Equifax, Inc. Data Breach
In re: Equifax, Inc. Customer Data Security Breach Litigation
United States District Court for the Northern District of Georgia, Atlanta Division
Case No. 17-md-2800
In September and October 2017, Keller Rohrback L.L.P. filed four class action complaints in federal courts in California and Georgia against Equifax Inc. Those cases, and many others containing similar claims, were consolidated in the United States District Court for the Northern District of Georgia, Atlanta Division and are proceeding before the Honorable Judge Thomas W. Thrash.
The Plaintiffs are pursuing claims, on behalf of a proposed class, against Equifax for breaching its duty to safeguard and protect the PII of the Plaintiffs and the proposed class members; injunctive relief that will stop Equifax from continuing its deceptive, fraudulent and unfair business practices; restitution and/or disgorgement and compensatory damages for the economic losses and the out-of-pocket costs; and treble damages applicable under state and federal laws.
On May 14, 2018, the Plaintiffs filed the Consolidated Consumer Class Action Complaint against Equifax Inc., Equifax Information Services LLC (“EIS”), and Equifax Consumer Services LLC (“ECS”) (collectively, “Equifax” or “Defendants”). In that consolidated complaint, Plaintiffs seek certification of a nationwide class defined as:
“All natural persons residing in the United States whose Personal Information was compromised as a result of the data breach announced by Equifax on or about September 7, 2017, as identified by Equifax’s records relating to the data breach”
Plaintiffs are also seeking certification of various subclasses. To review those definitions, please see the Consolidated Consumer Class Action Complaint in the Case Documents section below.
The Defendants responded to the consolidated complaint with a motion to dismiss. On January 28, 2019, the Court issued its Opinion and Order granting and denying in part the motion to dismiss. The Court upheld Plaintiffs’ core claims being pursued – negligence and negligence per se. In addition, the Court found that Plaintiffs have pled both a duty and injury related to the theft of their personal information.
The parties will soon enter the discovery phase, wherein the parties will seek to assemble evidence related to the issues and claims being pursued in the litigation, including requests for production of documents, taking the depositions of parties and witnesses, issuing subpoenas to third parties for information, documents or testimony, the retention of expert witnesses and the preparation of their reports and eventual testimony. The discovery stage is expected to last well into 2019.
Background on the Breach
On September 7, 2017, Equifax disclosed that it had experienced a data breach that exposed the sensitive, personally identifying information (“PII”) for an estimated 143 million Americans, which the Company revised upward by several million in May 2018. The PII disclosed includes names, birth dates, Social Security numbers, tax ID numbers, addresses – information most often used for identity theft. Email addresses, phone numbers, credit card numbers and driver’s license numbers were also exposed.
Equifax knew about the breach as early as July 29, 2017, but did not disclose it to the public, allowing the hackers nearly two months to gather the PII in the possession and control of Equifax. There are indications that the hackers began accessing the data as early as May 2017 – two months before Equifax even became aware. In addition, there appears to be knowledge on the part of Equifax that there were vulnerabilities in the web applications and software packages being utilized, yet no protections were put in place.
The Federal Trade Commission’s website is a useful resource for information on the immediate steps to take if you have or may have been exposed in a data breach: www.identitytheft.gov.
We are unable to respond to any questions with respect to the status of the personal identifying information (PII) for any specific individual possessed or maintained by Equifax and whether that PII was subject to this 2017 breach. PII can be names, addresses, Social Security numbers and other forms of unique identifiers or data.
Please be advised that we are unable to accept the opportunity to represent individual persons for the purpose of bringing individual cases, and we cannot provide any legal advice with respect to any potential individual claims.
Consolidated Consumer Class Action Complaint – 05/14/2018