In re Equifax, Inc.
Decision Date: 28 January 2019
Docket Number: 1:17-md-2800-TWT, MDL DOCKET NO. 2800
Citation: 371 F.Supp.3d 1150
Parties: IN RE EQUIFAX, INC., CUSTOMER DATA SECURITY BREACH LITIGATION
Court: U.S. District Court — Northern District of Georgia
FINANCIAL INSTITUTION CASES
This is a data breach case. It is before the Court on the Defendants' Motion to Dismiss the Financial Institutions' Consolidated Amended Complaint [Doc. 435]. For the reasons set forth below, the Defendants' Motion to Dismiss the Financial Institutions' Consolidated Amended Complaint [Doc. 435] is GRANTED in part and DENIED in part.
On September 7, 2017, the Defendant Equifax Inc. announced that it was the subject of one of the largest data breaches in history.1 From mid-May through the end of July 2017, hackers stole the personal information of nearly 150 million Americans (the "Data Breach").2 This personally identifiable information included names, Social Security numbers, birth dates, addresses, driver's license numbers, images of taxpayer ID cards and passports, photographs associated with government-issued identification, payment card information, and more.3 This Data Breach, according to the Plaintiffs, was the direct result of Equifax's disregard for cybersecurity.
Equifax is a Georgia corporation with its principal place of business in Atlanta, Georgia.4 The Defendant Equifax Information Services LLC is a wholly-owned subsidiary of Equifax with its principal place of business in Atlanta, Georgia.5 Equifax Information Services collects and reports consumer information to financial institutions, including the Plaintiffs.6 The Plaintiffs are financial institutions that provide a range of financial services.7 The Plaintiffs depend greatly on the services provided by Equifax and other credit reporting agencies, since the information they provide is necessary to determine the credit-worthiness of their customers.8
According to the Plaintiffs, the Data Breach was the direct result of Equifax's refusal to take the necessary steps to protect the personally identifiable information in its custody. Equifax was warned on numerous occasions that its cybersecurity was dangerously deficient, and that it was vulnerable to data theft and security breaches.9 In fact, Equifax had suffered multiple security breaches in the past, showing that the Data Breach was not an isolated incident.10 However, despite these warnings, Equifax did not take the necessary steps to improve its data security or prepare for the known cybersecurity risks.11
On March 7, 2017, a vulnerability in the Apache Struts software, a popular open source software program, was discovered.12 Equifax used Apache Struts to run a dispute portal website.13 The same day that this vulnerability was announced, the Apache Foundation made available various patches to protect against this vulnerability.14 The Apache Foundation, along with the U.S. Department of Homeland Security, issued public warnings regarding the vulnerability and the need to implement these patches.15 Equifax received these warnings and disseminated them internally, but failed to implement the patch.16 Then, between May 13 and July 30, 2017, hackers exploited this vulnerability to enter Equifax's systems.17 These hackers were able to access multiple databases and exfiltrate sensitive personal information in Equifax's custody.18 In addition to obtaining this personal information, the hackers accessed 209,000 consumer credit card numbers.19 On July 29, 2017, Equifax discovered the Data Breach.20 Equifax's CEO, Richard Smith, was informed of the breach on July 31, 2017.21 On September 7, 2017, Equifax publicly announced that the Data Breach had occurred.22
The Plaintiffs allege that the Data Breach undermined the credit reporting and verification system by exposing this personally identifiable information.23 According to the Plaintiffs, they were harmed because the Data Breach had a significant impact on financial institutions, including the measures they use to authenticate their customers.24 The Plaintiffs were forced to expend resources to assess the impact of the Data Breach and their ability to authenticate customers and detect fraud.25 They have also expended resources establishing new monitoring methods for preventing fraud and will continue to incur costs to develop new modes of preventing such activity.26 Twenty-three of the Plaintiffs also allege that they issued payment cards that were compromised in the Data Breach.27 The Plaintiffs assert claims for negligence, negligence per se, negligent misrepresentation, and claims under various state business practices statutes. The Defendants now move to dismiss.
