Class action objector Ted Frank has opposed the $1.4 billion settlement over the Equifax data breach, claiming the deal unfairly compensates some customers over others and awards excessive fees to plaintiffs' attorneys.

In a Tuesday objection filed in court, Frank, director of the Center for Class Action Fairness at the Hamilton Lincoln Law Institute, a nonprofit in Washington D.C., said that the deal fails to differentiate the potential 147 million class members from each other based on statutory damages available under various state data breach laws.

"You have citizens of 50 states, in which many state legislators were explicitly concerned about data breaches and created these regimes to protect customers, and all these individual regimes are being ignored," he said.

He also wrote that plaintiffs firms should get closer to $16 million in fees, not the $77.5 million they are requesting.

The objection is one of several lodged in court ahead of a Dec. 19 final approval hearing before Chief Judge Thomas Thrash of the U.S. District Court for the Northern District of Georgia. The deadline to object was Tuesday.

The settlement, reached on July 22, resolved claims by consumers whose personal and financial information was compromised from the 2017 cyberattack, plus civil complaints brought by the Federal Trade Commission, the Consumer Financial Protection Bureau and 50 state attorneys general.

Each state, however, has different data breach laws, Frank said, some of which impose potentially thousands of dollars in statutory damages while others do not.

Frank's argument mimics that of an objector who appealed approval of a class action settlement with Hyundai Motor America Inc. and Kia Motors America Inc., winning a ruling last year from the U.S. Court of Appeals for the Ninth Circuit that found the district judge failed to analyze the consumer laws of several states. A Ninth Circuit en banc panel reversed that decision earlier this year.

But, unlike In re: Hyundai, Frank said there were specific differences in the Equifax case that created "fundamental intraclass conflicts." In New York, for example, data breach victims are entitled to $50 in statutory damages, while a Washington D.C. resident, like himself, could receive $1,500, he wrote in his motion.

Addressing another aspect of the deal, Frank chastised "outrageous and impermissible" requirements imposed on objectors to the Equifax settlement, such as making themselves available for depositions and disclosing how much their attorneys plan to ask for in attorney fees.

"Not only do the hurdles constitute a reason to reject the settlement in this case, they provide an added reason to discredit any argument that a low number of objectors signals the class members' approval of the settlement," he wrote.

Under the settlement, Equifax agreed to spend $1 billion on cybersecurity measures over the next five years. Equifax also agreed to pay another $125 million for out-of-pocket losses by consumers, and as much as $2 billion more in credit monitoring, if needed.

The deal provided class members free credit monitoring or, as an alternative, $125 in cash.

After millions of its customers submitted claims for the cash, Equifax sent out a new notice via email that required class members to verify they already had credit monitoring as of Oct. 15 in order to get the $125, according to Frank's motion. Many class members likely ignored that email, which looked like spam, he wrote.

"The class notice never informed these class members that perfecting their claim would require providing additional information," Frank wrote. "With no notice of this new requirement, the settling parties deny millions of class members the settlement share they validly claimed."

A handful of class members, mostly in letters directly addressed to the court, said they now get 21 cents instead of the $125.

Meanwhile, plaintiffs attorneys have submitted an "excessive fee request," Frank's motion says.

Last month, lawyers from 13 firms appointed to the multidistrict litigation filed a motion for fees they said were reasonable given that the amount represented less than 20.4% of the $380.5 million cash fund and only 5.6% of the settlement when including the other benefits to the class. It would primarily compensate all 13 firms, but another 46 law firms worked on the case.

They estimated that their total billing multiplied by their hourly rate—referred to as the lodesta—would total more than $27.7 million when including future work on the settlement.

Frank called the $380.5 million figure a "completely fictional cash fund," and the lodestar inflated given the lawyers "didn't do any actual litigating in this case." As a result, he said, the fees should be 10% of $162 million, the real value of the settlement.

The fee request is the highest of any data breach settlement, with fee awards approved in similar cases against Anthem and Yahoo totaling $31 million and $30 million, respectively.

In those data breach cases, U.S. District Judge Lucy Koh of the Northern District of California, questioned the amount of billing and the number of law firms involved. Those same problems exist in the Equifax settlement, Frank said.

"Obviously, there's a lot of back scratching going on here," Frank said. "It's the same thing that happened in Anthem."

Neither co-lead plaintiffs attorney Ken Canfield of Atlanta's Doffermyre Shields Canfield & Knowles, nor Equifax lead counsel David Balser, of King & Spalding in Atlanta, responded to requests for comment.