In re Equifax Inc.

357 F.Supp.3d 1189

IN RE EQUIFAX INC. SECURITIES LITIGATION

CIVIL ACTION FILE NO. 17-CV-3463-TWT

United States District Court, N.D. Georgia, Atlanta Division.

Signed January 28, 2019

OPINION AND ORDER

THOMAS W. THRASH, JR., United States District Judge

This is a securities fraud class action. It is before the Court on the Defendants' Joint Motion to Dismiss [Doc. 62]. For the reasons set forth below, the Defendants' Joint Motion to Dismiss [Doc. 62] is GRANTED in part and DENIED in part.

I. Background

This case arises out of a massive data breach incident. On September 7, 2017, the Defendant Equifax Inc. announced that it was the subject of a data breach affecting more than 148 million Americans (the "Data Breach").¹ Criminal hackers breached Equifax's Computer network and obtained a vast amount of personally identifiable information in the company's custody. The Lead Plaintiff, Union Asset Management Holding AG, seeks to represent a putative class of investors that purchased the securities of Equifax from February 25, 2016 through September 15, 2017. The Plaintiff alleges that the Defendants committed fraud in connection with the Data Breach that caused a loss in value of the class's investments. Specifically, the Plaintiff alleges that the Defendants made multiple false or misleading statements and omissions about the sensitive personal information in Equifax's custody, the vulnerability of its internal systems to cyberattack, and its compliance with data protection laws and cybersecurity best practices.² Despite these assurances, Equifax allegedly failed to take some of the most basic precautions to protect its computer systems from hackers. According to the Plaintiff, these material misrepresentations artificially inflated the value of Equifax's securities, causing a loss in value of the class's investments when the truth was revealed after the Data Breach.

Equifax is a Georgia corporation with its headquarters in Atlanta, Georgia.³ It is one of the three largest credit reporting agencies in the world.⁴ Equifax operates primarily through four segments: U.S. Information Solutions, a segment that provides products and services to businesses; Equifax's International operating segment, which includes its Asia, Europe, Latin America, and Canada business units; Equifax's Workforce Solutions segment, which provides verification and employer services; and Global Consumer Solutions, its direct-to-consumer business that provides consumers with products to protect and monitor their credit and identity.⁵ The Defendants Richard F. Smith, John W. Gamble, Jr., Rodolfo O. Ploder, and Jeffrey L. Dodge (the "Individual Defendants") were corporate officers at Equifax during the putative class period. The Defendant Richard F. Smith is the former Chief Executive Officer and Chairman of the Board of Directors of Equifax.⁶ Smith resigned from both of these positions on September 26, 2017.⁷ The Defendant John W. Gamble is the Corporate Vice President and Chief Financial Officer of Equifax.⁸ The Defendant Rodolfo O. Ploder is the President of Equifax's Workforce Solutions operating segment.⁹ The Defendant Jeffrey L. Dodge is the Senior Vice President of Investor Relations at Equifax.¹⁰

As part of its business, Equifax collects, maintains, and sells a huge quantity of personal data about consumers and employees all over the world.¹¹ This personally identifiable information is highly sensitive.¹² It includes Social Security numbers, addresses, birthdays, employment history, driver's license information, detailed payment history, loans, credit card information, and more.¹³ Credit bureaus such as Equifax acquire this information from banks, mortgage lenders, credit card issuers, and other financing companies.¹⁴ This personally identifiable information is a highly valuable target for cybercriminals; it includes some of the most private information about consumers.¹⁵ This information can be used to enter into a mortgage, set up a bank account, change a phone number, and even more.¹⁶

The Defendants recognized the importance of safeguarding this highly sensitive personal information.¹⁷ In its SEC filings, Equifax acknowledged that it collected and stored sensitive data, including the personally identifiable information of consumers, and stated that safeguarding this data was "critical" to its "business operations and strategy."¹⁸ It noted that its success was dependent upon its "reputation as a trusted steward of information."¹⁹ Equifax also acknowledged that it was a valuable target for cybercriminals due to the vast trove of information it collected.²⁰ In its SEC filings, Equifax recognized that it was regularly the target of criminal hackers, and that a cybersecurity incident could subject it to a variety of serious consequences.²¹

