A string of consolidated lawsuits against Atlanta-based Equifax stemming from a 2017 data breach that affected more than 146 million consumers may go forward, the chief judge of the U.S. District Court for the Northern District of Georgia ruled Monday.

Calling the data breach that affected nearly half the U.S. population “unprecedented,” Chief Judge Thomas Thrash Jr. largely rejected arguments by Equifax lawyers that he dismiss pending lawsuits filed on behalf of consumers whose personal and financial information was exposed, and financial institutions that issued debit or credit cards to affected customers and were then faced with helping customers clean up the resulting mess.

Thrash dismissed from the litigation any financial institutions that didn't issue credit or debit cards to affected consumers. But financial card issuers remain plaintiffs because they contend they incurred concrete costs associated with investigating and refunding fraudulent charges, canceling and reissuing potentially compromised cards, and heightened customer fraud monitoring, the judge ruled.

Although Equifax lawyers have argued there are no allegations pending that the financial institutions continue to be harmed by the 2017 data breach, Thrash noted that counsel for the banks contend “that Equifax's cybersecurity systems remain inadequate, and another breach is imminent.”

Chief Judge Thomas Thrash Jr., U.S. District Court for the Northern District of Georgia (Photo: John Disney/ALM)

Thrash also dismissed separate suits filed by 10 small businesses that were not folded into the consumers' multidistrict litigation. Attorneys representing the businesses didn't contend that confidential business information was compromised. Instead, they advanced “a new legal theory that has never been advanced—much less accepted—in data breach litigation,” Thrash said. “The business plaintiffs assert claims based on the theft of their owners' personally identifying information,” contending the businesses could be harmed because “they rely on the creditworthiness of their owners to obtain business credit.”

King & Spalding partners David Balser and Phyllis Sumner, who are leading a team of lawyers defending Equifax, couldn't be reached for comment.

The consumer plaintiffs' lead counsel—Ken Canfield of Atlanta's Doffermyre Shields Canfield & Knowles; Norman Siegel of Kansas City's Stueve Siegel; and Amy Keller of Chicago's DiCello Levitt—also couldn't be reached.

The breach, which extended over nearly three months in 2017, “was also severe in terms of the type of information that the hackers were able to obtain,” Thrash wrote. “The hackers stole at least 146.6 million names, 146.6 million dates of birth, 145.5 million Social Security numbers, 99 million addresses, 17.6 million driver's license numbers, 209,000 credit card numbers, and 97,500 tax identification numbers.”

In an 80-page order addressing claims by 96 people on behalf of a proposed class of all consumers whose data was exposed, Thrash concluded that, based on facts alleged in the complaints, “Equifax owed the plaintiffs a duty of care to safeguard the personal information in its custody.” That duty “arises from the allegations that the defendants knew of a foreseeable risk to its data security systems but failed to implement reasonable security measures.”

Chief among arguments offered by Equifax counsel at King & Spalding in Atlanta was Equifax's contention that the exposure of consumers' personal identifying information is not an injury. Equifax also contended that either no harm had resulted from the data breach, or that it was only “speculative future harm.”

Thrash disagreed. “The plaintiffs here have alleged that they have been harmed by having to take measures to combat the risk of identity theft, by identity theft that has already occurred to some members of the class, by expending time and effort to monitor their credit and identity, and that they all face a serious and imminent risk of fraud and identity theft due to the data breach,” Thrash said.

Thrash also was unimpressed by defense arguments that the plaintiffs could not demonstrate that allegations of identity theft or credit or debit card fraud could be traced back to the Equifax breach, which was one of more than 1,500 data breaches the company's attorneys said occurred in 2017 alone.

“The plaintiffs plausibly allege that Equifax had custody of their personally identifiable information, that Equifax's systems were hacked, that these hackers obtained this personal information, and that as a result of this breach, they have become the victims of identity theft and other fraudulent activity,” the judge determined.

Thrash was equally unmoved by Equifax arguments that the credit bureau should not be held responsible for “unforeseeable criminal acts of third parties.”

The judge said the question of whether a criminal attack is foreseeable is a jury question. But, he added, “It may not be in this case because of the many public statements by Equifax that it knew how valuable its information was to cyber criminals and its susceptibility to hacking attempts.”

“Equifax itself even experienced prior data breaches,” the judge said. “Furthermore, Equifax ignored warnings from cybersecurity experts that its data systems were dangerously deficient and that there was a substantial risk of an imminent breach. These allegations are sufficient to establish that the acts of the third party cyber-hackers were reasonably foreseeable.”
