A team of lawyers, including former Georgia Gov. Roy Barnes, has filed a class-action lawsuit against Equifax over the massive data breach that has compromised the personal information of more than 140 million U.S. consumers.
The lawsuit filed in U.S. District Court in Atlanta faults Equifax for “gargantuan failures to secure and safeguard consumers’ personally identifiable information … and for failing to provide timely, accurate and adequate notice” to consumers that such sensitive material had been stolen.
The lawsuit said plaintiffs Brian F. Spector, of Florida, and James McGonnigal, of Maryland, are each victims of the breach. McGonnigal alleges he has “recently had four credit accounts opened in his name without his authorization.”
The case joins another filed this week in Oregon on behalf of a couple there, and other lawsuits are expected. A committee of the U.S. House of Representatives has called for hearings, and the FBI reportedly is investigating the breach.
A message left with Equifax representatives on Saturday morning was not immediately returned.
The Atlanta case calls Equifax reckless in its handling of consumers’ data, and also said the company failed to disclose why there was more than a month’s delay in making the breach public. It cites the sale of stock by three executives days after Equifax learned of the breach, but weeks before the company alerted consumers to the cyber theft.
Three executives — Chief Financial Officer John Gamble, Joseph Loughran, who heads its U.S. information solutions business, and Rodolfo Ploder, who runs the company’s workforce solutions operation – sold nearly $1.8 million in stock in the days after Equifax discovered the cyber-attack.
The sales were not part of a scheduled sale, and Equifax said this week the three executives “had no knowledge that an intrusion had occurred at the time.”
But the company told its investors that it had “promptly” informed its board of directors of the incident.
The complaint contends the breach “was the inevitable result of Equifax’s inadequate approach to data security and the protection” of consumers’ personal information.
The Atlanta lawsuit seeks statutory damages under the federal Fair Credit Reporting Act and state statutes and other out-of-pocket losses and compensatory damages, as well as “more robust credit monitoring services with accompanying identity theft insurance. The plaintiffs also seek an order from the court requiring the company to improve its data security.
Equifax has taken heat from consumer groups for fine print in the credit and identity protection package it has offered for free to consumers hit by the breach. The fine print appears to bind consumers who agree to use the free products to arbitration, essentially giving up their rights to sue the company or join a class action case.
Equifax said in a statement Friday the arbitration clause doesn’t apply to the breach, but only to disputes that might arise with the free protection services.
Henry Turner, a Decatur lawyer with expertise in class action litigation, said in an e-mail the choice of venue in Equifax’s hometown “should be particularly interesting.”
He said that is “especially true” if the company attempts to use “the mandatory arbitration and/or class action waiver argument for all those that sign up [for] credit monitoring … to limit the putative class size and therefore the damages.”
“Remember that the language Equifax is using for these sign-ups not only contains a Mandatory Arbitration Provision but also a Class Action Waiver Provision,” he said.