First, the Court concludes that Georgia law governs this case. This case is before the Court based on diversity jurisdiction. The Court therefore looks to Georgia's choice of law requirements to determine the appropriate rules of decision.28 Georgia follows the traditional approach of lex loci delicti in tort cases, which generally applies the substantive law of the state where the last event occurred necessary to make an actor liable for the alleged tort.29 Usually, this means that the "law of the place of the injury governs rather than the law of the place of the tortious acts allegedly causing the injury."30 However, there is an exception when the law of the foreign state is the common law.31 The Plaintiffs identify no foreign statutes that govern their common law claims, therefore the Court will apply Georgia common law.
The Defendants contend that the Plaintiffs lack Article III standing.32 In order to establish standing under Article III, a plaintiff must show an injury that is "concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling."33 The Supreme Court has held that "threatened injury must be certainly impending to constitute injury in fact, and that allegations of possible future injury are not sufficient."34 The Supreme Court has also noted, however, that standing can be "based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm."35
First, the Defendants contend that the Plaintiffs' allegations fail because they have failed to make individualized allegations as to standing, and instead assert generic allegations as to the entire putative class.36 The Plaintiffs have each explained the steps they took after the Data Breach, and the harm that they suffered as a result of the Data Breach.37 The allegations fall into two groups. The first group of Plaintiffs ("Financial Institutions") allege: (1) they have already spent time and money responding to the compromise of the credit reporting system and personal information they rely upon for their businesses; (2) they have already spent time and money assessing the impact of the Data Breach as required by federal law; and (3) each Plaintiff has already spent time and money mitigating a "substantial risk" of future fraudulent activity.38 The second group of Plaintiffs ("Financial Institution Card Issuers") make the same allegations plus a fourth: these Plaintiffs issued payment cards compromised in the Data Breach, and have spent time and money reissuing payment cards or reimbursing customers. For each group, the allegations are pretty much word for word the same for each of the Plaintiffs. This is a factor that weighs against finding that the allegations are concrete and particularized. Instead, they are abstract and generalized.
Next, the Defendants contend that the Plaintiffs have not provided sufficient factual allegations demonstrating a cognizable injury-in-fact. A "plaintiff must allege that he has suffered a ‘concrete’ injury particular to himself."39 This injury must be "actual or imminent, not conjectural or hypothetical."40 The Defendants contend that the Plaintiffs' alleged injuries are speculative and conjectural because their "primary theory of harm is focused on actions they might take or costs they may incur due to the theft of consumers' PII" and based on what criminal third party actors might do in the future.41 According to the Defendants, the Plaintiffs have not identified any customers who were actually affected by the Data Breach, and that they cannot manufacture standing by taking unnecessary steps to protect themselves.42
Here, the Plaintiffs have adequately pleaded standing as to the Financial Institution Card Issuers with respect to reissuing payment cards and reimbursing customers for fraudulent charges. Although the allegations are generalized, the injuries themselves are sufficiently concrete and particularized that they should be easily ascertainable. Specifically, the banks have pleaded actual injury in the form of costs to investigate fraudulent charges, costs to cancel and reissue cards compromised in the data breach, and costs to refund fraudulent charges.43 These injuries are not speculative and are not threatened future injuries, but are actual, current, monetary damages. The disclosure of payment card numbers is regulated by the Fair Credit Reporting Act.44 Here, the Financial Institution Card Issuers have adequately pleaded standing.45 Therefore, the Motion to Dismiss is denied as to these 23 Plaintiffs as to these specific claims.
All of the Financial Institution Plaintiffs allege that they "rel[y] on the accuracy and integrity of the information supplied by the credit reporting system, a reliance which is entirely foreseeable by Equifax, given the role that Equifax serves in such a system."46 The Plaintiffs allege that their "current and/or future...