Acknowledging the importance of protecting the data in its custody, the Defendants made a number of statements during the class period regarding Equifax's networks and the security of the personal data in its custody. According to the Plaintiff, the Defendants issued statements concerning the strength of Equifax's cybersecurity systems, its compliance with data protection laws, and the integrity of its internal controls.²² For example, with regard to the strength of its data security, Equifax's website provided that the company employed "strong data security and confidentiality standards" and maintained "a highly sophisticated data information network that includes advanced security, protections and redundancies."²³ With regard to Equifax's compliance with data protection laws, regulations, and standards, the Defendants stated in SEC filings that they continuously monitored federal and state legislative and regulatory activities "in order to remain in compliance" with those laws.²⁴ The Defendants also certified in SEC filings during the class period that Equifax had effective internal controls that would provide "reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of our assets."²⁵

However, despite these assurances, Equifax's cybersecurity was dangerously deficient. The Data Breach, according to the Plaintiff, was the inevitable result of widespread shortcomings in Equifax's data security systems. According to the Plaintiff's allegations, Equifax's data protection measures were "grossly inadequate," "failed to meet the most basic industry standards," and "ran afoul of the well-established mandates of applicable data protection laws."²⁶ These shortcomings spanned a number of facets of cybersecurity practices, including a failure to implement proper patching protocols, failure to encrypt sensitive information, the storage of sensitive data on public-facing servers, the use of inadequate network monitoring practices, the use of obsolete software, and more. Overall, according to cybersecurity experts, a "catastrophic breach of Equifax's systems was inevitable because of systemic organizational disregard for cybersecurity and cyber-hygiene best practices."²⁷

According to the Plaintiff, Equifax failed to implement an adequate patch management process, while also failing to remediate known deficiencies in its cybersecurity infrastructure.²⁸ The company relied upon a single individual to manually implement its patching process across its entire network.²⁹ This individual had no way to know where vulnerable software in need of patching was being run on Equifax's systems.³⁰ This protocol was far less secure than the automatic patching processes that many other companies, including Equifax's peers, employ in their systems.³¹ According to cybersecurity experts, this patching process fell far short of industry standards.³²

Equifax also failed to encrypt sensitive data in its custody. According to the Amended Complaint, Equifax admitted that sensitive personal information relating to hundreds of millions of Americans was not encrypted, but instead was stored in plaintext, making it easy for unauthorized users to read and misuse.³³ Not only was this information unencrypted, but it also was accessible through a public-facing, widely used website.³⁴ This enabled any attacker that compromised the website's server to immediately have access to this sensitive personal data in plaintext.³⁵ Smith also admitted during congressional testimony that, with respect to its core credit databases, Equifax failed to encrypt any of its data.³⁶ It also failed to encrypt its highly vulnerable mobile applications, meaning that in addition to keeping sensitive data unencrypted in its own systems, it also failed to encrypt data being transmitted over the internet.³⁷ This, according to experts, was a major security failure.³⁸ And, when Equifax did encrypt data, it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data.³⁹ These inadequacies in Equifax's encryption protocol fell far short of industry standards and data security laws, and showed that Equifax did not "know what they were doing" with respect to data security.⁴⁰

Moreover, Equifax also failed to implement adequate authentication measures.⁴¹ Authentication measures are mechanisms, such as passwords, that verify that a party attempting to access a system or network is authorized to do so.⁴² According to the Amended Complaint, Equifax's authentication measures were insufficient to protect the sensitive personal data in its custody from unauthorized access.⁴³ These mechanisms included weak passwords and security questions.⁴⁴ For example, Equifax relied upon four digit pins derived from Social Security numbers and birthdays to guard personal information, despite the fact that these weak passwords had already been compromised in previous breaches.⁴⁵ Furthermore, Equifax employed the username "admin" and the password "admin" to protect a portal used to manage credit disputes, a password that "is a surefire way to get hacked."⁴⁶ This portal contained a vast trove...