settlement provides class members with up to $20,000 for their out-of-pocket losses, including $25 per hour for up to 20 hours of time they spent protecting personal information or dealing with identity theft.

Equifax also must pay for at least four years of three-bureau credit monitoring for affected consumers provided by its competitor Experian and provide up to six more years of one-bureau credit monitoring. Consumers who have experienced identity theft also are eligible for seven years of free assisted identity restoration services. Consumers may elect to receive a $125 cash payout instead of the monitoring services (with the cash payout option capped at $31 million for the initial claims period). However, Kansas City, Mo., attorney, Norman Siegel, who represented the consumer class, estimates that the total value of the monitoring services offered exceeds $2,000. He suggested that based on recent data breach cases, class members will choose the monitoring option over the cash payout at a rate of 10-to-1.

The settlement requires Equifax to establish a $380.5 million fund to pay for the required credit monitoring and restoration services and to provide financial compensation to affected class members and to increase the fund by $125 million as necessary to compensate for consumers’ out-of-pocket losses. In addition to these direct remedies for class members, the settlement requires Equifax to spend $1 billion on cybersecurity and related technology over the next five years to better safeguard consumer data.

Chicago attorney Amy Keller, who represented the consumer class, said she was “pleased that we were able to negotiate the largest data breach settlement in history—which not only ensures that Equifax make security improvements but also puts $505.5 million into a consumer fund for class member claims. It was important to us that the settlement not only compensated individuals for their out-of-pocket damages but also the time they spent in dealing with the effects of the data breach.”

Siegel added that recent news reports have “conflated the $125 cash payment that may be selected as an alternate to credit monitoring services with the out-of-pocket reimbursements for consumers’ losses and time spent responding to the breach. But the official class notice, which will be sent to class members shortly, clarifies the structure of the settlement as well as the true value of the credit monitoring services being offered.” 

Keller also said that “while the settlement provides real, meaningful relief for consumers, it also demonstrates the current limitations of the law and is a perfect example as to why Congress needs to act to force companies to take cybersecurity and privacy seriously.” Siegel added that “quantifying damages in data breach cases is always challenging, and what is really needed is the adoption of regulations with teeth.” But Keller said “we appreciated the regulators’ feedback on our initial term sheet and believe that it ultimately helped to make certain portions of the settlement stronger.”