In re Equifax, Inc.

362 F.Supp.3d 1295

IN RE EQUIFAX, INC., CUSTOMER DATA SECURITY BREACH LITIGATION

MDL DOCKET NO. 2800

1:17-md-2800-TWT

United States District Court, N.D. Georgia, Atlanta Division.

Signed January 28, 2019

CONSUMER CASES

OPINION AND ORDER

THOMAS W. THRASH, JR., United States District Judge

This is a data breach case. It is before the Court on the Defendants' Motion to Dismiss the Consolidated Consumer Class Action Complaint [Doc. 425]. For the reasons set forth below, the Defendants' Motion to Dismiss the Consolidated Consumer Class Action Complaint [Doc. 425] is GRANTED in part and DENIED in part.

I. Background

On September 7, 2017, the Defendant Equifax Inc. announced that it was the subject of one of the largest data breaches in history.¹ From mid-May through the end of July 2017, hackers stole the personal and financial information of nearly 150 million Americans.² During this time period, Equifax failed to detect the hackers' presence in its systems, allowing the hackers to exfiltrate massive amounts of sensitive personal data that was in the company's custody.³ This data breach ("Data Breach") is unprecedented – it affected almost half of the entire American population.⁴ The Data Breach was also severe in terms of the type of information that the hackers were able to obtain. The hackers stole at least 146.6 million names, 146.6 million dates of birth, 145.5 million Social Security numbers, 99 million addresses, 17.6 million driver's license numbers, 209,000 credit card numbers, and 97,500 tax identification numbers.⁵ This is extremely sensitive personal information. Using this information, identity thieves can create fake identities, fraudulently obtain loans and tax refunds, and destroy a consumer's credit-worthiness.⁶

Equifax Inc. is a Georgia corporation with its principal place of business in Atlanta, Georgia.⁷ Equifax is the parent company of the Defendants Equifax Information Services LLC and Equifax Consumer Services LLC.⁸ Both of those subsidiary companies are Georgia limited liability companies, with their principal places of business in Atlanta, Georgia.⁹ The Defendants operate together as an integrated consumer reporting agency.¹⁰ The Plaintiffs are 96 consumers who allege that they have been injured by the Data Breach. They allege that they are suffering a "present, immediate, imminent, and continuing increased risk of harm" due to the compromise of their personally identifiable information in the Data Breach.¹¹ The Plaintiffs seek to represent a class of those similarly situated consumers in the United States who were injured by the Data Breach.¹²

Equifax's business model entails aggregating data relating to consumers from various sources, compiling that data into credit reports, and selling those reports to lenders, financial companies, employers, and others.¹³ Credit reporting agencies are "linchpins" of the nation's financial system due to the importance of credit reports in decisions to extend credit.¹⁴ Equifax also sells this information directly to consumers, allowing consumers to purchase their credit files and credit scores.¹⁵ In recent years, Equifax has worked to rapidly grow its business. Recognizing the value in obtaining massive troves of consumer data, Equifax has aggressively acquired companies with the goal of expanding into new markets and acquiring new sources of data.¹⁶ Equifax now maintains information on over 820 million individuals and 91 million businesses worldwide.¹⁷

Equifax recognized the importance of data security, and the value of the data in its custody to cybercriminals. Equifax observed other major, well-publicized data breaches, including those at Target, Home Depot, Anthem, and its competitor Experian.¹⁸ Equifax held itself out as a leader in confronting such threats, offering "data breach solutions" to businesses.¹⁹ It also acquired two identity theft protection companies, Trusted ID and ID Watchdog.²⁰ Equifax was also the subject of several prior data breaches. From 2010 on, Equifax suffered several different data breach incidents highlighting deficiencies in its cybersecurity protocol.²¹ Given these prior breaches, cybersecurity experts concluded that Equifax was susceptible to a major data breach.²² Analyses of Equifax's cybersecurity demonstrated that it lacked basic maintenance techniques that are highly relevant to potential data breaches.²³ However, despite these risks, Equifax did little to improve its cybersecurity practices. Equifax's leaders afforded low priority to cybersecurity, spending a small fraction of the company's budget on cybersecurity.²⁴

