Two class-action lawsuits have been filed against Equifax after the company divulged a data breach potentially affecting 143 million U.S. consumers.
Not even 24 hours after the Georgia-based credit reporting company announced the incident, lawsuits were filed in federal courts in Georgia and Oregon.
In the case filed in Oregon on Thursday evening, plaintiffs say Equifax “negligently failed to maintain adequate technological safeguards to protect … information from unauthorized access by hackers.”
“Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,” the lawsuit reads. “Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to.”
In the case filed in the Northern District of Georgia, lawyers for a separate group level similar accusations.
“Equifax disregarded the rights of Plaintiffs and Class members by intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected, failing to disclose to its customers the material fact that it did not have adequate computer systems and security practices to safeguard PII, failing to take available steps to prevent and stop the breach from ever happening, and failing to monitor and detect the breach on a timely basis,” the lawsuit reads.
The Oregon case was filed by two law firms, Olsen Daines PC and Geragos & Geragos, the latter of which is known to handle high-profile class action lawsuits. The firm is handling a $100 million suit against the infamous multi-day concert Fyre Festival.
The Georgia case is being handled by John Yanchunis, a lawyer with Florida-based Morgan & Morgan. Yanchunis has been involved in other high-profile breach cases, including a class-action lawsuit in the wake of Target’s 2013 breach and pending cases against Yahoo.
An interesting wrinkle to the lawsuits lies in the terms of service for Equifax’s TrustedID. Equifax is allowing people affected by the breach to sign up for a free year of their credit monitoring product. However, many people have pointed out on Twitter that if people sign up for TrustedID, they waive their right to join a class-action lawsuit.
Equifax has clarified that this rule, known as an arbitration clause, refers to the TrustedID product and not to any lawsuits dealing with the breach incident.
Equifax TrustedID protection (provided to victims) ToS require you to agree to private arbitration; waive ability 4 class action suit pic.twitter.com/UIVPVg9inn
— kyle shockey (@kyshoc) September 8, 2017
After the terms of service information was disseminated, New York Attorney General Eric Schneiderman called it “unacceptable and unenforceable” and called for Equifax to remove the language from its site.
— NY AG Underwood (@NewYorkStateAG) September 8, 2017
He later clarified his remarks.
Arbitration clauses have been a point of contention for some time when it comes to consumer financial products. The Consumer Financial Protection Bureau has moved to ban these clauses, but Congress is working to repeal the bureau’s rule.
The Oregon suit is seeking $68.6 billion in damages; the Georgia suit says the cost “exceeds $5 million.”
You can read both suits below: