Joey Rafaeli – During summer of 2017 more than 143 million Americans’ personal information, including names, addresses, dates of birth, and Social Security numbers were stolen from Equifax, one of America’s largest consumer reporting agencies, by computer hackers. The hackers were able to access this information due to an online security flaw that Equifax knew about but ignored. In March Cisco System reported the online security flaw but Equifax failed to react. It is estimated that the hackers were mining millions of people’s information every week from mid-May all the way until July 30. Such a large number of American’s identities at risk of theft led to numerous class action lawsuits filed in order to compensate the breach victims.
One class action suit was filed in Oregon, on September 7, 2017, the same day that the security breach was announced. The lawsuit, filed on behalf of the 143 million Americans affected by the breach, alleges negligence on Equifax’s behalf, specifically alleging that “Equifax negligently failed to maintain adequate technological safeguards to protect [millions of American’s] information from unauthorized access by hackers.” Additionally, the complaint alleges that “Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to.” The plaintiffs are seeking “fair compensation in an amount that will ensure every consumer harmed by its data breach will not be out-of-pocket for the costs of independent third-party credit repair and monitoring services.”
Although there been a plethora of similar lawsuits in the past, it is difficult to predict the outcome of Equifax case. This is due to the sharp split in the U.S. Circuit Courts of Appeals regarding whether class action members have standing to sue companies in data breach law suits – considering these members have not yet suffered an “injury-in-fact.”. The D.C. Circuit, Sixth Circuit, Seventh Circuit, and Eleventh Circuit have all ruled that data breach victims have been injured for standing purposes because their personal information has been stolen – putting them at risk of identity fraud. However, the Fourth Circuit and the Second Circuit disagree. Those circuits ruled that the personal information must be used to steal the victim’s identity in order for the plaintiffs to have standing to sue in a class action. With the sharp split in the circuits, it is obvious that the decision to certify data breach classes will be decided according to the forum filed in and not on the merits. The plaintiffs in these cases have clear incentives to file their suit in the federal circuits that have already favorably decided the standing issue. Considering the circuit split and its effect on these cases, it would not be surprising to see the Supreme Court review the issue in the near future.