In re Equifax, Inc.
362 F. Supp. 3d 1295
N.D. Ga.
2019

Background

  • In 2017 Equifax disclosed a major data breach (mid-May–July 2017) exposing highly sensitive data of ~147 million U.S. consumers (SSNs, birthdates, addresses, driver's licenses, some payment-card numbers).
  • Plaintiffs are 96 individual consumers seeking to represent a nationwide class; they allege actual identity-fraud losses, costs for mitigation (credit monitoring, time), and ongoing risk of future fraud.
  • Defendants are Equifax Inc. and two Georgia subsidiaries; suit proceeds in federal court under diversity jurisdiction; Georgia law governs common-law claims.
  • Plaintiffs pleaded multiple claims: FCRA, negligence, negligence per se (FTC Act), state consumer-protection and data-breach statutes, unjust enrichment, breach of contract (for consumers who purchased services), and requests for declaratory/injunctive relief.
  • Defendants moved to dismiss under Rule 12(b)(6) arguing failures to state FCRA claims, lack of legally cognizable injury/proximate cause for tort and statutory claims, extraterritorial limits, absence of private causes of action under certain state statutes, and contractual/other defenses.

Issues

| Issue | Plaintiff's Argument | Defendant's Argument | Held |
| --- | --- | --- | --- |
| Whether FCRA §1681b/§1681e applies | Plaintiffs: breach disclosed consumer reports/failed procedures; stolen data falls within consumer-report definition | Equifax: data were stolen, not "furnished"; stolen legacy/header data are not "consumer reports" | Dismissed: plaintiffs failed to allege "furnish" or that stolen data constituted a consumer report; FCRA claims dismissed |
| Whether plaintiffs pleaded legally cognizable injuries | Plaintiffs: alleged actual fraud, unreimbursed card charges, mitigation costs, and imminent risk of identity theft | Equifax: injuries are speculative or non-cognizable precautionary costs | Denied: court found allegations of actual fraud, mitigation expenditures, and imminent risk sufficient at pleading stage |
| Proximate causation and intervening criminal acts | Plaintiffs: alleged Equifax custody, hack, and resulting fraud; foreseeability of criminal attack made by Equifax's prior knowledge | Equifax: third-party hackers break causal chain; plaintiffs cannot tie specific frauds to this breach | Denied: court held hackers' acts were foreseeable given Equifax's knowledge and prior breaches; causation adequately pled |
| Duty to safeguard under Georgia law | Plaintiffs: Equifax knew of cybersecurity risks; traditional negligence principles and prior FTC/GLB/FTC guidance impose duty | Equifax: McConnell (Georgia appellate) holds no statutory/common-law duty to safeguard PII; no duty to whole world absent statute | Denied: court recognized a duty here based on allegations Equifax knew of a foreseeable risk and failed to implement reasonable measures (distinguishing McConnell facts) |
| Negligence per se via FTC Act | Plaintiffs: Section 5 (FTC Act) proscribes unfair data-security practices; violation supports negligence per se | Equifax: Section 5 is too vague or inapplicable for negligence per se | Denied: claim survives; complaint plausibly alleges Section 5 violation and class membership in protected class |
| State consumer-protection and data-breach claims; extraterritoriality & private rights of action | Plaintiffs: injuries occurred in plaintiffs’ home states; many state statutes or consumer-protection laws provide relief or permit enforcement | Equifax: many statutes lack private causes of action, are extraterritorial, or require consumer-transaction/privity; some statutes permit only AG enforcement | Mixed: many state claims survive; certain data-breach claims dismissed where statute or precedent forecloses private action (e.g., NY breach-notification statute); other state-by-state limits reserved for later |
| Unjust enrichment and contract claims | Plaintiffs: Equifax profited from PII; some consumers formed contracts or implied contracts via privacy policies/purchases | Equifax: non-contract plaintiffs conferred no benefit; merger clauses/terms preclude or limit contract damages | Partial: unjust enrichment dismissed for non‑contract plaintiffs (no conferral/expectation); contract claims dismissed where no mutual assent pleaded or terms disclaim damages, though contract plaintiffs may plead in the alternative |
| Statutory remedies and other relief (e.g., O.C.G.A. §13‑6‑11) | Plaintiffs: seek fees under Georgia statute due to alleged bad faith/security knowledge | Equifax: no bad faith alleged; bona fide controversy exists | Denied: court found factual allegations sufficient to plead bad faith under §13‑6‑11 |

Key Cases Cited

  • Ashcroft v. Iqbal, 556 U.S. 662 (plaintiff must plead facts showing plausible claim)
  • Bell Atl. v. Twombly, 550 U.S. 544 (plausibility standard for pleadings)
  • Bradley Ctr., Inc. v. Wessner, 250 Ga. 199 (Georgia recognizes duty to avoid foreseeable risks under general negligence principles)
  • LabMD, Inc. v. Fed. Trade Comm'n, 894 F.3d 1221 (11th Cir.) (FTC data-security "unfairness" standards and limits of administrative enforcement)
  • Wyndham Worldwide Corp. v. F.T.C., 799 F.3d 236 (3d Cir.) (FTC enforcement of inadequate data‑security under Section 5 upheld)
  • Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir.) (data compromise can support injury allegations)
  • State Farm Mut. Auto. Ins. Co. v. Campbell, 538 U.S. 408 (limitations on using out‑of‑state conduct in punitive-damage analyses)
  • In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489 (1st Cir.) (data-breach litigation principles; standing and damages issues)
  • McConnell v. Dep't of Labor, 345 Ga. App. 669 (Georgia Ct. App.) (relevant Georgia appellate treatment of duty-to‑safeguard PII in different factual posture)

Case Details

Case Name: In re Equifax, Inc.
Court Name: District Court, N.D. Georgia
Date Published: Jan 28, 2019
Citation: 362 F. Supp. 3d 1295
Docket Number: MDL DOCKET NO. 2800; 1:17-md-2800-TWT
Court Abbreviation: N.D. Ga.