U.S. Markets open in 36 mins

Judge denies Equifax's request to dismiss class action lawsuit

Ethan Wolff-Mann
Senior Writer
This Saturday, July 21, 2012, photo shows signage at the corporate headquarters of Equifax Inc. in Atlanta. A Wall Street Journal report says that hackers broke into Equifax's computer systems in March 2017, giving them time to probe vulnerabilities and eventually gain access to the data of 143 million Americans. The Journal cited a report from security firm FireEye sent to some Equifax customers, including financial firms. (AP Photo/Mike Stewart)

A federal judge on Monday shot down Equifax’s (EFX) attempt in an Atlanta district court to dismiss a proposed class-action lawsuit, a move that would have stopped the case from moving forward.

The case follows Equifax’s 2017 security breach in which almost 150 million people had their sensitive personal information compromised, including Social Security numbers, credit card information, addresses, birth dates, and more. It was one of the largest data breaches of this kind in history.

Following the data incident, many people have sued, some of them in small claims, and some have had success. (At least one person told Yahoo Finance they had received and cashed a check.)

But this case is a proposed consolidated class action with many who allege damages from “present, immediate, imminent, and continuing increased risk of harm” because of the data breach. The lawsuit aims to represent similar people in the U.S., which could be up to approximately 150 million people.

Equifax tried to have a judge strike down the lawsuit on the grounds that the plaintiffs haven’t “sufficiently alleged injury and proximate causation.” The evidence of injury is a tricky thing when it comes to something as abstract as the exposure of a Social Security number, because it’s hard to quantify the damage unless there was an identity theft with an obvious cost. Equifax has honed this strategy in its small-claims court defenses.

Furthermore, with many data breaches in the past, it can be hard to connect damages to specific companies, which could potentially point that the data is out there already.

Consumers on the other hand, contend that Equifax had a duty of care to guard the data well, a matter that the court agreed with.

“The Court finds that [a precedent] supports the conclusion that the Defendants owed a legal duty to take reasonable measures to prevent a reasonably foreseeable risk of harm due to a data breach incident,” Judge Thomas W. Thrash, Jr wrote.

Amy Keller, a lawyer for the plaintiffs at DiCello Levitt & Casey, LLC, expressed satisfaction with the opinion and noted that holding otherwise “would create perverse incentives for businesses who profit off of the use of consumers’ personal data to turn a blind eye and ignore known security risks.”

Still, the judge did dismiss some elements of the complaint, including a claim under the Fair Credit Reporting Act.

This opinion is the this first substantive ruling the court has made regarding the merits of the case, which will now proceed forward to a discovery process. No damages have been put forth by the plaintiffs yet.

Equifax did not respond to a request for comment.


Ethan Wolff-Mann is a writer at Yahoo Finance focusing on consumer issues, personal finance, retail, airlines, and more. Follow him on Twitter @ewolffmann.

Equifax releases details on 2017 data breach

Equifax is losing in small claims court