The story of the Data Breach begins on March 6, 2017. On that date, a serious vulnerability in the Apache Struts software was discovered and reported.²⁵ This software, a popular open-source program, was used by Equifax in its consumer dispute portal website.²⁶ The next day, the Apache Software Foundation issued a free patch and urged all users to immediately implement the patch.²⁷ The Department of Homeland Security also issued warnings concerning this vulnerability.²⁸ Equifax internally disseminated the warning, but never implemented the patch.²⁹ Then, beginning on May 13, 2017, hackers were able to manipulate the Apache Struts vulnerability to access Equifax's systems, and using simple commands determined the credentials of network accounts that allowed them to access the confidential information of millions of American consumers.³⁰ From May 13 to July 30, 2017, the hackers remained undetected in Equifax's systems.³¹ During this time, the hackers were able to steal the sensitive personally identifiable information of approximately 147.9 million American consumers.³² The personally identifiable information that hackers obtained in the Data Breach includes names, addresses, birth dates, Social Security numbers, driver's license information, telephone numbers, email addresses, tax identification numbers, credit card numbers, credit report dispute documents, and more.³³

On July 29, 2017, Equifax's security team noticed "suspicious network traffic" in the dispute portal.³⁴ The next day, the consumer dispute portal was deactivated and taken offline.³⁵ On July 31, 2017, Equifax's CEO Richard Smith was informed of the breach.³⁶ On August 2, 2017, Equifax informed the Federal Bureau of Investigation about the Data Breach, and retained legal counsel to guide its investigation.³⁷ Equifax also hired cybersecurity firm Mandiant to investigate the suspicious activity.³⁸ On September 7, 2017, seven weeks after discovering suspicious activity, Equifax publicly disclosed the Data Breach in a press release.³⁹ Experts have since opined that the Data Breach was the result of weak cybersecurity measures and Equifax's low priority for data security.⁴⁰

The Plaintiffs here are a putative class of consumers whose personal information was stolen during the Data Breach. The class alleges that it has been harmed by having to take measures to combat the risk of identity theft, by identity theft that has already occurred to some members of the class, by expending time and effort to monitor their credit and identity, and that they all face a serious and imminent risk of fraud and identity theft due to the Data Breach. The putative class brings a number of nationwide claims, along with a number of state claims. The class also seeks declaratory and injunctive relief. The Defendants now move to dismiss.

II. Legal Standard

A complaint should be dismissed under Rule 12(b)(6) only where it appears that the facts alleged fail to state a "plausible" claim for relief.⁴¹ A complaint may survive a motion to dismiss for failure to state a claim, however, even if it is "improbable" that a plaintiff would be able to prove those facts; even if the possibility of recovery is extremely "remote and unlikely."⁴² In ruling on a motion to dismiss, the court must accept the facts pleaded in the complaint as true and construe them in the light most favorable to the plaintiff.⁴³ Generally, notice pleading is all that is required for a valid complaint.⁴⁴ Under notice pleading, the plaintiff need only give the defendant fair notice of the plaintiff's claim and the grounds upon which it rests.

III. Discussion

A. Choice of Law

First, the Court concludes that Georgia law governs this case. This case is before the Court based on diversity jurisdiction. The Court therefore looks to Georgia's choice of law rules to determine the appropriate rules of decision.⁴⁵ Georgia follows the traditional approach of lex loci delecti in tort cases, which generally applies the substantive law of the state where the last event occurred necessary to make an actor liable for the alleged tort.⁴⁶ Usually, this means that the "law of the place of the injury governs rather than the law of the place of the tortious acts allegedly causing the injury."⁴⁷ However, there is an exception when the law of the foreign state is the common law. "[T]he application of another jurisdiction's laws is limited to statutes and decisions construing those statutes. When no statute is involved, Georgia courts apply the common law as developed in Georgia rather than foreign case law."⁴⁸ The Plaintiffs identify no foreign statutes that govern their common law claims. Therefore, the Court will apply Georgia law to the common law claims.⁴⁹

B. Fair Credit Reporting Act

The Defendants first move to dismiss the Consumer Plaintiffs' claims under the Fair Credit Reporting Act ("FCRA"). Under the FCRA, a "consumer reporting agency may furnish a consumer report" only under limited circumstances provided for in the statute.⁵⁰ In Count 1 of the Complaint, the Consumer Plaintiffs allege that the Defendants "furnished Class members' consumer reports" in violation of section 1681b of the FCRA and "failed to maintain reasonable procedures designed to limit the furnishing of Class members' consumer reports to permitted purposes, and/or failed to take adequate security measures that would prevent disclosure of Class members'...