In re Equifax, Inc.

Decision Date: 28 January 2019
Docket Number: 1:17-md-2800-TWT, MDL DOCKET NO. 2800
Parties: IN RE EQUIFAX, INC., CUSTOMER DATA SECURITY BREACH LITIGATION
Court: U.S. District Court — Northern District of Georgia

371 F.Supp.3d 1150

IN RE EQUIFAX, INC., CUSTOMER DATA SECURITY BREACH LITIGATION

MDL DOCKET NO. 2800
1:17-md-2800-TWT

United States District Court, N.D. Georgia, Atlanta Division.

Signed January 28, 2019


371 F.Supp.3d 1157

FINANCIAL INSTITUTION CASES

OPINION AND ORDER

THOMAS W. THRASH, JR. United States District Judge

This is a data breach case. It is before the Court on the Defendants' Motion to Dismiss the Financial Institutions' Consolidated Amended Complaint [Doc. 435]. For the reasons set forth below, the Defendants' Motion to Dismiss the Financial Institutions' Consolidated Amended Complaint [Doc. 435] is GRANTED in part and DENIED in part.

I. Background

On September 7, 2017, the Defendant Equifax Inc. announced that it was the subject of one of the largest data breaches in history.1 From mid-May through the end of July 2017, hackers stole the personal information of nearly 150 million Americans (the "Data Breach").2 This personally identifiable information included names, Social Security numbers, birth dates, addresses, driver's license numbers, images of taxpayer ID cards and passports, photographs associated with government-issued identification, payment card information, and more.3 This Data Breach, according to the Plaintiffs, was the direct result of Equifax's disregard for cybersecurity.

Equifax is a Georgia corporation with its principal place of business in Atlanta, Georgia.4 The Defendant Equifax Information Services LLC is a wholly-owned subsidiary of Equifax with its principal place of business in Atlanta, Georgia.5 Equifax Information Services collects and reports consumer information to financial institutions, including the Plaintiffs.6 The Plaintiffs are financial institutions that provide a range of financial services.7 The Plaintiffs depend greatly on the services provided by Equifax and other credit reporting agencies, since the information they provide [371 F.Supp.3d 1158] is necessary to determine the credit-worthiness of their customers.8

According to the Plaintiffs, the Data Breach was the direct result of Equifax's refusal to take the necessary steps to protect the personally identifiable information in its custody. Equifax was warned on numerous occasions that its cybersecurity was dangerously deficient, and that it was vulnerable to data theft and security breaches.9 In fact, Equifax had suffered multiple security breaches in the past, showing that the Data Breach was not an isolated incident.10 However, despite these warnings, Equifax did not take the necessary steps to improve its data security or prepare for the known cybersecurity risks.11

On March 7, 2017, a vulnerability in the Apache Struts software, a popular open source software program, was discovered.12 Equifax used Apache Struts to run a dispute portal website.13 The same day that this vulnerability was announced, the Apache Foundation made available various patches to protect against this vulnerability.14 The Apache Foundation, along with the U.S. Department of Homeland Security, issued public warnings regarding the vulnerability and the need to implement these patches.15 Equifax received these warnings and disseminated them internally, but failed to implement the patch.16 Then, between May 13 and July 30, 2017, hackers exploited this vulnerability to enter Equifax's systems.17 These hackers were able to access multiple databases and exfiltrate sensitive personal information in Equifax's custody.18 In addition to obtaining this personal information, the hackers accessed 209,000 consumer credit card numbers.19 On July 29, 2017, Equifax discovered the Data Breach.20 Equifax's CEO, Richard Smith, was informed of the breach on July 31, 2017.21 On September 7, 2017, Equifax publicly announced that the Data Breach had occurred.22

The Plaintiffs allege that the Data Breach undermined the credit reporting and verification system by exposing this personally identifiable information.23 According to the Plaintiffs, they were harmed because the Data Breach had a significant impact on financial institutions, including the measures they use to authenticate their customers.24 The Plaintiffs were forced to expend resources to assess the impact of the Data Breach and their ability to authenticate customers and detect fraud.25 They have also expended resources establishing new monitoring methods for preventing fraud and will continue to incur costs to develop new modes of [371 F.Supp.3d 1159] preventing such activity.26 Twenty-three of the Plaintiffs also allege that they issued payment cards that were compromised in the Data Breach.27 The Plaintiffs assert claims for negligence, negligence per se, negligent misrepresentation, and claims under various state business practices statutes. The Defendants now move to dismiss.

A. Choice of Law

First, the Court concludes that Georgia law governs this case. This case is before the Court based on diversity jurisdiction. The Court therefore looks to Georgia's choice of law requirements to determine the appropriate rules of decision.28 Georgia follows the traditional approach of lex loci delicti in tort cases, which generally applies the substantive law of the state where the last event occurred necessary to make an actor liable for the alleged tort.29 Usually, this means that the "law of the place of the injury governs rather than the law of the place of the tortious acts allegedly causing the injury."30 However, there is an exception when the law of the foreign state is the common law. "[T]he application of another jurisdiction's laws is limited to statutes and decisions construing those statutes. When no statute is involved, Georgia courts apply the common law as developed in Georgia rather than foreign case law."31 The Plaintiffs identify no foreign statutes that govern their common law claims, therefore the Court will apply Georgia common law.

