In re Equifax, Inc. Customer Data Sec. Breach Litig.
| Decision Date | 13 April 2022 |
| Docket Number | MDL 2800,1:17-md-2800-TWT |
| Parties | IN RE EQUIFAX, INC., CUSTOMER DATA SECURITY BREACH LITIGATION |
| Court | U.S. District Court — Northern District of Georgia |
This is a data breach case. It is before the Court on the Defendants' Motion to Dismiss [Doc. 1220]. For the reasons set forth below, the Defendants' Motion to Dismiss [Doc. 1220] is GRANTED with respect to Douglas Adams [No. 1:19-cv-3682-TWT], Alice Flowers [No. 1:10-cv-5703-TWT] Edward Hutchinson [No. 1:19-cv-5706-TWT], Ruby Hutchinson [No. 1:19-cv-5705-TWT], Raymond Silva [No. 1:19-cv-3825-TWT] Christopher Eustice and Cathy Eustice [No. 1:19-cv-3128-TWT] Christopher Eustice and David Eustice [No. 1:19-cv-3129-TWT] and Christopher Eustice and Travis Hubbard [No. 1:19-cv-3130-TWT]. The Court GRANTS in part and DENIES in part the Defendants' Motion to Dismiss [Doc. 1220] with respect to Audella Patterson [No. 1:19-cv-5529], Brett Joshpe [No. 1:19-cv-3595-TWT], Richard Khalaf [No. 1:19-cv-3830], and Anna Lee [No. 1:18-cv-4698-TWT]. The Court suggests to the Judicial Panel on Multidistrict Litigation that the actions of Audella Patterson [No. 1:19-cv-5529], Brett Joshpe [No. 1:19-cv-3595-TWT], Richard Khalaf [No. 1:19-cv-3830], and Anna Lee [No. 1:18-cv-4698-TWT] be remanded to the transferor courts for further proceedings.
On September 7, 2017, Defendant Equifax Inc. announced that hackers had stolen the personal and financial information of nearly 150 million Americans from its computer networks in one of the largest data breaches in history (the “Data Breach”). See In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F.Supp.3d 1295, 1308 (N.D.Ga. 2019). The Data Breach spawned more than 300 class actions against Equifax Inc., Equifax Information Services, LLC, and Equifax Consumer Services LLC (collectively, “Equifax”), which were consolidated and transferred to this Court as part of a multidistrict litigation (“MDL”). The Court established separate tracks for the consumer and financial institution claims and appointed separate legal teams to lead each track. In the consumer track, the Consumer Plaintiffs and Equifax reached a class action settlement of all claims arising out of the Data Breach, which the Court approved, and the Eleventh Circuit affirmed (except on the narrow issue of incentive awards), in an order dated March 17, 2020. See In re Equifax Customer Data Sec. Breach Litig., 2020 WL 256132 (N.D.Ga. Mar. 17, 2020), aff'd in part, rev'd in part, 999 F.3d 1247 (11th Cir. 2021).[1]
A small number of Consumer Plaintiffs (the “Opt-Out Plaintiffs”) who filed complaints in the MDL requested to be excluded from the class action settlement. Equifax now moves to dismiss their complaints, described below, for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6).
Opt-Out Plaintiffs Douglas Adams, Alice Flowers, Edward Hutchinson, Ruby Hutchinson, Audella Patterson, and Raymond Silva assert contract claims based on Equifax's alleged “commercial acquiescence” to a “Notice of Default.” (Equifax's Br. in Supp. of Equifax's Mot. to Dismiss, Ex. 1, Pt. 1 at 5; id., Ex. 1, Pt. 2 at 107, 143, 188; id., Ex. 1, Pt. 3 at 57, 91.)[2] Following the Data Breach, each individual mailed Equifax a “Conditional Acceptance” letter that requested “Proof of Claim” about its knowledge of, response to, and liability for the incident. The letter provided that “[y]our non-response will equate to commercial acquiescence to the terms outlined . . . in a final Affidavit and Notice of Default.” (E.g., id., Ex. 1, Pt. 1 at 8-9.) After not responding to the Conditional Acceptance and a second letter, Equifax was sent an “Affidavit and Notice of Default” stating that Equifax “has willingly, knowingly, intentionally, or voluntarily agreed and acquiesced through its non-response to the facts stated herein.” Those facts include that Equifax is “liable to me . . . for damages no less than a minimum of $75, 000, 000.00[.]” (E.g., id., Ex. 1, Pt. 1 at 14.) The OptOut Plaintiffs allege that Equifax is now “in default under contract.” (E.g., id., Ex. 1, Pt. 1 at 5.)
