Legal Sidebari Hundreds of Equifax Data Breach Lawsuits Have Been Filed—What are their Chances November 1 2017 The recent data security breach of Equifax one of the three main credit reporting agencies has already spawned scores of federal lawsuits as individual consumers financial institutions and state and local governments have all filed suit against the company These cases involve a wide variety of federal and state claims raising a host of legal issues that may more broadly inform Congress’s consideration of cybersecurity law going forward The impetus for the bevy of lawsuits against Equifax was a data breach that compromised sensitive consumer information e g names birthdates Social Security numbers for over 145 million Americans The breach which occurred in mid-summer and was reported by Equifax in September stemmed from the exploitation of a vulnerability that the credit reporting agency was made aware of in March 2017 For more details on the breach itself see this testimony from CRS cybersecurity analyst Chris Jaikaran Since the breach over 200 lawsuits have been filed against Equifax in federal and state courts around the country The cases brought against the company allege various common law state statutory and federal statutory claims The suits seek monetary damages as well as injunctive relief e g a court order requiring Equifax to implement stronger cybersecurity measures The lawsuits however face a variety of challenges including with regard to both the process of finding a venue that can hear a given case and the substance of the underlying claims Procedural issues On the procedural side one of the biggest hurdles the Equifax plaintiffs will have to overcome in light of recent Supreme Court precedent relates to the constitutional requirement of “standing ” This legal doctrine which derives from Article III’s case or controversy requirement necessitates that parties seeking judicial relief from a federal court show that 1 they have suffered or will imminently suffer a concrete and particularized injury that 2 has been caused by the defendant’s actions and 3 can be redressed by the court The Supreme Court recently specified that the injury alleged in a lawsuit must both affect a plaintiff “in a personal and individual way” and be real rather than abstract Cognizable harms can include incursions on property interests contractual rights and in certain circumstances statutorily created rights There is some question regarding to what extent Congress can functionally create Article III standing based solely on violation of a statutory right In the Equifax cases plaintiffs may have trouble meeting the standing requirement for several reasons First to the extent their claims are based solely on the increased risk of identity theft that they potentially Congressional Research Service https crsreports congress gov LSB10024 CRS INSIGHT Prepared for Members and Committees of Congress Congressional Research Service 2 face due to having their personal information compromised in the breach courts may be skeptical as to whether any injury that the plaintiffs may suffer is “certainly impending ” the standard announced in a 2013 Supreme Court case Lower courts have split on the question of whether the risk of identity theft alone is a sufficient injury to confer standing on a plaintiff or whether a person must wait until she has actually had her identity stolen before she can sue The Eleventh Circuit—which includes Atlanta where Equifax is located and where the litigation reportedly might be consolidated—has not taken a side on the issue Second it may be difficult for a plaintiff to prove the causation prong of the standing inquiry because the burden would be on the party seeking federal jurisdiction to prove that any identity theft or risk thereof is the result of the Equifax breach as opposed to some other cause Beyond the standing issue other procedural issues that may be raised in the Equifax litigation include   Class action certification—Equifax plaintiffs will have to establish that they meet the requirements under the Federal Rules of Civil Procedure to have their claims aggregated into a single suit such as that there are questions of law or fact common to all of the plaintiffs and Whether their claims will have to be arbitrated—there has been some debate over whether Equifax could require its consumers to bring their claims before an arbitrator as opposed to a court Substantive issues The Equifax data breach plaintiffs also face substantive challenges in bringing their suits One particularly tricky issue concerns any claims relying on common law torts like negligence To prove negligence a plaintiff must demonstrate 1 that the defendant owed her a duty of care 2 that the defendant breached that duty and 3 that as a proximate cause of that breach the plaintiff 4 was harmed When courts ask whether a defendant has been negligent the defendant’s conduct must be measured against a general standard of care with which it ought to have complied For example even if a company follows all of the best cybersecurity practices and is as vigilant as it can be it may still be possible for sophisticated hackers to nevertheless access the company’s networks in unauthorized ways In such a case a court would be unlikely to find such a company negligent despite a breach in its security On the other hand a company that openly put unencrypted sensitive customer information on a website that it knew could be subject to a breach would be much more likely to be found negligent Somewhere between these extremes is the relevant standard of care for purposes of a data breach negligence lawsuit However in the data breach context there is no universally agreed upon standard of care for cybersecurity measures Courts might look to the National Institute of Science and Technology’s 2014 Framework for Improving Critical Infrastructure Cybersecurity relevant state regulations or industry-created security standards to determine what kinds of actions Equifax should have been taking to protect the sensitive personal information it stored but it is unclear whether any of these provisions would amount to a standard of care with which Equifax had the duty to comply In addition to the standard of care issue the other elements of a negligence claim are not slam dunks either The plaintiffs must show they were harmed and while money spent by consumers to freeze or monitor their credit is easily quantifiable other injuries such as emotional distress are harder to prove Also showing that the Equifax breach was a “proximate” cause of any injury requires proof that the breach was reasonably foreseeable Beyond the negligence claims litigants have sued Equifax under other theories including violations of positive state and federal laws Additional substantive questions related to plaintiffs’ lawsuits include  Whether Equifax’s 6-week delay in announcing the data breach violated state data breach notification statutes most of which require only that notification occur “without unreasonable delay” Congressional Research Service     3 Whether the company violated state unfair and deceptive practices laws e g California Business Professional Code § 17200 et seq Whether the company had reasonable procedures in place to protect consumer data from unauthorized disclosures as required by the Fair Credit Reporting Act Whether Equifax implemented the safeguards promulgated by the Federal Trade Commission pursuant to the Gramm–Leach–Bliley Act What’s next The Equifax breach litigation implicates a number of issues that are potentially relevant to Congress as it considers this fast-changing legal area Several federal bills have been proposed in the wake of the breach such as to prohibit credit reporting agencies from charging a consumer to freeze her credit S 1816 S 1810 H R 3755 H R 3878 or to establish cybersecurity standards for credit bureaus S 1982 H R 4028 The Equifax breach could also affect the perennial debate about whether a federal data breach notification law is necessary—one bill to establish a 30-day deadline for notification to consumers H R 3806 has been introduced in the House In the litigation itself the question of which court will hear many of the suits may be answered soon Multiple parties including Equifax itself have asked the Judicial Panel on Multidistrict Litigation “JPML” to consolidate the federal cases in a single district court for coordinated pretrial proceedings the JPML is scheduled to hold hearings on that issue at the end of November Finally the breach has also aroused the interest of several federal agencies the Department of Justice the FTC and the Consumer Financial Protection Bureau have all reportedly begun investigations into Equifax’s conduct that could lead to civil or even criminal penalties Author Information Austin D Smith Legislative Attorney Disclaimer This document was prepared by the Congressional Research Service CRS CRS serves as nonpartisan shared staff to congressional committees and Members of Congress It operates solely at the behest of and under the direction of Congress Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role CRS Reports as a work of the United States Government are not subject to copyright protection in the United States Any CRS Report may be reproduced and distributed in its entirety without permission from CRS However as a CRS Report may include copyrighted images or material from a third party you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material LSB10024 · VERSION 2 · NEW