B. Standing

1. The Financial Institutions

The Defendants contend that the Plaintiffs lack Article III standing.32 In order to establish standing under Article III, a plaintiff must show an injury that is "concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling."33 The Supreme Court has held that "threatened injury must be certainly impending to constitute injury in fact, and that allegations of possible future injury are not sufficient."34 The Supreme Court has also noted, however, that standing can be "based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm."35

First, the Defendants contend that the Plaintiffs' allegations fail because they have failed to make individualized allegations [371 F.Supp.3d 1160] as to standing, and instead assert generic allegations as to the entire putative class.36 The Plaintiffs have each explained the steps they took after the Data Breach, and the harm that they suffered as a result of the Data Breach.37 The allegations fall into two groups. The first group of Plaintiffs ("Financial Institutions") allege: (1) they have already spent time and money responding to the compromise of the credit reporting system and personal information they rely upon for their businesses; (2) they have already spent time and money assessing the impact of the Data Breach as required by federal law; and (3) each Plaintiff has already spent time and money mitigating a "substantial risk" of future fraudulent activity.38 The second group of Plaintiffs ("Financial Institution Card Issuers") make the same allegations plus a fourth: these Plaintiffs issued payment cards compromised in the Data Breach, and have spent time and money reissuing payment cards or reimbursing customers. For each group, the allegations are pretty much word for word the same for each of the Plaintiffs. This is a factor that weighs against finding that the allegations are concrete and particularized. Instead, they are abstract and generalized.

Next, the Defendants contend that the Plaintiffs have not provided sufficient factual allegations demonstrating a cognizable injury-in-fact. A "plaintiff must allege that he has suffered a ‘concrete’ injury particular to himself."39 This injury must be "actual or imminent, not conjectural or hypothetical."40 The Defendants contend that the Plaintiffs' alleged injuries are speculative and conjectural because their "primary theory of harm is focused on actions they might take or costs they may incur due to the theft of consumers' PII" and based on what criminal third party actors might do in the future.41 According to the Defendants, the Plaintiffs have not identified any customers who were actually affected by the Data Breach, and that they cannot manufacture standing by taking unnecessary steps to protect themselves.42

Here, the Plaintiffs have adequately pleaded standing as to the Financial Institution Card Issuers with respect to reissuing payment cards and reimbursing customers for fraudulent charges. Although the allegations are generalized, the injuries themselves are sufficiently concrete and...

4 cases
  • Bowen v. Porsche Cars, N.A., Inc.
    • United States
    • U.S. District Court — Northern District of Georgia
    • 20 September 2021
    ...a Georgia court will apply the common law as espoused by the courts of Georgia." Id. See also In re Equifax, Inc. Customer Data Sec. Breach Litig., 371 F. Supp. 3d 1150, 1159 (N.D. Ga. 2019) (citing In re Tri-State Crematory Litig., 215 F.R.D. 660, 677 (N.D. Ga. 2003) and Coon, 300 Ga. at 7......
  • Parker v. Perdue Farms, Inc.
    • United States
    • U.S. District Court — Middle District of Georgia
    • 8 December 2022
    ... ... 1997) ...           1 ... Negligent Misrepresentation ...          First, ... for negligent misrepresentation, courts are split on applying ... the heightened pleading standards of Fed.R.Civ.P. 9(b) to ... such claims. See In re Equifax, Inc., Customer Data Sec ... Breach Litig. , 371 F.Supp.3d 1150, 1177 (N.D.Ga. 2019) ... (“[T]he heightened pleading standards of Rule 9(b) do ... not apply to claims of negligent misrepresentation.”); ... Higgins v. Bank of Am., N.A. , No ... ...
  • Akkad Holdings, LLC v. Trapollo, LLC
    • United States
    • U.S. District Court — Northern District of Georgia
    • 16 December 2021
    ... ... inferences therefrom are construed in the light most ... favorable to the plaintiff.” Bryant v. Avado ... Brands, Inc. , 187 F.3d 1271, 1273 n.1 (11th Cir. 1999) ... (citing Hawthorne v. Mac Adjustment, Inc. , 140 F.3d ... 1367, 1370 (11th Cir. 1998)) ... Best Buy Homes, ... LLC , 533 F.Supp.3d 1321, 1339 (N.D.Ga. 2021) (Rule 9(b) ... does not apply); In re Equifax, Inc., Customer Data Sec ... Breach Litig. , 371 F.Supp.3d 1150, 1177 (N.D.Ga. 2019) ... (same); Higgins v. Bank of Am., NA , 2015 WL ... ...
  • Versilia Supply Serv. SRL v. M/Y Waku
    • United States
    • U.S. District Court — Southern District of Florida
    • 16 April 2019
