(The opinions expressed here are those of the author, a columnist for Reuters.)
By Alison Frankel
NEW YORK, Sept 8 (Reuters) - Less than a day after Equifax revealed one of the biggest data breaches in U.S. corporate history, the credit reporting company has already been hit with two proposed class actions in federal court – and one of those cases was filed by consumer lawyers who just won the right to move forward with gargantuan data breach litigation against Yahoo.
That’s an ominous development for Equifax. And you can be sure there will be more suits to come.
Equifax said hackers accessed files that contained the names, Social Security numbers and driver’s license numbers of as many as 143 million U.S. consumers. The profusion of potential data breach victims will attract lots of lawyers who will probably file lots more proposed class actions. (Equifax did not respond to a request for comment on the litigation from my Reuters colleague Jon Stempel.)
Eventually, if recent data breach litigation against Anthem, Yahoo and Target is a guide, the Equifax cases will be consolidated by a panel of federal judges who will transfer the cases to a single federal court. That court will rule on the crucial early-stage motions that will shape Equifax’s liability to the millions of consumers whose data has been compromised.
That’s where things could get very interesting. In data breach litigation, the answer to a threshold question about who has the right to sue depends on which court is hearing the case.
If litigation against Equifax ends up in Chicago, for example, data breach victims must only show they are at risk of identity theft to establish the constitutional right to sue in federal court, otherwise known as standing. But in Richmond, Virginia, heightened risk isn’t enough to satisfy standing requirements.
Federal appellate courts are deeply divided on the question of who has standing to sue over data breaches. Several federal circuits, including the 3rd, 6th, 7th and District of Columbia U.S. Circuit Courts of Appeal, have held in the past two years that the mere increased risk of identity theft or credit card fraud gives consumers a threshold right to bring a class action.
Those rulings make it much easier to move forward with data breach litigation because lawyers representing consumers whose personal information has been stolen don’t have to show their clients’ data has actually been misused. Getting class actions past the threshold requirement can, in turn, lead to quicker, larger settlements.
This summer, for instance, the insurer Anthem agreed to a record-setting $115 million settlement of data-breach litigation consolidated in federal court in San Jose. The 9th Circuit, which encompasses California, has held that data breach victims meet standing requirements if they can show “a credible threat of real and immediate harm.”
The 2nd, 4th and 8th Circuits don’t buy that reasoning. They have all recently held that risk alone - without allegations that personal information has actually been misused – is not an adequately concrete injury to allow consumers to sue.
Equifax is based in Atlanta, which is located in the 11th Circuit. That appeals court most recently ruled on standing for data breach victims in 2012, in a proposed class action called Resnick v. AvMed, which involved the theft of two laptops containing personal information about clients of AvMed, a healthcare provider.
The AvMed clients who filed the case claimed their information had already been misused. AvMed argued that they didn’t meet constitutional standing requirements because they couldn’t show the supposed misuse stemmed from the theft of AvMed laptops. The 11th Circuit concluded that data breach victims do not have to prove such a link in order to establish their threshold right to sue.
But the Resnick opinion did not address the question of standing for data breach victims whose information has only been stolen but not yet misused – which is what consumers are alleging in the two Equifax proposed class actions that have already been filed. At least one federal district judge in the 11th Circuit has found, in a 2016 decision, that the risk of identity theft after a data breach is not enough to give consumers a right to sue.
Sooner or later, the U.S. Supreme Court will probably have to resolve uncertainty among the federal appellate courts on the standing of data breach victims facing increased risk of identity theft. The health insurer CareFirst, which last month lost an appeal at the D.C. Circuit in which it tried to bounce a data breach class action, has informed the appeals court that it intends to ask the justices to hear the issue.
Possible Supreme Court involvement is just one of the factors that will ultimately determine the magnitude of Equifax’s litigation exposure to consumers. (Another could be Equifax’s terms of service, which include a provision that appears to require consumers enrolling in a complimentary monitoring service called TrustedID Premier to waive their class action rights and submit disputes to arbitration.) These big data breach class actions are typically measured in years, not weeks or even months.
But keep an eye on which court ends up overseeing the consolidated litigation. In data breach class actions, as in real estate, much depends on location, location, location.
Reporting by Alison Frankel. Editing by Alessandra Rafferty.