In addition to her commercial acquiescence claim, Patterson raises a claim for negligence based on Equifax's “careless disregard for safeguarding the sensitive data it collected to unjustly financially benefit from the data it collected, stored, and sold.” (Id., Ex. 1, Pt. 3 at 55.) That “careless disregard, ” she alleges, “put [her] at risk of identity theft for the rest of her life.” (Id., Ex. 1, Pt. 3 at 55.) Patterson also asserts a claim for unjust enrichment on the grounds that Equifax “prioritized growth and profits over protecting the [personal identifying information (“PII”)] of consumers, ” and that Equifax stands to gain new credit monitoring customers (and thus more revenue) as a result of the Data Breach. (Id., Ex. 1, Pt. 3 at 56-57.) Finally, Patterson accuses Equifax of violating the California Customer Records Act (“CCRA”) because it failed to publicly disclose the Data Breach in a “timely and accurate” manner. (Id., Ex. 1, Pt. 3 at 55-56.) She alleges that, as a direct and proximate cause of the delayed notice, she “suffered identity theft and aggravated identity theft damages, ” for which she now seeks actual damages and injunctive relief under the statute. (Id., Ex. 1, Pt. 3 at 56.)
Three of the opt-out complaints were filed by Christopher Eustice, on behalf of himself and Cathy Eustice, David Eustice, and Travis Hubbard (the “Eustice Plaintiffs”), in Texas state court. (Id., Ex. 1, Pt. 1 at 37, 100; id., Ex. 1, Pt. 2 at 56.) The Eustice Plaintiffs raise the following identical, verbatim claims against Equifax:
(E.g., id. Ex. 1, Pt. 1 at 37.) The complaints contain no factual assertions in support of these claims; instead, Christopher Eustice attaches a list of press statements, articles, and other documents with “relevant information . . . to [the] breach of [his] client's private information[.]”[3] (E.g., id. Ex. 1, Pt. 1 at 41-42.) In an accompanying affidavit, Christopher Eustice states that the Equifax “vulnerability was known for at least four months to the cyber security industry before Equifax was hacked and took remedial measures to protect consumer information.” (E.g., id. Ex. 1, Pt. 1 at 41.) The Eustice Plaintiffs seek $9, 975 each in monetary damages. (Id., Ex. 1, Pt. 1 at 37, 100; id., Ex. 1, Pt. 2 at 56.)
Brett Joshpe and Richard Khalaf bring claims for negligence and violations of New York General Business Law (“NYGBL”) Section 349 and the FCRA. (Id., Ex. 1, Pt. 3 at 1-2, 15-16.) They have allegedly “suffered financial, emotional and reputational damages” as “a direct and proximate result of the data breach[.]” (Id., Ex. 1, Pt. 3 at 13, 26.) Among their stated damages, Joshpe and Khalaf have received harassing and fraudulent phone calls; their credit ratings have been damaged such that Joshpe was denied a credit card in December 2018; Joshpe's PayPal account has been used in unauthorized transactions; fraudulent bank and credit card accounts have been opened in Joshpe's name; Khalaf has been targeted with check, credit card, and tax return fraud; and Joshpe's personal Gmail account has been hacked and used to send embarrassing messages to business and personal contacts. (Id., Ex. 1, Pt. 3 at 8, 22.) Joshpe and Khalaf also claim to have expended “significant emotional and financial resources” in an unsuccessful effort to mitigate the effects of the Data Breach. (Id., Ex. 1, Pt. 3 at 8-9, 22-23.) They seek no less than $1, 000, 000 in monetary damages on each count as well as litigation expenses, punitive damages, and injunctive relief. (Id., Ex. 1, Pt. 3 at 14, 26.)
Finally, Anna Lee filed an action in New York state court asserting claims for negligence and violations of NYGBL Section 349 and the FCRA. (Id., Ex. 1, Pt. 3 at 36-40.) Her injuries include “the loss of [her] legally protected interest in the confidentiality and privacy of [her] Personal Information” as well as “a significant risk of harm or threat of harm in the future, ” citing unspecified reports that information from the Data Breach is for sale on the Dark Web. (Id., Ex. 1, Pt. 3 at 3839.) Lee has also allegedly “spent numerous hours monitoring [her] accounts and addressing issues arising from the . . . Data Breach.” (Id., Ex. 1, Pt. 3 at 37.) Her complaint requests damages in the amount of $25, 000. (Id., Ex. 1, Pt. 3 at 40.)
A complaint should be dismissed under Rule 12(b)(6) only where it appears that the facts alleged fail to state a “plausible” claim for relief. Ashcroft v Iqbal, 129 S.Ct. 1937, 1949 (2009); Fed.R.Civ.P. 12(b)(6). A complaint may survive a motion to dismiss for failure to state a claim, however, even if it is “improbable” that a plaintiff would be able to prove those facts; even if the possibility of recovery is extremely “remote and unlikely.” BellAtl. Corp. v. Twombly, 550 U.S. 544, 556 (2007). In ruling on a motion to dismiss, the court must accept the facts pleaded in the complaint as true and construe them in the light most favorable to the plaintiff. See Quality Foods de Centro Am., S.A. v. Latin Am....
To continue reading
Request your trial