Indianapolis-based Cohen & Malad LLP has filed a class-action lawsuit against Equifax Inc. just one day after the credit reporting agency announced a massive data breach affecting roughly 143 million Americans.
The class action, filed Friday in the Indianapolis Division of the U.S. District Court for the Southern District of Indiana, alleges claims under federal and state law, including violations of the Fair Credit Reporting Act, Indiana consumer laws, negligence and unjust enrichment. The suit seeks relief in the form of actual and statutory damages, equitable relief, restitution, disgorgement, costs and reasonable attorney fees.
According to the complaint, Equifax learned on July 29 that a data breach occurred from mid-May to mid-July, but did not inform the public of the breach until Sept. 7. Hackers obtained personal and financial information of some 143 million consumers, whose names, Social Security numbers, birth dates, addresses and driver’s license numbers were compromised. Additionally, credit card numbers were accessed from 209,000 consumers, while 182,000 others were compromised through personal identifying information.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer, Richard F. Smith in a statement on the company’s website. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”
The class action– which was filed on behalf of New Whiteland resident Justin King and a similarly situated class – alleges Equifax willfully and negligently violated the Fair Credit Reporting Act by failing to maintain procedures to protect consumers’ data. As compensation, the complaint says class members should recover actual damages or damages not less than $100 and not more than $1,000, as well as punitive damages, costs of the action and reasonable attorney fees.
The complaint goes on to allege Equifax was negligent because it had a duty to protect sensitive information and disclose the fact that its security systems were not adequate. However, those duties were breached when Equifax failed to protect its data or disclose in a timely manner that the breach had occurred, it says.
Under Indiana law, the complaint claims Equifax violated the Indiana Deceptive Consumer Sales Act by representing that it was protecting consumer information but failing to do so, and also by keeping information about the breach from the public for more than a month. Those actions “were done as part of a scheme, artifice, or device with intent to defraud or mislead and constitute incurable deceptive acts,” the suit says. It then calls for $1,000 or treble damages, reasonable attorney fees, costs of the suit and an order enjoining Equifax’s “unlawful practices” as compensation.
Finally, the class action alleges unjust enrichment, as the fees Equifax customers paid were supposed to be used, in part, to cover the cost of “administrative and other costs of providing reasonable data security and protection… .” Equifax should not be permitted to keep that money, which is described as an overpayment, the complaint says. Instead, the class members are allegedly entitled to restitution and disgorgement of profits, benefits and other compensation obtained by Equifax.
In addition to relief the class is allegedly entitled to, the suit makes a demand for a jury trial. The case is Justin King v. Equifax, Inc., 1:17-cv-3157.
In response to the breach, Equifax set up a website to help consumers determine if their information has been potentially impacted and plans to offer credit file monitoring and identity theft protection for those who sign up for it.